The Shibboleth Consortium announced today a security advisory for all versions of Shibboleth Service Provider (SP).
Please note that this security advisory does NOT impact Shibboleth Identity Providers (IdP).
According to the security advisory the problem exists due to the version of the XMLTooling-C library used by Shibboleth. This library is used by Shibboleth to parse the XML content of the SAML Assertions that are posted to the service provider. The issues:
“make it impossible to fully disable Document Type Definition (DTD) processing.”
“Through addition/manipulation of a DTD, it’s possible to make changes to an XML document that do not break a digital signature but are mishandled by the SP and its libraries. These manipulations can alter the user data passed through to applications behind the SP and result in impersonation attacks and exposure of protected information.”
Therefore this vulnerability can result in a malicious user modifying a SAML assertion.
Are you vulnerable?
Some platforms are more vulnerable than others; for example Windows systems have a version of the XMLTooling which has DTD-specification disabled. Linux (and Mac) systems running Shibboleth SP, however, currently appear to be vulnerable.
If you are not using the Shibboleth SP v2.6.1 we recommend immediately updating.
Furthermore, if you are using the 2.6.1 release of Shibboleth, please ensure that your XMLTooling libraries are up-to-date.
For Red Hat/CentOS, we recommend using the official Shibboleth Repositories. To see a list of all packages which need updating within this repo:
$ sudo yum --disablerepo='*' --enablerepo='security_shibboleth' list available
Non-RPM-based installations will need to manually update to v.1.6.3 of the XMLTooling-C library.
Need help?
BCS Engineering is always available to assist with emergency patching, or with planning for updates for your Shibboleth or SAML-based Single Sign On (SSO) Infrastructure. Contact us to schedule a consultation with one of our Shibboleth Engineers regarding your SSO environment today!