=====================================================================
                                   CERT-Renater

                        Note d'Information No. 2011/VULN370
_____________________________________________________________________

DATE                      : 09/05/2011

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running an OpenID relying-party library.

======================================================================
http://openid.net/2011/05/05/attribute-exchange-security-alert/
______________________________________________________________________

Attribute Exchange Security Alert
Posted at 11:01 am on May 5, 2011 by jfe

A group of security researchers identified a flaw in how some OpenID
relying parties implement Attribute Exchange (AX). See below for
information on the suggested fix.
The researchers determined that some sites were not confirming that the
attribute values passed through AX were covered by the assertion's
signature (that is, listed in openid.signed). That allows an attacker to
add or modify those values without invalidating the signature. If a site
only uses AX to receive low-security information such as a user's
self-asserted gender, this will probably not be a problem. However, if
it uses AX to receive information that it trusts only the identity
provider to assert, then it creates the potential for an attack.
The researchers contacted the main websites impacted, and those sites
have deployed a fix. OpenID Foundation board members have worked to
identify other websites that were impacted and similarly have them
deploy a fix. There are no known examples of attacks using this
technique.
The OpenID Foundation would like to thank security researchers Rui
Wang, Shuo Chen and XiaoFeng Wang for reporting their findings.

Suggested Fix:
For apps that are vulnerable, we recommend modifying application code
to accept only signed attribute values as an initial step.
We confirmed that apps using OpenID4Java are prone to accepting unsigned
attributes. Please update to the latest version of this library (0.9.6
final) if you're using it or any dependent libraries (such as Step2).
Kay Framework was also vulnerable, but has since been patched in
version 1.0.2. Other libraries may have the same issue, though the
default usage of the services/libraries from Janrain, Ping Identity and
DotNetOpenAuth is not susceptible to this attack.
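The check the alert describes and the fix it recommends, as an added example that is not code from the OpenID Foundation post, from OpenID4Java, Kay Framework or any other library named above: an OpenID 2.0 relying party receives the positive assertion as query parameters on its return_to URL, and openid.sig is an HMAC over exactly the fields listed in openid.signed, so any parameter outside that list is unauthenticated even when the signature verifies. The OP endpoint, identifiers, association MAC key and attribute values below are constructed sample data, and a stateful association using HMAC-SHA256 is assumed.

```python
"""Accepting only signed Attribute Exchange values in an OpenID 2.0 assertion.
Added example for this advisory, not code from the OpenID Foundation post,
OpenID4Java, Kay Framework or any other library named above. Assumes the
relying party verifies assertions with its association MAC key (stateful
mode, HMAC-SHA256); key, endpoints, identifiers and values are constructed."""
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

AX_NS = "http://openid.net/srv/ax/1.0"
MAC_KEY = hashlib.sha256(b"constructed demo association secret").digest()  # sample key

def sign(params, mac_key):
    """Base64 HMAC-SHA256 over the Key-Value form of the signed fields: one
    'field:value\\n' line per entry of openid.signed, 'openid.' prefix stripped."""
    kv = "".join(f"{f}:{params['openid.' + f]}\n" for f in params["openid.signed"].split(","))
    return base64.b64encode(hmac.new(mac_key, kv.encode(), hashlib.sha256).digest()).decode()

def signature_valid(params, mac_key):
    """True if openid.sig matches the fields listed in openid.signed. It says
    nothing about parameters outside that list, which is the whole problem."""
    try:
        return hmac.compare_digest(sign(params, mac_key), params.get("openid.sig", ""))
    except KeyError:  # openid.signed, or a field it lists, is absent
        return False

def ax_alias(params):
    """Namespace alias the response uses for AX (e.g. 'ext1'), or None."""
    for key, value in params.items():
        if key.startswith("openid.ns.") and value == AX_NS:
            return key[len("openid.ns."):]
    return None

def ax_values_unchecked(params):
    """VULNERABLE (the behaviour the alert describes): every AX value, signed or not."""
    alias = ax_alias(params)
    if alias is None:
        return {}
    prefix = f"openid.{alias}.value."
    return {k[len(prefix):]: v for k, v in params.items() if k.startswith(prefix)}

def ax_values_signed(params, mac_key):
    """FIXED: verify the signature, then keep only AX values whose namespace
    declaration, type field and value field are all listed in openid.signed."""
    if not signature_valid(params, mac_key):
        raise ValueError("bad or missing openid.sig")
    signed = set(params["openid.signed"].split(","))
    alias = ax_alias(params)
    if alias is None or f"ns.{alias}" not in signed:
        return {}  # the extension itself is unsigned: ignore it entirely
    prefix, result = f"openid.{alias}.value.", {}
    for key, value in params.items():
        if not key.startswith(prefix):
            continue
        name = key[len(prefix):]  # 'email', or 'email.1' for multi-valued attributes
        if (f"{alias}.value.{name}" in signed
                and f"{alias}.type.{name.split('.')[0]}" in signed):
            result[name] = value
    return result

def parse_assertion(query_string):
    """Parameters of the indirect response as received on return_to."""
    return dict(parse_qsl(query_string, keep_blank_values=True))

def op_response(signed_fields, extra):
    """Constructed positive assertion from a hypothetical OP (op.example)."""
    params = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://op.example/auth",
        "openid.claimed_id": "https://op.example/id/alice",
        "openid.identity": "https://op.example/id/alice",
        "openid.return_to": "https://rp.example/openid/return",
        "openid.response_nonce": "2011-05-05T11:01:00Zx7Gk",
        "openid.assoc_handle": "assoc-demo-1",
        **extra,
    }
    params["openid.signed"] = ",".join(signed_fields)
    params["openid.sig"] = sign(params, MAC_KEY)
    return params

CORE = "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle".split(",")
AX_FIELDS = {"openid.ns.ext1": AX_NS, "openid.ext1.mode": "fetch_response",
             "openid.ext1.type.email": "http://axschema.org/contact/email",
             "openid.ext1.value.email": "alice@example.org"}

# Case 1: the OP asserted alice's e-mail and listed the AX fields in openid.signed.
GOOD = parse_assertion(urlencode(op_response(
    CORE + ["ns.ext1", "ext1.mode", "ext1.type.email", "ext1.value.email"], AX_FIELDS)))

# Case 2: the OP signed only the core fields; the attacker appends unsigned AX
# fields naming the victim's e-mail before the RP sees the response. openid.sig
# still verifies, because it never covered those fields.
TAMPERED = parse_assertion(urlencode(op_response(CORE, {})) + "&" + urlencode(
    {**AX_FIELDS, "openid.ext1.value.email": "victim@example.org"}))
```

Both constructed responses pass signature_valid, which is the point: ax_values_unchecked returns the attacker's e-mail from TAMPERED, while ax_values_signed returns nothing for it and alice's e-mail only for GOOD, where the OP listed the AX fields in openid.signed. The same membership test applies to any other extension carried in the assertion, and to stateless relying parties as well, since check_authentication likewise verifies only the fields in openid.signed.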


======================================================================

          =========================================================
          CERT-Renater reference servers
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 23 - 25 Rue Daviel    | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================


