Bug#987608: shibboleth-sp: Session recovery feature contains a null pointer dereference

Ferenc Wágner wferi at debian.org
Mon Apr 26 14:16:14 BST 2021


Source: shibboleth-sp
Version: 3.0.2+dfsg1-1
Severity: important
Tags: upstream patch security
Forwarded: https://issues.shibboleth.net/jira/browse/SSPCPP-927

Shibboleth Service Provider Security Advisory [26 April 2021]

An updated version of the Service Provider software is now
available which corrects a denial of service vulnerability.

Session recovery feature contains a null pointer dereference
======================================================================
The cookie-based session recovery feature added in V3.0 contains a
flaw that is exploitable on systems *not* using the feature if a
specially crafted cookie is supplied.

This manifests as a crash in the shibd daemon/service process.

Because it is very simple to trigger this condition remotely, it
results in a potential denial of service condition exploitable by
a remote, unauthenticated attacker.

Versions without this feature (prior to V3.0) are not vulnerable
to this particular issue.

Recommendations
===============
Update to V3.2.2 or later of the Service Provider software, which
is now available.

In cases where this is not immediately possible, configuring a
DataSealer component in shibboleth2.xml (even if used for nothing)
will work around the vulnerability.

For example:

<DataSealer type="Static" key="4Sn0Wi6BXqQLCg+GQqY6bg==" />

This workaround is only possible after having updated the
core configuration to the V3 XML namespace.

Other Notes
===========
The cpp-sp git commit containing the fix for this issue is
5a47c3b9378f4c49392dd4d15189b70956f9f2ec


URL for this Security Advisory:
https://shibboleth.net/community/advisories/secadv_20210426.txt
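The DataSealer workaround under Recommendations can be verified statically. The following is an added example, not part of the advisory or of the Shibboleth code base. It assumes the V3 core configuration namespace is urn:mace:shibboleth:3.0:native:sp:config and accepts a DataSealer element anywhere in the document; the function name, status strings and sample documents are constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET

# V3 core configuration namespace (assumption: not stated in the advisory).
V3_NS = "urn:mace:shibboleth:3.0:native:sp:config"
# Example key printed in the advisory; it is public, so flag it when found.
ADVISORY_KEY = "4Sn0Wi6BXqQLCg+GQqY6bg=="

def check_workaround(xml_text):
    """Classify a shibboleth2.xml document with respect to the workaround."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return "error", f"not well-formed XML: {exc}"
    # ElementTree renders a namespaced tag as "{namespace}localname".
    ns, _, tag = root.tag.lstrip("{").rpartition("}")
    if tag != "SPConfig":
        return "error", f"unexpected root element {tag!r}"
    if ns != V3_NS:
        # The advisory: the workaround needs the V3 XML namespace.
        return "no-workaround", "core configuration is not in the V3 namespace"
    sealers = list(root.iter(f"{{{V3_NS}}}DataSealer"))
    if not sealers:
        return "missing", "no DataSealer element configured"
    if any(s.get("key") == ADVISORY_KEY for s in sealers):
        return "present-public-key", "DataSealer uses the advisory's example key"
    return "present", f"{len(sealers)} DataSealer element(s) configured"

# Constructed sample documents, trimmed to the parts the check reads.
SAMPLE_V2 = '<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"/>'
SAMPLE_V3_BARE = (f'<SPConfig xmlns="{V3_NS}">'
                  '<ApplicationDefaults entityID="https://sp.example.org/shibboleth"/>'
                  '</SPConfig>')
SAMPLE_V3_SEALED = (f'<SPConfig xmlns="{V3_NS}">'
                    f'<DataSealer type="Static" key="{ADVISORY_KEY}"/></SPConfig>')

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Check a real configuration file given on the command line.
        with open(sys.argv[1], encoding="utf-8") as fh:
            docs = {sys.argv[1]: fh.read()}
    else:
        docs = {"v2": SAMPLE_V2, "v3-bare": SAMPLE_V3_BARE,
                "v3-sealed": SAMPLE_V3_SEALED}
    for name, text in docs.items():
        status, detail = check_workaround(text)
        print(f"{name}: {status} ({detail})")
```

The result describes the configuration file only, not the installed version; "present-public-key" marks a DataSealer whose key should be replaced before it is used to protect anything.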


