shibboleth-dev - Shibboleth Service Provider Security Advisory [4 August 2004]

Subject: Shibboleth Developers

  • From: "Scott Cantor" <>
  • To: <>, <>
  • Subject: Shibboleth Service Provider Security Advisory [4 August 2004]
  • Date: Thu, 5 Aug 2004 16:11:13 -0400
  • Organization: The Ohio State University

Shibboleth Service Provider Security Advisory [4 August 2004]

Updated versions of the Shibboleth Service Provider software
are now available which correct a security issue:


Incorrect SAML request/response correlation
===============================================

Bugs in OpenSAML and libcurl through at least 7.10.8 combine
to result in a possibility of SAML SOAP request messages being
correlated to a SOAP response sent earlier over the same HTTP
connection.

See http://www.opensaml.org/secadv/secadv_20040804.txt for more
information about this issue.

The Shibboleth Service Provider software uses OpenSAML to issue
SAML queries to the Attribute Authority provided as part of the
Shibboleth System. The correlation bug can cause a critical
security exposure if a timeout condition in the "shar" service is
triggered due to a delay in receiving a response. If Keep-Alives
are enabled with that AA, OpenSAML sometimes fails to close the
connection and may associate a later query with a response sent
by the AA in response to the original timed-out query.

The bug can thus cause attributes returned by an AA to be
associated with the wrong user session.

All versions of OpenSAML included with Shibboleth releases
from 1.1 to 1.2 inclusive are potentially affected by this issue.

However, the OpenSAML documentation accompanying Shibboleth
1.2 advises the use of a new enough version of libcurl (7.11.1)
to mitigate the possibility of the bug occurring. The binaries
shipped for Windows with 1.2 also include this version.
Therefore sites running 1.2 (and a libcurl at least as new as
7.11.1) are not immediately affected, but should upgrade at
their earliest convenience.


Recommendations
---------------

Verify that the curl/libcurl version in use is at least
7.11.1.

Upgrade to the latest patched releases of OpenSAML, per the
security advisory here:

http://www.opensaml.org/secadv/secadv_20040804.txt

For those building Shibboleth 1.1 or 1.2 from source, replacing
the version of "libsaml.so" in your installed system will correct
the problem. You DO NOT need to rebuild Shibboleth itself,
and no configuration changes are needed.

For users running Windows, a new package and post-install set
for version 1.2 has been created and is available at the
download site:

http://wayf.internet2.edu/shibboleth/

The distribution file names are:

o win32/shibboleth-1.2-win32.exe
GPG: shibboleth-1.2-win32.exe.asc

o win32/shibboleth-1.2-win32-postinstall.zip
GPG: shibboleth-1.2-win32-postinstall.zip.asc

The postinstall archive can be used to replace the updated files
in an installed version. All files updated since the original
release of version 1.2 are included.

Credits
-------
Patches for these issues were created by Scott Cantor,
the principal developer.


URL for this Security Advisory:
http://shibboleth.internet2.edu/secadv/secadv_20040804.txt
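
The correlation failure described in this advisory, modelled with two defensive checks (close the connection on timeout, and compare the SAML response's InResponseTo with the RequestID just sent). This is an added illustration, not the OpenSAML patch or any project code; `Connection`, `queryNaive`, `queryChecked` and the sample identifiers are hypothetical and constructed.

```cpp
#include <deque>
#include <iostream>
#include <string>

struct Response { std::string inResponseTo, attributes; };

// Hypothetical stand-in for one persistent (Keep-Alive) HTTP connection to the AA.
struct Connection {
    std::deque<Response> inbound;  // responses readable on the socket, oldest first
    bool open = true;
};

// Flawed pattern: a timeout leaves the connection open, and the next caller
// accepts whichever response is read first.
bool queryNaive(Connection& c, const std::string& requestId, Response& out) {
    (void)requestId;                          // never compared with the response
    if (c.inbound.empty()) return false;      // models the timeout
    out = c.inbound.front(); c.inbound.pop_front();
    return true;
}

// Defensive pattern: drop the connection on timeout, and reject a response
// whose InResponseTo differs from the RequestID just sent.
bool queryChecked(Connection& c, const std::string& requestId, Response& out) {
    if (c.inbound.empty()) { c.open = false; return false; }
    Response r = c.inbound.front(); c.inbound.pop_front();
    if (r.inResponseTo != requestId) { c.open = false; c.inbound.clear(); return false; }
    out = r;
    return true;
}

// Constructed scenario: the query for session A times out, the AA's answer
// arrives late, then session B's query is sent.
template <typename Query>
std::string attributesGivenToSessionB(Query query) {
    Connection c; Response r;
    query(c, "req-A", r);                                  // times out
    if (c.open) c.inbound.push_back({"req-A", "attrs-of-user-A"});  // late answer
    else c = Connection();                                 // closed: reconnect
    c.inbound.push_back({"req-B", "attrs-of-user-B"});
    return query(c, "req-B", r) ? r.attributes : std::string("none");
}

int main() {
    std::cout << "naive:   " << attributesGivenToSessionB(queryNaive) << "\n"
              << "checked: " << attributesGivenToSessionB(queryChecked) << "\n";
}
```

The identifier comparison still rejects a stale response when a connection is left open after a timeout, so the two checks back each other up.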



