Bug#881856: opensaml2: Dynamic MetadataProvider fails to install security filters (CPPOST-105)

Wed Nov 15 20:06:09 UTC 2017

Source: opensaml2
Version: 2.5.3-2
Severity: grave
Tags: patch security upstream
Justification: user security hole
Control: clone -1 -2
Control: reassign -2 shibboleth-sp2 2.5.3+dfsg-2
Control: retitle -2 shibboleth-sp2: Dynamic MetadataProvider fails to install security filters (SSCPP-763)

Hi

As per https://shibboleth.net/community/advisories/secadv_20171115.txt
an issue affecting opensaml2 and shibboleth-sp2:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Shibboleth Service Provider Security Advisory [15 November 2017]

An updated version of the Shibboleth Service Provider software
is available which corrects a critical security issue in the
"Dynamic" metadata provider plugin.

Deployers making use of the affected feature should apply the
relevant update at the soonest possible moment.

NOTE: CVEs for this issue are forthcoming from the Debian Project
and this advisory will be updated if and when they are obtained.

Dynamic MetadataProvider fails to install security filters
============================================================
The Shibboleth Service Provider software includes a MetadataProvider
plugin with the plugin type "Dynamic" to obtain metadata on demand
from a query server, in place of the more typical mode of downloading
aggregates separately containing all of the metadata to load.

All the plugin types rely on MetadataFilter plugins to perform critical
security checks such as signature verification, enforcement of validity
periods, and other checks specific to deployments.

Due to a coding error, the "Dynamic" plugin fails to configure itself
with the filters provided to it and thus omits whatever checks they are
intended to perform, which will typically leave deployments vulnerable
to active attacks involving the substitution of metadata if the network
path to the query service is compromised.

Affected Systems
==================
All versions of the Service Provider software prior to V2.6.1 contain
this vulnerability.

There are no known mitigations to prevent this attack apart from
applying this update. Deployers should take immediate steps, and
may wish to disable the use of this feature until the upgrade is done.

Service Provider Deployer Recommendations
===========================================
Upgrade to V2.6.1 or later of the Service Provider and restart the
shibd service/daemon.

Sites relying on official RPM packages or Macports can update via the
yum and port commands respectively.

For those using platforms unsupported by the project team directly,
refer to your vendor or package source directly for information on
obtaining the fixed version. If the update from your vendor lags,
you may consider building from source for your own use as an interim
step.

The patch commit that corrects this issue can be found at [1].

Additional Recommendations for Federation Operators
=====================================================
Operators of metadata query services in support of this feature may
wish to consider implementing security checks after a suitable upgrade
window has elapsed to prevent use of affected versions or follow up
with deployers. The User Agent string in requests to the service
will contain the version of the software.

Note Regarding OpenSAML Library
=================================
An identical issue exists in the DynamicMetadataProvider class in
the OpenSAML-C library in all versions prior to V2.6.1. Applications
making direct use of this library must be independently updated to
correct this vulnerability, but this fix does not correct the issue
with respect to the use of the Shibboleth SP.

The patch commit that corrects the OpenSAML issue can be found at [2].

Credits
=========
Rod Widdowson, Steading System Software LLP

[1] https://git.shibboleth.net/view/?p=cpp-sp.git;a=commit;
h=b66cceb0e992c351ad5e2c665229ede82f261b16

[2] https://git.shibboleth.net/view/?p=cpp-opensaml.git;a=commit;
h=6182b0acf2df670e75423c2ed7afe6950ef11c9d

URL for this Security Advisory:
https://shibboleth.net/community/advisories/secadv_20171115.txt

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE3KoVAHvtneaQzZUjN4uEVAIneWIFAloMTwMACgkQN4uEVAIn
eWKF4hAAqJxTRUQd/BxyQA4Cnq0ysA4A+Ld1+odGrBGQp4zKjmY4lK1SqbKKsPV3
7fJvFfmojZ5nWE/KtwHSoFyqAFqYLy/2MtwMUkF/lNQTQdgjVAJ0jTRSIvMZw0H+
PGfniwN+qSowwNQe6/nV9TbkSbFEfJSWcQ+VZkzchltwD4I2DQR7VTy4rlDfTj3L
WTpz7+2927pawl0ELwYF4wdDf0JTA0b7hYy9Hbm0WZyOiN+nl//zTV2ZtzlwWt+k
fNilA4BVl5OPmosp1FuPgsxCThRkHrr9SIwDeQDngSQqp8zomhDAuFLV6AZEuPXT
hVoysaQDe12bbx6680uGSIvSs35qCiuqe8em+8Dek/Abiu0NDvPlpP01vMxYQc+U
RN5emyWyFIbt4JDbYIaBz0sBYDcRNTMQrt/a5EQ1NCGx8mm5UIeDXacdd1MWb9hj
f+KfO68JHMxZuONj5RysvByi6EyOuBuoGDsXoEzzGQQtmNa8e1wQurJYDnSAp+uA
xayZKA2ea2FRpI0ON1UaZLARrn6o0Jf28FrbVO+h7e2wiX3la0oQKF5qBJ0sBYhP
5fXR/otDKeAz/3kZC/iSsDXY+ApLYurNk9AKMP4hfAfk5/xpBA7IisGk+w3RlJju
d3iu9xFlcShS+pXbf1+P5qW1QFXZYnPU3gJlzTKcNbqcOPbLS/8=
=IpAG
-----END PGP SIGNATURE-----

There is though the statement that CVEs will be assigned by the Debian
project. This cannot be done, since the fix was already in the
repository when asked and a CVE needs to be assigned via the MITRE
primary CNA.

Fixes for oldstable and stable are pending and already prepared by
Ferenc Wágner.

Regards,
Salvatore