2021-03-17 07:48:31 |
Etienne Dysli Metref |
bug |
|
|
added bug |
2021-03-17 13:14:35 |
Etienne Dysli Metref |
description |
Upstream has given advance warning that a security patch would be released on 2021-03-17 (USA time). See https://shibboleth.net/pipermail/users/2021-March/049488.html
Details to be published at https://shibboleth.net/community/advisories/secadv_20210317.txt |
Upstream has given advance warning that a security patch would be released on 2021-03-17 (USA time). See https://shibboleth.net/pipermail/users/2021-March/049488.html
Details to be published at https://shibboleth.net/community/advisories/secadv_20210317.txt
Shibboleth Service Provider Security Advisory [17 March 2021]

An updated version of the Service Provider software is available
which fixes a phishing vulnerability.

Template generation allows external parameters to override placeholders
======================================================================
The SP includes a primitive template engine used to render error pages
and various other status or transition pages, and it supports a syntax
for embedding placeholders that are replaced by internally supplied
values or configuration settings.

For reasons that are unclear in the code history, it was extended to
allow replacement via query parameters also, though this is not a
typical need. Because of this feature, it's possible to cause the SP
to display some templates containing values supplied externally by
URL manipulation. Though the values are encoded to prevent script
injection, the content nevertheless appears to come from the server
and so would be interpreted as trustworthy, allowing email addresses,
logos, or support URLs to be manipulated by an attacker.

All platforms are impacted by this issue.

Recommendations
===============
Update to V3.2.1 or later of the Service Provider software, which
is now available.

The update adds a new <Errors> setting to the configuration called
externalParameters, which defaults to false. When false, support for
this "feature" is disabled. In the unlikely event that a valid need
for this exists, the setting can be enabled temporarily to maintain
function until the use case requiring it is addressed in some other
way.

Other Notes
===========
The cpp-sp git commit containing the fix for this issue is
d1dbebfadc1bdb824fea63843c4c38fa69e54379

URL for this Security Advisory:
https://shibboleth.net/community/advisories/secadv_20210317.txt |
|
2021-03-17 15:04:37 |
Etienne Dysli Metref |
information type |
Private Security |
Public Security |
|
2021-03-17 15:23:40 |
Etienne Dysli Metref |
bug watch added |
|
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985405 |
|
2021-03-17 15:23:40 |
Etienne Dysli Metref |
bug task added |
|
shibboleth-sp (Debian) |
|
2021-03-17 17:31:30 |
Bug Watch Updater |
shibboleth-sp (Debian): status |
Unknown |
Confirmed |
|
2021-03-18 12:03:45 |
Etienne Dysli Metref |
description |
Upstream has given advance warning that a security patch would be released on 2021-03-17 (USA time). See https://shibboleth.net/pipermail/users/2021-March/049488.html
Details to be published at https://shibboleth.net/community/advisories/secadv_20210317.txt
Shibboleth Service Provider Security Advisory [17 March 2021]

An updated version of the Service Provider software is available
which fixes a phishing vulnerability.

Template generation allows external parameters to override placeholders
======================================================================
The SP includes a primitive template engine used to render error pages
and various other status or transition pages, and it supports a syntax
for embedding placeholders that are replaced by internally supplied
values or configuration settings.

For reasons that are unclear in the code history, it was extended to
allow replacement via query parameters also, though this is not a
typical need. Because of this feature, it's possible to cause the SP
to display some templates containing values supplied externally by
URL manipulation. Though the values are encoded to prevent script
injection, the content nevertheless appears to come from the server
and so would be interpreted as trustworthy, allowing email addresses,
logos, or support URLs to be manipulated by an attacker.

All platforms are impacted by this issue.

Recommendations
===============
Update to V3.2.1 or later of the Service Provider software, which
is now available.

The update adds a new <Errors> setting to the configuration called
externalParameters, which defaults to false. When false, support for
this "feature" is disabled. In the unlikely event that a valid need
for this exists, the setting can be enabled temporarily to maintain
function until the use case requiring it is addressed in some other
way.

Other Notes
===========
The cpp-sp git commit containing the fix for this issue is
d1dbebfadc1bdb824fea63843c4c38fa69e54379

URL for this Security Advisory:
https://shibboleth.net/community/advisories/secadv_20210317.txt |
Upstream advisory: https://shibboleth.net/community/advisories/secadv_20210317.txt
Shibboleth Service Provider Security Advisory [17 March 2021]

An updated version of the Service Provider software is available
which fixes a phishing vulnerability.

Template generation allows external parameters to override placeholders
======================================================================
The SP includes a primitive template engine used to render error pages
and various other status or transition pages, and it supports a syntax
for embedding placeholders that are replaced by internally supplied
values or configuration settings.

For reasons that are unclear in the code history, it was extended to
allow replacement via query parameters also, though this is not a
typical need. Because of this feature, it's possible to cause the SP
to display some templates containing values supplied externally by
URL manipulation.
Though the values are encoded to prevent script injection, the content
nevertheless appears to come from the server and so would be interpreted
as trustworthy, allowing email addresses, logos and style sheets, or
support URLs to be manipulated by an attacker.

All platforms are impacted by this issue.

Recommendations
===============
Update to V3.2.1 or later of the Service Provider software, which
is now available.

The update adds a new <Errors> setting to the configuration called
externalParameters, which defaults to false. When false, support for
this "feature" is disabled. In the unlikely event that a valid need
for this exists, the setting can be enabled temporarily to maintain
function until the use case requiring it is addressed in some other
way.

In the event that an update is not possible, reducing or eliminating
some of the more sensitive template replacement values with static
values in the templates may decrease the impact.

Other Notes
===========
The cpp-sp git commit containing the fix for this issue is
d1dbebfadc1bdb824fea63843c4c38fa69e54379

Credits
=======
Toni Huttunen, Fraktal Oy

History
=======
Edited to add credit, and a bit more discussion of style sheet risk
and workarounds.

URL for this Security Advisory:
https://shibboleth.net/community/advisories/secadv_20210317.txt

Upstream bug: https://issues.shibboleth.net/jira/browse/SSPCPP-922
Upstream patch: https://git.shibboleth.net/view/?p=cpp-sp.git;a=commit;h=d1dbebfadc1bdb824fea63843c4c38fa69e54379 |
|
2021-03-18 12:04:01 |
Etienne Dysli Metref |
summary |
Template generation allows external parameters to override placeholders |
Phishing vulnerability: Template generation allows external parameters to override placeholders |
|
2021-03-18 12:06:03 |
Etienne Dysli Metref |
attachment added |
|
Patch for focal https://bugs.launchpad.net/debian/+source/shibboleth-sp/+bug/1919419/+attachment/5477904/+files/1-3.0.4+dfsg1-1ubuntu1.debdiff |
|
2021-03-18 12:06:53 |
Etienne Dysli Metref |
bug |
|
|
added subscriber Ubuntu Security Sponsors Team |
2021-03-19 05:42:11 |
Mathew Hodson |
shibboleth-sp (Ubuntu): importance |
Undecided |
Medium |
|
2021-03-20 13:02:53 |
Bug Watch Updater |
shibboleth-sp (Debian): status |
Confirmed |
Fix Released |
|
2021-03-22 09:12:36 |
Etienne Dysli Metref |
cve linked |
|
2021-28963 |
|
2021-03-31 04:34:18 |
Steve Beattie |
shibboleth-sp (Ubuntu): assignee |
|
Steve Beattie (sbeattie) |
|
2021-04-20 17:21:54 |
Steve Beattie |
shibboleth-sp (Ubuntu): status |
New |
In Progress |
|
2021-04-22 21:53:42 |
Launchpad Janitor |
shibboleth-sp (Ubuntu): status |
In Progress |
Fix Released |
|