The Shibboleth Consortium announced today a security advisory for all versions of Shibboleth Service Provider (SP).
Please note that this security advisory does NOT impact Shibboleth Identity Providers (IdP).
According to the security advisory
the problem exists due to the version of the XMLTooling-C library used
by Shibboleth. This library is used by Shibboleth to parse the XML
content of the SAML Assertions that are posted to the service provider.
“make it impossible to fully disable Document Type Definition (DTD) processing.”
addition/manipulation of a DTD, it’s possible to make changes to an XML
document that do not break a digital signature but are mishandled by
the SP and its libraries. These manipulations can alter the user data
passed through to applications behind the SP and result in impersonation
attacks and exposure of protected information.”
Therefore this vulnerability can result in a malicious user modifying a SAML assertion.
Are you vulnerable?
platforms are more vulnerable than others; for example Windows systems
have a version of the XMLTooling which has DTD-specification disabled.
Linux (and Mac) systems running Shibboleth SP, however, currently appear
to be vulnerable.
If you are not using the Shibboleth SP v2.6.1 we recommend immediately updating.
Furthermore, if you are using the 2.6.1 release of Shibboleth, please ensure that your XMLTooling libraries are up-to-date.
Red Hat/CentOS, we recommend using the official Shibboleth
Repositories. To see a list of all packages which need updating within
$ sudo yum --disablerepo='*' --enablerepo='security_shibboleth' list available
Non-RPM-based installations will need to manually update to v.1.6.3 of the XMLTooling-C library.
BCS Engineering is always available to assist with emergency patching, or with planning for updates for your Shibboleth or SAML-based Single Sign On (SSO) Infrastructure. Contact us to schedule a consultation with one of our Shibboleth Engineers regarding your SSO environment today!