
FreeBSD: VID-0B43FAC4-005D-11F0-A540-6CC21735F730: shibboleth-sp -- Parameter manipulation allows the forging of signed SAML messages

Severity
10
CVSS
(AV:N/AC:L/Au:N/C:C/I:C/A:C)
Published
03/13/2025
Added
03/15/2025
Modified
03/24/2025

Description

The Shibboleth Project reports:

An updated version of the OpenSAML C++ library is available which corrects a parameter manipulation vulnerability when using SAML bindings that rely on non-XML signatures. The Shibboleth Service Provider is impacted by this issue, and it manifests as a critical security issue in that context.

Parameter manipulation allows the forging of signed SAML messages

A number of vulnerabilities in the OpenSAML library used by the Shibboleth Service Provider allowed for creative manipulation of parameters combined with reuse of the contents of older requests to fool the library's signature verification of non-XML based signed messages.

Most uses of that feature involve very low or low impact use cases without critical security implications; however, there are two scenarios that are much more critical, one affecting the SP and one affecting some implementers who have implemented their own code on top of our OpenSAML library and done so improperly.

The SP's support for the HTTP-POST-SimpleSign SAML binding for Single Sign-On responses is its critical vulnerability, and it is enabled by default (regardless of what one's published SAML metadata may advertise).

The other critical case involves a mistake that does *not* impact the Shibboleth SP, allowing SSO to occur over the HTTP-Redirect binding contrary to the plain language of the SAML Browser SSO profile. The SP does not support this, but other implementers may have done so.

Prior to updating, it is possible to mitigate the POST-SimpleSign vulnerability by editing the protocols.xml configuration file and removing this line:

path="/SAML2/POST-SimpleSign" />
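To verify that the interim mitigation above has actually been applied on a host, the following added example (not part of the advisory or of the Shibboleth project's own tooling) scans a protocols.xml document for any binding element whose path attribute is the POST-SimpleSign endpoint and produces a copy with those elements removed. The sample document, its namespace and the Binding element layout are constructed assumptions about the file's shape, not text taken from the advisory.

```python
"""Find and strip the HTTP-POST-SimpleSign binding from a Shibboleth SP
protocols.xml, so the pre-upgrade mitigation can be checked and applied."""
import xml.etree.ElementTree as ET

SIMPLESIGN_PATH = "/SAML2/POST-SimpleSign"  # endpoint path named in the advisory

# Constructed sample in the assumed shape of a protocols.xml; the namespace
# URI and element names are assumptions, not copied from the advisory.
SAMPLE_PROTOCOLS_XML = """<Protocols xmlns="urn:mace:shibboleth:3.0:native:sp:protocols">
  <Protocol id="SAML2">
    <Service id="SSO">
      <Binding id="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" path="/SAML2/POST"/>
      <Binding id="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" path="/SAML2/POST-SimpleSign"/>
    </Service>
  </Protocol>
</Protocols>
"""


def find_simplesign_bindings(xml_text):
    """Return every element whose path attribute is the SimpleSign endpoint.
    Matching on the attribute rather than the tag name keeps this independent
    of the document's namespace prefix."""
    root = ET.fromstring(xml_text)
    return [el for el in root.iter() if el.get("path") == SIMPLESIGN_PATH]


def is_mitigated(xml_text):
    """True when no SimpleSign binding remains in the document."""
    return not find_simplesign_bindings(xml_text)


def remove_simplesign_bindings(xml_text):
    """Return (new_xml, removed_count) with every SimpleSign binding dropped.
    ElementTree keeps no parent pointers, so a child->parent map is built first."""
    root = ET.fromstring(xml_text)
    if root.tag.startswith("{"):
        # keep the default namespace unprefixed when serialising
        ET.register_namespace("", root.tag[1:].split("}")[0])
    parent_of = {child: parent for parent in root.iter() for child in parent}
    targets = [el for el in root.iter() if el.get("path") == SIMPLESIGN_PATH]
    for el in targets:
        parent_of[el].remove(el)
    return ET.tostring(root, encoding="unicode"), len(targets)


if __name__ == "__main__":
    cleaned, count = remove_simplesign_bindings(SAMPLE_PROTOCOLS_XML)
    print(f"removed {count} SimpleSign binding(s); mitigated={is_mitigated(cleaned)}")
```

Point the functions at the contents of the live protocols.xml to audit a deployed SP; a non-empty result from find_simplesign_bindings means the vulnerable binding is still configured.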





Solution

freebsd-upgrade-package-opensaml
