ADVISORY: Upgrade SAML software (includes Shibboleth) to address vulnerability

Wednesday, February 28, 2018

The information below was sent to IT staff groups via email on February 28, 2018. It is intended for U-M IT staff who are responsible for Shibboleth Service Providers (SPs), as well as U-M units or groups that run or contract for services that make use of the Shibboleth at U-M service.

Summary

There is a new vulnerability class that affects Security Assertion Markup Language (SAML)-based single sign-on (SSO) systems, such as U-M’s Shibboleth service (used by many U-M units that operate web applications). This vulnerability can allow an attacker with authenticated access to trick SAML systems into authenticating as a different user without knowledge of the victim user’s password. This affects Shibboleth and other systems. Those responsible for SAML-based SSO systems should update the affected software to patch this vulnerability and, when possible, configure their Service Provider (SP) to utilize encryption.

Problem

This vulnerability, caused by XML comment handling, can allow an attacker with authenticated access to trick SAML systems into authenticating as a different user without knowledge of the victim user’s password. In Shibboleth, the vulnerability allows for changes to an XML document that do not break a digital signature but can alter the user data passed through to applications behind the Service Provider and result in impersonation attacks and exposure of protected information.
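The following added example (not code from the U-M advisory, the Shibboleth project, or Duo Labs) illustrates the parsing behaviour behind this vulnerability class and a hardened extractor a Service Provider could use as a defence-in-depth check. It uses Python's standard-library `xml.dom.minidom`, which preserves comment nodes the way several of the affected SAML libraries did. The two SAML `Subject` fragments, the element names, and the identity values are constructed for the example; `naive_name_id`, `strict_name_id`, `is_safe_name_id`, and `elements_with_comment_in_text` are hypothetical helper names.

```python
"""Added example: comment-tolerant text extraction versus a strict extractor
for a SAML NameID, plus a detection helper for mixed text/comment content."""
from xml.dom import minidom

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample fragments (not real U-M data). The second one carries an
# XML comment inside the NameID text, the pattern the advisory describes.
CLEAN = (
    '<saml:Subject xmlns:saml="%s">'
    '<saml:NameID>alice@example.edu</saml:NameID>'
    '</saml:Subject>' % SAML_NS
)
WITH_COMMENT = (
    '<saml:Subject xmlns:saml="%s">'
    '<saml:NameID>alice@example.edu<!---->.constructed.example</saml:NameID>'
    '</saml:Subject>' % SAML_NS
)


def _name_id_element(xml_text):
    """Return the single NameID element of the fragment or fail loudly."""
    doc = minidom.parseString(xml_text)
    elems = doc.getElementsByTagNameNS(SAML_NS, "NameID")
    if len(elems) != 1:
        raise ValueError("expected exactly one NameID, found %d" % len(elems))
    return elems[0]


def naive_name_id(xml_text):
    """Flawed pattern: read only the first text node. A comment splits the
    text into two nodes, so everything after the comment is silently lost
    while the enveloping signature still verifies."""
    first = _name_id_element(xml_text).firstChild
    if first is None or first.nodeType != first.TEXT_NODE:
        return ""
    return first.data


def strict_name_id(xml_text):
    """Hardened pattern: concatenate all text/CDATA children and reject any
    other child node (comment, element, processing instruction)."""
    elem = _name_id_element(xml_text)
    parts = []
    for child in elem.childNodes:
        if child.nodeType in (child.TEXT_NODE, child.CDATA_SECTION_NODE):
            parts.append(child.data)
        else:
            raise ValueError("NameID contains non-text child: %s" % child.nodeName)
    value = "".join(parts).strip()
    if not value:
        raise ValueError("empty NameID")
    return value


def is_safe_name_id(xml_text):
    """True when the strict extractor accepts the NameID, False otherwise."""
    try:
        strict_name_id(xml_text)
        return True
    except ValueError:
        return False


def elements_with_comment_in_text(xml_text):
    """Detection helper: qualified names of every element whose children mix
    text and comment nodes. Useful for logging suspicious assertions."""
    doc = minidom.parseString(xml_text)
    flagged = []

    def walk(node):
        for child in node.childNodes:
            if child.nodeType == child.ELEMENT_NODE:
                kinds = {c.nodeType for c in child.childNodes}
                if child.COMMENT_NODE in kinds and child.TEXT_NODE in kinds:
                    flagged.append(child.tagName)
                walk(child)

    walk(doc)
    return flagged


if __name__ == "__main__":
    for label, fragment in (("clean", CLEAN), ("with comment", WITH_COMMENT)):
        print(label, "naive:", naive_name_id(fragment))
        print(label, "strict accepts:", is_safe_name_id(fragment))
        print(label, "flagged:", elements_with_comment_in_text(fragment))
```

The strict extractor is a complement to, not a substitute for, updating the SAML library: the library fix corrects the canonicalization and text handling at the layer where the signature is checked, while a check like this in application code only catches the specific mixed-content shape shown here.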

Threats

  • Leaked private data: Vulnerable services (Shibboleth + other SAML software) can be leveraged by an unauthenticated attacker to reveal private data about users of the service.
  • Impersonation attacks: Attackers can leverage vulnerable services to impersonate other registered users of the service and potentially gain access to privileged resources.

Affected Systems

Duo Labs has identified some vendor products affected by the flaw. Additional vendor products and open source libraries are likely affected.

  • OneLogin - python-saml - CVE-2017-11427
  • OneLogin - ruby-saml - CVE-2017-11428
  • Clever - saml2-js - CVE-2017-11429
  • OmniAuth-SAML - CVE-2017-11430
  • Shibboleth - CVE-2018-0489
  • Duo Network Gateway - CVE-2018-7340

At U-M, this is known to affect at least the services that utilize the ITS-operated Shibboleth single sign-on service. Action to mitigate this vulnerability needs to be taken by the U-M units that operate services built on that service.

Action Items

  • Know how to update your SAML software, and keep it up-to-date.
  • If your SAML software is provided by a vendor:
    • Understand your vendor's vulnerability disclosure process.
    • Subscribe to the appropriate communication channels to be notified of vendor updates.
    • Run a supported, up-to-date version of the software.
  • For Shibboleth SPs (such as those applications using U-M’s single sign-on service):
    • Apply updates: An updated version of the Shibboleth Project's XMLTooling library is available that mitigates the identified security issue. Those responsible for Shibboleth SPs should upgrade to V1.6.4 or later of the XMLTooling-C library and restart the affected processes (shibd, Apache, and so on). See the Shibboleth Service Provider Security Advisory for details.
    • Enable encryption: Where possible, implement XML encryption in your SP configuration. XML encryption is a significant mitigation measure to protect private SP communications from this vulnerability. Although there are no demonstrated methods to exploit this vulnerability on Shibboleth SPs employing encryption, it may still be possible. So, even with encryption enabled, the XMLTooling library should also be updated as recommended above.