===================================================================== CERT-Renater Note d'Information No. 2013/VULN020 _____________________________________________________________________ DATE : 11/01/2013 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S) : Systems running Shibboleth SP version 2.5.x prior to 2.5.2. ====================================================================== http://shibboleth.net/community/advisories/secadv_20130110.txt ______________________________________________________________________ Shibboleth Service Provider Security Advisory [10 January 2013] An updated version of the Shibboleth Project's OpenSAML software in C++ is available which corrects a security issue. Shibboleth SP software crashes on malformed IdP History Cookie ==================================================================== The Service Provider software supports an option, disabled by default, for tracking the history of Identity Providers used by a client. A particular malformation of this cookie can cause the shibd process to crash while appending the latest value to it, resulting in a denial of service. An updated version of OpenSAML-C, V2.5.2, is available that corrects this bug. The bug is not present in versions of the library prior to V2.5.0, so older versions of the Service Provider, such as V2.4.3, are unlikely to be affected unless rebuilt against newer libraries. Note that while the Embedded Discovery Service product we offer also uses a cookie compatible with this feature, the use of a cookie by it is not dependent on this feature within the SP, and does not cause this problem to manifest, nor is its cookie functionality limited by disabling (or more likely leaving disabled) this feature within the SP software. Recommendations =============== Where possible, upgrade to V2.5.2 or later of the OpenSAML-C library. In the interim, you can verify that the "idpHistory" option (found in the shibboleth2.xml element) is unset or false, which disables the use of this cookie. This is the default setting, so unless you enabled it, or applied configuration examples that do so, your system should not be affected. Linux installations relying on official RPM packages can upgrade to the latest opensaml package version to obtain the fix. An updated Macport is also available. Windows systems can apply a patch package [1] containing the fixed library. New installs of the SP software (V2.5.1 or newer) will contain the fix (you can verify after installation that your logs indicate the expected OpenSAML version is used). Credits ======= Thanks to Dan McLaughlin for reporting this issue and assisting with diagnosis and verifying the fix. [1] http://shibboleth.net/downloads/service-provider/2.5.1/patches/ URL for this Security Advisory: http://shibboleth.net/community/advisories/secadv_20130110.txt ====================================================================== ========================================================= Serveur de référence du CERT-Renater https://services.renater.fr/ssi/ ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 23 - 25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email: certsvp@renater.fr + =========================================================