shibboleth-dev - Shibboleth Service Provider Security Advisory [1 September 2005] (UPDATE)

List: shibboleth-dev (Shibboleth Developers)

  • From: "Scott Cantor" <>
  • To: <>, <>, <>
  • Subject: Shibboleth Service Provider Security Advisory [1 September 2005] (UPDATE)
  • Date: Thu, 1 Sep 2005 12:40:10 -0400
  • Organization: The Ohio State University

Below is the updated version of the advisory that I sent a couple of hours
ago. 1.3 has been patched to 1.3a and corrects the problem. I do not have
adequate means to easily test earlier versions, and the patch would take a
little longer in any case because it has to be applied to both the IIS and
Apache modules separately (in 1.3, this code is in a single library).

If people running 1.2.x are using the lazy session feature, and need the
patch, and are willing to help test it, I'm willing to do it. I doubt I can
package binaries for that right off, but I can release the source.

As noted in the advisory, I don't have the Solaris package and Mac binaries
rebuilt yet for 1.3a, but they should be up by end of today at the latest
and I'll update the advisory text on the web site once they are up.

Thanks again to Velpi for reporting this problem, hopefully 2.5 hours is
adequate turn-around time. ;-)

-- Scott

---

Shibboleth Service Provider Security Advisory [1 September 2005]

Updated versions of the Shibboleth 1.3 Service Provider software
are now available which correct a security issue.

A patch may be made available for earlier versions if conditions
warrant and a volunteer can be found to test it.


Lazy session mechanism vulnerable to header spoofing
====================================================

Shibboleth supports a concept called lazy sessions, fully described
at https://authdev.it.ohio-state.edu/twiki/bin/view/Shibboleth/LazySession

When lazy sessions are used, the code in the SP module that clears any
client-supplied request headers carrying the names the SP uses to pass
authentication and attribute information to the application is not run.
This means that a client could supply a spoofed header with the right name
and fool an application into believing that the header was set by the
Shibboleth software.

When the normal "requireSession" mechanism is used, which enforces
a session based on the URL of the request, this code always runs on
any request that is allowed through to the application at all (a
request without a session is redirected to authenticate instead).

All versions of Shibboleth that support lazy sessions are vulnerable
to this issue (1.2 and later).


Recommendations
---------------

When possible, upgrade to the latest patched release of Shibboleth,
1.3a.

SP deployments running earlier versions of Shibboleth are urged
to disable the use of lazy sessions and rely only on mandatory
session establishment.

For users running Windows, a new package and post-install set
for version 1.3a has been created and is available at the
download site. New RPMs (1.3-5) have also been created for
Fedora Core 3. Updated Solaris and Mac binaries will be
available shortly.

http://wayf.internet2.edu/shibboleth/

The Win32 distribution file names are:

o win32/shibboleth-sp-1.3a-win32.msi
GPG: win32/shibboleth-sp-1.3a-win32.msi.asc

o win32/shibboleth-sp-1.3-win32-postinstall.zip
GPG: win32/shibboleth-sp-1.3-win32-postinstall.zip.asc

Credits
-------
Thanks to Velpi for reporting this problem.

URL for this Security Advisory:
http://shibboleth.internet2.edu/secadv/secadv_20050901.txt
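
The following model of the issue described under "Lazy session mechanism
vulnerable to header spoofing" is an added example; it is not Shibboleth's
own code. It imitates the per-request work of an SP web-server module
(clear the SP-controlled request headers, then export the session's
attributes) so that the vulnerable behaviour on a lazy-session location can
be compared with the fixed one and with a requireSession location. The
header names in SP_EXPORTED, the CGI-style name normalisation, the
Request/sp_module/is_member functions and the lazy/patched switches are
assumptions made for illustration, not the SP's actual configuration or API.

```python
# Added example, not Shibboleth's own code.  Header names, the CGI-style
# normalisation and the lazy/patched switches are assumptions for illustration.
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Attribute headers the module exports to the application when a session exists
# (assumed names; the real set is configured per deployment).
SP_EXPORTED = ("Shib-Identity-Provider", "Shib-Authentication-Method",
               "Shib-EP-Affiliation")


def cgi_name(header: str) -> str:
    """Map an HTTP header name to the CGI variable an application reads from it:
    uppercase, non-alphanumerics become '_', prefix HTTP_.  Clearing on this
    form catches case and dash/underscore variants of a spoofed header."""
    return "HTTP_" + re.sub(r"[^A-Z0-9]", "_", header.upper())


SP_EXPORTED_CGI = frozenset(cgi_name(h) for h in SP_EXPORTED)


@dataclass
class Request:
    path: str
    headers: Dict[str, str]                   # raw headers as the client sent them
    session: Optional[Dict[str, str]] = None  # attributes of an established SP session


def sp_module(req: Request, *, lazy: bool, patched: bool) -> Optional[Dict[str, str]]:
    """Per-request work of the modelled SP module.

    lazy:    the location uses lazy sessions (no requireSession)
    patched: fixed behaviour (1.3a) instead of the vulnerable one
    Returns the environment the application sees, or None when requireSession
    sends the client off to authenticate instead of passing the request on.
    """
    env = {cgi_name(k): v for k, v in req.headers.items()}

    # requireSession: without a session the request never reaches the app.
    if not lazy and req.session is None:
        return None

    # Clear anything the client sent under an SP-controlled name.  The
    # vulnerable versions skipped this step on lazy-session locations.
    if patched or not lazy:
        for name in SP_EXPORTED_CGI:
            env.pop(name, None)

    # Export the session's attributes, if there is a session.
    if req.session:
        for k, v in req.session.items():
            env[cgi_name(k)] = v
    return env


def is_member(env: Dict[str, str]) -> bool:
    """A typical lazy-session application: the page is public, but the app
    trusts Shib-EP-Affiliation to decide who gets member-only content."""
    return "member" in env.get("HTTP_SHIB_EP_AFFILIATION", "").split(";")


def demo() -> Dict[str, bool]:
    """Run constructed requests through both module behaviours."""
    # Constructed traffic: an anonymous client spoofs the attribute header,
    # once with the exact name and once with a case/underscore variant.
    spoof = Request("/members", {"Host": "sp.example.org",
                                 "Shib-EP-Affiliation": "member"})
    spoof_variant = Request("/members", {"Host": "sp.example.org",
                                         "shib_ep_affiliation": "member"})
    # A client with a real session (affiliation "staff") also tries it.
    staff = Request("/members", {"Shib-EP-Affiliation": "member"},
                    session={"Shib-EP-Affiliation": "staff",
                             "Shib-Identity-Provider": "https://idp.example.org"})

    def seen(req: Request, **cfg) -> bool:
        env = sp_module(req, **cfg)
        return is_member(env) if env is not None else False

    return {
        "lazy_unpatched_spoof":   seen(spoof, lazy=True, patched=False),          # True
        "lazy_unpatched_variant": seen(spoof_variant, lazy=True, patched=False),  # True
        "lazy_patched_spoof":     seen(spoof, lazy=True, patched=True),           # False
        "lazy_patched_variant":   seen(spoof_variant, lazy=True, patched=True),   # False
        "lazy_unpatched_staff":   seen(staff, lazy=True, patched=False),          # False
        "require_session_spoof":  seen(spoof, lazy=False, patched=False),         # False
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:24s} member={result}")
```

The same traffic is what a deployment check looks like: send a request to a
lazy-session URL with a Shib-* header the application is known to consume,
in its exact form and in a case or underscore variant, and see whether the
application reflects it; if it does, the clearing step is not running for
that location, and the location should be moved to requireSession until the
SP is upgraded.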


