
====================================================================

                             CERT-Renater

                 Information Note No. 2018/VULN043
_____________________________________________________________________

DATE                : 12/02/2018

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running SimpleSAMLphp versions prior to
                     1.15.2, or the simplesamlphp/saml2 library prior to
                     2.3.5 or 3.1.1 (1.10.4 for the 1.x branch).

=====================================================================
https://simplesamlphp.org/security/201801-03
https://simplesamlphp.org/security/201801-02
https://simplesamlphp.org/security/201801-01
_____________________________________________________________________

Date
 January 30, 2018
Affected versions
 SimpleSAMLphp < 1.15.2
Severity
 Low
Reference
 CVE-2018-6521


201801-03

Use of insecure connection charset (sqlauth module)


Background

The sqlauth module provides an authentication source (sqlauth:SQL) that
allows authenticating users against a database holding their
credentials. This module supports any database backend supported by
PDO, including MySQL, and the use of unicode code points is allowed
both for usernames and passwords.

Regarding unicode support, MySQL has long supported the utf8 charset
for database, table and column names, as well as for actual contents
and connections. This charset, though, only partially implements UTF-8
encoding, despite its name.


Description

The utf8 connection charset is used by the sqlauth:SQL authentication
source in the sqlauth module. Due to the lack of proper support for
UTF-8 encoding provided by this charset, encoded symbols that take up
four bytes instead of three or less aren't supported. This issue,
together with the fact that MySQL truncates a query when an unsupported
character is found (in this case, any unicode code point represented
with four bytes), could lead to serious security issues such as
authentication bypass, unauthorized database manipulation or stored
Cross-Site Scripting attacks.

Two mitigating factors apply in this case and, to the best of our
knowledge, make the issue not exploitable:

    - The module uses prepared statements to avoid SQL injection. This
      is an effective countermeasure against SQL query truncation on
      unsupported characters, since user input is bound as parameters
      rather than spliced into the query text.

    - The issue is typically exploited through INSERT or UPDATE
      statements, which would let an attacker alter the HTML output
      produced by a page and run arbitrary code in the victim's browser
      (stored XSS). This module only issues SELECT statements, which
      removes the possibility of storing arbitrary code for later
      execution.

In order to avoid any possible future issues, the connection charset
used with a MySQL backend has been changed from utf8 to utf8mb4, which
implements full Unicode support.
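The following added Python illustration (not the sqlauth module's own PHP code) models the behaviour described above: a check for code points that need four UTF-8 bytes, a constructed model of how a utf8 (utf8mb3) connection shortens such a value, and a PDO-style DSN builder that requests utf8mb4 for MySQL as the fix does. The DSN host and database names are constructed samples.

```python
# Added illustration in Python (the sqlauth module itself is PHP): why MySQL's
# "utf8" connection charset is not full UTF-8, and what the utf8mb4 fix changes.


def needs_utf8mb4(text: str) -> bool:
    """True if the string holds a code point outside the BMP, i.e. one that
    UTF-8 encodes in four bytes and MySQL's utf8 (utf8mb3) cannot store."""
    return any(ord(ch) > 0xFFFF for ch in text)


def utf8mb3_truncate(text: str) -> str:
    """Constructed model of the behaviour the advisory describes: a value sent
    over a utf8 (utf8mb3) connection is cut at the first 4-byte character.
    This is a simplification for illustration, not MySQL's own code."""
    kept = []
    for ch in text:
        if ord(ch) > 0xFFFF:
            break
        kept.append(ch)
    return "".join(kept)


def pdo_dsn(driver: str, host: str, dbname: str) -> str:
    """Build a PDO DSN string; for MySQL, request utf8mb4 explicitly (the
    same change the fixed release makes) so 4-byte characters round-trip."""
    dsn = f"{driver}:host={host};dbname={dbname}"
    if driver == "mysql":
        dsn += ";charset=utf8mb4"
    return dsn


def lookup_key(username: str, charset: str) -> str:
    """The value a SELECT ... WHERE username = ? would actually compare
    under the given connection charset (model, see utf8mb3_truncate)."""
    if charset == "utf8mb4":
        return username
    if charset == "utf8":
        return utf8mb3_truncate(username)
    raise ValueError(f"charset not covered by this model: {charset}")


if __name__ == "__main__":
    # Constructed sample: a username containing an emoji (U+1F600, 4 bytes).
    user = "alice\U0001F600"
    print(needs_utf8mb4(user))                # True
    print(repr(lookup_key(user, "utf8")))     # 'alice' - silently shortened
    print(repr(lookup_key(user, "utf8mb4")))  # intact
    print(pdo_dsn("mysql", "localhost", "sso"))
```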


Affected versions

All SimpleSAMLphp versions up to (and including) 1.15.1.


Impact

As of the time of this writing, there is no known way to exploit the
issue described in this advisory.

However, the issue could be leveraged by an attacker in combination
with other unknown issues in order to:

    - bypass authentication;
    - access and modify the contents of the user credentials database;
    - perform stored Cross-Site Scripting attacks, running arbitrary code
      in the victim's web browser.


Resolution

Upgrade to the latest version.


Credit

This security issue was discovered during a security audit performed by
Cure53 and reported on December 18th 2017.
_____________________________________________________________________

Date
 January 29, 2018
Affected versions
 SimpleSAMLphp < 1.15.2
Severity
 Low
Reference
 CVE-2018-6520


201801-02

Open redirection protection bypass


Background

An open redirection issue happens when a web application performs a
redirection to a URL obtained from user input without proper
validation. Such an issue allows attackers to craft URLs pointing to a
trusted web site which will then redirect to another page under the
control of the attacker. This is usually used to give phishing attacks
the appearance of legitimacy, making it easier to trick victims into
following a link.

SimpleSAMLphp 1.12.0 introduced a whitelisting mechanism to address
multiple open redirection issues scattered around its code. This
whitelisting mechanism enforces the need to manually specify all
domains that should be allowed when a redirection happens to a
user-provided URL, by means of the trusted.url.domains and
trusted.url.regex configuration options. In order to make it as
transparent as possible, the very same host where SimpleSAMLphp is
running and all hosts found in remote metadata are automatically
whitelisted, so that in practice, adding domain names to the white list
shouldn't be necessary.


Description

This whitelisting mechanism was implemented with a regular expression
that validated user-provided URLs and extracted the host to look up in
the white list. The regular expression had a flaw that allowed an
attacker to build a URL that passed the whitelist validation while the
web browser still redirected to a different URL under their control: it
did not properly account for the authority part of the URL, so the
contents of that part could be taken as the host to check against the
white list, while the actual host as seen by the browser was ignored,
effectively skipping the validation.

The standard parse_url() PHP function is now used instead of a regular
expression to validate and parse user-provided URLs. This function, as
it was later brought to our attention, is strict with regard to regular
slashes and backslashes, while most web browsers transform the latter
into the former automatically. Therefore, as an additional validation
mechanism, all URLs containing an authority part with a backslash
character are now regarded as invalid, leading to an exception.
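An added Python example (not SimpleSAMLphp's PHP code) of a redirect validator built the way the fixed version works: a standard URL parser supplies the host, the host is matched exactly against a constructed whitelist standing in for trusted.url.domains, and any backslash is rejected before parsing. It is stricter than the advisory's rule in one respect: a backslash anywhere in the URL, not only in the authority, is refused. The domain names are constructed; the automatic whitelisting of the local host and of metadata hosts is not modelled.

```python
from urllib.parse import urlsplit

# Constructed whitelist standing in for trusted.url.domains (exact host
# match only). SimpleSAMLphp's automatic whitelisting of its own host and of
# hosts found in remote metadata is not modelled here.
TRUSTED_DOMAINS = frozenset({"sso.example.org", "sp.example.org"})


def is_safe_redirect(url: str, trusted=TRUSTED_DOMAINS) -> bool:
    """Return True only when the browser will end up on a trusted host.

    Order matters: the backslash check runs on the raw string before
    parsing, because browsers turn "\\" into "/" while URL parsers
    (parse_url, urlsplit) do not, so the parsed host name may differ
    from the one the browser actually uses.
    """
    if "\\" in url:
        # Stricter than the advisory's authority-only rule: a backslash
        # anywhere (e.g. "/\\host" in the path) makes the URL invalid.
        return False
    parts = urlsplit(url)
    if not parts.netloc:
        # No authority: relative to the current page, unless a scheme
        # such as javascript: is present.
        return parts.scheme == ""
    if parts.scheme not in ("", "http", "https"):
        return False
    # .hostname strips userinfo ("user:pw@") and the port and lowercases,
    # so "https://sso.example.org@other.example/" yields "other.example".
    host = parts.hostname
    return host is not None and host in trusted


if __name__ == "__main__":
    # Constructed URLs exercising each rule of the validator.
    for candidate in (
        "https://sso.example.org/path",
        "/relative/path",
        "https://sso.example.org@other.example/",
        "https://other.example\\@sso.example.org/",
        "//other.example/",
    ):
        print(is_safe_redirect(candidate), candidate)
```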


Affected versions

All SimpleSAMLphp versions between 1.12.0 and 1.15.1, both included.


Impact

An attacker may be able to manually craft URLs that could bypass the
whitelisting validation mechanism and take advantage of the multiple
endpoints in SimpleSAMLphp where a redirection is performed to a
user-provided URL. This can be used to perform phishing attacks by
providing inconspicuous links that appear legitimate to most users.

A mitigating factor is that some popular web browsers alert end users
when following a redirection to a URL that includes a username and
password, making the attack less transparent and giving the victim a
chance to notice it.


Resolution

Upgrade to the latest version.


Credit

This security issue was discovered during a security audit performed by
Cure53 and reported on December 18th 2017.

A report detailing further issues in the initial fix was submitted by
Juho Nurminen on January 16th 2018.
_____________________________________________________________________

Date
 January 25, 2018
Affected versions
 simplesamlphp/saml2 < 1.10.4
 simplesamlphp/saml2 < 2.3.5
 simplesamlphp/saml2 < 3.1.1
Severity
 Info
Reference
 CVE-2018-6519


201801-01

Denial of Service in timestamp validation function


Background

SAML messages and metadata use timestamps to express the validity of a
given document based on the current time. These timestamps use a common
format, xs:DateTime, in order to convey precise moments in time. Even
though the SAML standard recommends not relying on time resolutions
finer than milliseconds, the fact is that implementors use different
precisions, and therefore the SAML2 library tries to accommodate all
possible (and legal) values.


Description

When parsing a timestamp contained inside a SAML document, the SAML2
library uses a regular expression to validate its format and parse its
components. The given regular expression sets no limits for the
fraction of seconds part, such that an arbitrary amount of digits can
be processed. This opens up the possibility to perform a denial of
service attack by sending a large number of digits as the fraction of a
second in a timestamp, making the processing script choke while
evaluating the regular expression.
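An added Python example (not the saml2 library's PHP code) of a timestamp validator that removes the hazard described above: the input length is capped before any regular expression runs, and the fraction-of-seconds group is bounded instead of open-ended. The 64-character cap and the 9-digit fraction limit are assumed values, not the library's; a missing time zone is treated as UTC, which is an assumption too.

```python
import re
from datetime import datetime, timedelta, timezone

# Hard cap applied before any regular expression runs (assumed value, not
# taken from the saml2 library): a legal xs:dateTime is far shorter.
MAX_TIMESTAMP_LEN = 64

# Bounded pattern: the fraction of a second accepts at most 9 digits (an
# assumed limit) instead of the open-ended digit run the advisory describes.
XS_DATETIME = re.compile(
    r"(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})"
    r"(?:\.(\d{1,9}))?"
    r"(Z|[+-]\d{2}:\d{2})?"
)


def parse_xs_datetime(value: str) -> datetime:
    """Validate an xs:dateTime string and return an aware datetime.

    Sub-microsecond digits are dropped; SAML recommends not relying on
    resolutions finer than milliseconds anyway. Raises ValueError on
    oversized or malformed input before any expensive matching happens."""
    if len(value) > MAX_TIMESTAMP_LEN:
        raise ValueError("timestamp too long")
    m = XS_DATETIME.fullmatch(value)
    if m is None:
        raise ValueError("not a valid xs:dateTime")
    year, month, day, hour, minute, second, frac, tz = m.groups()
    micro = int((frac or "").ljust(6, "0")[:6])
    if tz is None or tz == "Z":
        tzinfo = timezone.utc  # assumption: no zone means UTC
    else:
        offset = timedelta(hours=int(tz[1:3]), minutes=int(tz[4:6]))
        tzinfo = timezone(-offset if tz[0] == "-" else offset)
    return datetime(int(year), int(month), int(day), int(hour),
                    int(minute), int(second), micro, tzinfo=tzinfo)


if __name__ == "__main__":
    print(parse_xs_datetime("2018-01-25T10:15:30.123456789Z"))
    # Constructed oversized input: rejected by the length cap, so the
    # regular expression never sees the long digit run.
    try:
        parse_xs_datetime("2018-01-25T10:15:30." + "9" * 100000 + "Z")
    except ValueError as exc:
        print("rejected:", exc)
```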


Affected versions

All simplesamlphp/saml2 versions 1.x, 2.x and 3.x are affected, up to
and including 1.10.3, 2.3.4 and 3.1, respectively.


Impact

An attacker can inject an arbitrary amount of digits into a valid
xs:DateTime timestamp and send a SAML document with it to be processed
by the library, making it hang while trying to process it, effectively
achieving a denial of service.


Resolution

Upgrade to the latest versions of the library.


Credit

This security issue was discovered during a security audit performed by
Cure53 and reported on December 18th 2017.

==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================