=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN146

_____________________________________________________________________

DATE                : 18/03/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Shibboleth SP with OpenSAML 
                      library package versions prior to 3.3.1.

=====================================================================
http://shibboleth.net/community/advisories/secadv_20250313.txt
_____________________________________________________________________

Shibboleth Service Provider Security Advisory [13 March 2025]
OpenSAML-C++ Security Advisory [13 March 2025]

Last updated on [17 March 2025]

An updated version of the OpenSAML C++ library is available
which corrects a parameter manipulation vulnerability when
using SAML bindings that rely on non-XML signatures.

The Shibboleth Service Provider is impacted by this issue, and
it manifests as a critical security issue in that context.


Parameter manipulation allows the forging of signed SAML messages
=================================================================
A number of vulnerabilities in the OpenSAML library used by the
Shibboleth Service Provider allowed for creative manipulation of
parameters combined with reuse of the contents of older requests
to fool the library's signature verification of non-XML based
signed messages.

Most uses of that feature involve very low or low impact use cases
without critical security implications; however, there are two
scenarios that are much more critical, one affecting the SP and
one affecting some implementers who have implemented their own
code on top of our OpenSAML library and done so improperly.

The SP's support for the HTTP-POST-SimpleSign SAML binding for
Single Sign-On responses is its critical vulnerability, and
it is enabled by default (regardless of what one's published
SAML metadata may advertise).

The other critical case involves a mistake that does *not*
impact the Shibboleth SP, allowing SSO to occur over the
HTTP-Redirect binding contrary to the plain language of the
SAML Browser SSO profile. The SP does not support this, but
other implementers may have done so.


Recommendations
===============
Update to V3.3.1 (or later) of the OpenSAML library package.

On non-Windows platforms this is sufficient to address the issue
with a subsequent restart of the SP's "shibd" daemon to pick up
the change.

On Windows, the Service Provider V3.5.0.1 (or later) installer
contains the updated OpenSAML DLL and must be applied to obtain
the fix.

In all cases, the "shibd" log file will log the library versions
in use and the OpenSAML version should be at least 3.3.1 to
indicate the fix is applied. There are two log lines; the one
solely containing the OpenSAML version is erroneous on Windows
but the subsequent line logging all of the libraries used will
contain the correct value.

Contrary to the initial publication of this advisory, there is no
workaround within the SP configuration other than to remove the
"SimpleSigning" security policy rule from the security-policy.xml
file entirely.

That will also prevent support of legitimate signed requests or
responses via the HTTP-Redirect binding, which is generally used
only for logout messages within the SP itself. Maintaining support
for logout while applying the mitigation to the SP is possible by
removing the HTTP-Redirect binding from an SP's metadata so that
IdP(s) will select the HTTP-POST binding (using XML-based signatures)
in its place.
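The two checks above (confirm the OpenSAML version in the "shibd" log, and confirm whether the "SimpleSigning" rule is still present in security-policy.xml) can be scripted. The following is an added example written for this note; it is not code from the Shibboleth project or from the advisory. The log lines it parses are constructed to illustrate the advisory's point that the later line listing every library is the one to trust, so the regular expression is an assumption about wording and may need adjusting to a real shibd log. The XML sample follows the Shibboleth SP 3 configuration namespace and PolicyRule element as the author of this example understands them; the sample file itself is constructed.

```python
"""Added audit helper (not part of the Shibboleth SP or OpenSAML): verify that
the OpenSAML fix (>= 3.3.1) is loaded, and list any security policy that still
carries a SimpleSigning rule.  Log wording and the XML sample are constructed."""
import re
import xml.etree.ElementTree as ET

# Fixed version named in the advisory.
FIXED_OPENSAML = (3, 3, 1)

# Constructed sample of shibd startup output.  Per the advisory, on Windows the
# line naming only the OpenSAML version can be wrong, while the later line that
# lists all libraries carries the correct value.  Here the first line is stale.
SAMPLE_LOG = """\
2025-03-18 09:00:01 INFO Shibboleth.SP : OpenSAML 3.3.0
2025-03-18 09:00:01 INFO Shibboleth.SP : library versions: log4shib 2.0.1, \
xerces-c 3.2.5, xml-security-c 2.0.4, xmltooling 3.3.0, opensaml 3.3.1
"""

# Assumed pattern: the word "opensaml" followed by a dotted version number.
OPENSAML_RE = re.compile(r"\bopensaml\s+(\d+(?:\.\d+)+)", re.IGNORECASE)


def parse_version(text):
    """'3.3.1' -> (3, 3, 1); tuples compare numerically, so 3.10.0 > 3.3.1,
    which a plain string comparison would get wrong."""
    return tuple(int(part) for part in text.split("."))


def opensaml_version_from_log(log_text):
    """Return the OpenSAML version from the LAST log line that names it, so the
    full library list overrides the earlier single-version line."""
    version = None
    for line in log_text.splitlines():
        match = OPENSAML_RE.search(line)
        if match:
            version = parse_version(match.group(1))
    return version


def fix_applied(log_text):
    """True when the log shows OpenSAML at or above the fixed release."""
    version = opensaml_version_from_log(log_text)
    return version is not None and version >= FIXED_OPENSAML


# Assumed SP 3 configuration namespace (check against your own file).
SP_NS = "urn:mace:shibboleth:3.0:native:sp:config"

# Constructed security-policy.xml fragment still carrying the SimpleSigning rule.
SAMPLE_POLICY = f"""<SecurityPolicies xmlns="{SP_NS}">
  <Policy id="default" validate="false">
    <PolicyRule type="MessageFlow" checkReplay="true" expires="60"/>
    <PolicyRule type="XMLSigning" errorFatal="true"/>
    <PolicyRule type="SimpleSigning" errorFatal="true"/>
  </Policy>
</SecurityPolicies>
"""


def policies_with_simplesigning(xml_text):
    """Return the ids of <Policy> elements that still contain a PolicyRule of
    type SimpleSigning (nested rules are searched too)."""
    root = ET.fromstring(xml_text)
    hits = []
    for policy in root.iter(f"{{{SP_NS}}}Policy"):
        for rule in policy.iter(f"{{{SP_NS}}}PolicyRule"):
            if rule.get("type") == "SimpleSigning":
                hits.append(policy.get("id"))
                break
    return hits


if __name__ == "__main__":
    print("OpenSAML in log:", opensaml_version_from_log(SAMPLE_LOG))
    print("fix applied:", fix_applied(SAMPLE_LOG))
    print("policies still using SimpleSigning:",
          policies_with_simplesigning(SAMPLE_POLICY))
```

Run it against your real shibd log and security-policy.xml by replacing the two constructed samples; an empty list from policies_with_simplesigning means the mitigation described above has been applied, and fix_applied True means the updated library is the one actually loaded.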


Credits
=======
Thanks to Alexander Tan of SecureSAML for discovering and reporting
this vulnerability, and reviewing the changes.


History
=======
Re-published on 2025-03-14 to remove the mention of original
ineffective workaround.
Re-published on 2025-03-17 to clarify the end of the mitigation
section and a mistake in one of the log lines mentioned.

URL for this Security Advisory:
https://shibboleth.net/community/advisories/secadv_20250313.txt


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
