
====================================================================

                             CERT-Renater

                 Information Note No. 2020/VULN486
_____________________________________________________________________

DATE                : 01/09/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Windows systems running the Shibboleth Service Provider
                              IIS module, versions prior to 3.1.0.2.

=====================================================================
https://shibboleth.net/community/advisories/secadv_20200831.txt
_____________________________________________________________________


Shibboleth Service Provider Security Advisory [31 August 2020]

An updated version of the "modern" module for Microsoft IIS V7+ is
available which corrects a denial of service vulnerability.

IIS module fails to trap exceptions raised by network socket failures
======================================================================
The modern IIS module contains a flaw that fails to catch and handle
exceptions that occur on a particular code path that results from
failed attempts to read data from the HTTP client socket.

This manifests as a crash of the IIS worker process along with a
fatal log message in the Windows event log.

Because this condition has been shown experimentally to be triggerable
remotely, it constitutes a potential denial of service exploitable by
a remote, unauthenticated attacker.

This issue is specific to the newer IIS module and does not impact
the older ISAPI filter/extension or the Apache modules or any other
SP integration variants.
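The bug class the advisory describes, as an added illustration that is not cpp-sp's own code or its fix: a native module's request handler lets an exception raised by a failing client read escape to the host, beside a handler that fences every exception at the module boundary. A native IIS module is called from the IIS core, which does not handle C++ exceptions, so an escaping exception ends in std::terminate and the worker process dies. The IIS runtime, the socket and all names below (readEntity, onBeginRequest*, SocketError, flakyClient) are stand-ins that model this behaviour, not the real IIS API.

```cpp
// Added illustration of the bug class in the advisory: an exception raised
// while reading the request body escapes a native module's request handler.
// NOT Shibboleth code. The host, socket and module names are hypothetical.
#include <cstdint>
#include <functional>
#include <memory>
#include <stdexcept>
#include <string>
#include <vector>

// Stand-in for the host's request-notification return value.
enum class NotificationStatus { Continue, FinishRequest };

struct Response {
    int status = 200;
    std::string body;
};

// A failed read from the client socket (reset, timeout, early close) is
// surfaced as an exception, as on the code path the advisory describes.
struct SocketError : std::runtime_error {
    using std::runtime_error::runtime_error;
};

using ReadFn = std::function<std::vector<uint8_t>()>;

// Reads until the declared entity length is satisfied; may throw SocketError.
std::vector<uint8_t> readEntity(ReadFn readChunk, size_t declaredLength) {
    std::vector<uint8_t> buf;
    while (buf.size() < declaredLength) {
        auto chunk = readChunk();
        if (chunk.empty()) throw SocketError("connection closed before entity complete");
        buf.insert(buf.end(), chunk.begin(), chunk.end());
    }
    return buf;
}

// Vulnerable shape: no exception barrier. When the caller is the host's
// C-style core, the propagating exception terminates the worker process.
NotificationStatus onBeginRequestVulnerable(ReadFn readChunk, size_t len, Response& rsp) {
    auto body = readEntity(readChunk, len);
    rsp.body = std::string(body.begin(), body.end());
    return NotificationStatus::Continue;
}

// Hardened shape: everything that can surface on the request path is caught
// at the module boundary, logged, and turned into an error response. The
// response may be undeliverable if the client is gone; the point is that the
// worker process survives the request.
NotificationStatus onBeginRequestHardened(ReadFn readChunk, size_t len,
                                          Response& rsp, std::string& log) {
    try {
        auto body = readEntity(readChunk, len);
        rsp.body = std::string(body.begin(), body.end());
        return NotificationStatus::Continue;
    } catch (const SocketError& e) {
        log += "client read failed: " + std::string(e.what()) + "\n";
        rsp.status = 400;   // client-side fault
    } catch (const std::exception& e) {
        log += "unexpected error: " + std::string(e.what()) + "\n";
        rsp.status = 500;
    } catch (...) {
        log += "unknown error\n";
        rsp.status = 500;
    }
    return NotificationStatus::FinishRequest;
}

// Constructed client: delivers one chunk of a 10-byte entity, then the
// connection is reset. Models the remote trigger condition.
ReadFn flakyClient() {
    auto calls = std::make_shared<int>(0);
    return [calls]() -> std::vector<uint8_t> {
        if ((*calls)++ == 0) return {'a', 'b', 'c'};
        throw SocketError("recv failed: connection reset by peer");
    };
}

// True if the vulnerable handler lets the socket exception escape.
bool vulnerableLeaksException() {
    Response rsp;
    try {
        onBeginRequestVulnerable(flakyClient(), 10, rsp);
    } catch (const SocketError&) {
        return true;
    }
    return false;
}

// Status the hardened handler produces for the same failing client.
int hardenedStatus() {
    Response rsp;
    std::string log;
    onBeginRequestHardened(flakyClient(), 10, rsp, log);
    return rsp.status;
}

// Status the hardened handler produces for a well-behaved 5-byte client.
int hardenedHappyPathStatus() {
    Response rsp;
    std::string log;
    auto sent = std::make_shared<bool>(false);
    ReadFn good = [sent]() -> std::vector<uint8_t> {
        if (*sent) return {};
        *sent = true;
        return {'h', 'e', 'l', 'l', 'o'};
    };
    onBeginRequestHardened(good, 5, rsp, log);
    return rsp.status;
}
```

The catch-all at the boundary is what turns a remotely triggerable process crash into a logged 4xx/5xx; in a real native module the same barrier belongs in every notification method the host can call.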

Recommendations
===============
Update to V3.1.0.2 or later of the Windows installation package,
which is now available.

The fix is being distributed as a Windows service update (an increment
of the fourth version digit) rather than a full SP patch release, since
it is isolated to a DLL specific to the Windows package.

Other Notes
===========
The cpp-sp git commit containing the fix for this issue is
a2cfc1526b86d36d2afd921a1bf1029e79af4267

Credits
=======
Jos Groot Lipman from Aareon Nederland B.V.


URL for this Security Advisory:
https://shibboleth.net/community/advisories/secadv_20200831.txt

=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================



