Shibboleth XMLTooling-C before 1.6.4, as used in Shibboleth Service Provider before 2.6.1.4 on Windows and other products, mishandles digital signatures of user data, which allows remote attackers to obtain sensitive information or conduct impersonation attacks via crafted XML data. NOTE: this issue exists because of an incomplete fix for CVE-2018-0486.

This update for xmltooling fixes the following issues :

  - CVE-2018-0489: Fixed a security bug when xmltooling     mishandled digital signatures of user data, which allows     remote attackers to obtain sensitive information or     conduct impersonation attacks via crafted XML data.
    NOTE: this issue exists because of an incomplete fix for     CVE-2018-0486. (bsc#1083247)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for xmltooling fixes the following issues :

  - CVE-2018-0489: Fixed a security bug when xmltooling     mishandled digital signatures of user data, which allows     remote attackers to obtain sensitive information or     conduct impersonation attacks via crafted XML data.
    NOTE: this issue exists because of an incomplete fix for     CVE-2018-0486. (bsc#1083247)

This update was imported from the SUSE:SLE-12-SP1:Update update project.

The version of Shibboleth Service Provider installed on the remote host is version 2.0 prior to 2.6. As a result it is affected by a user attribute forgery issue which could allow an attacker to impersonate a valid user and gain access to sensitive information.

Note: Though versions higher than 2.6 are not vulnerable, 2.6.1.4 contains a patch for the affected library (XMLTooling-C) and is recommended by the vendor.

Shibboleth consortium reports :

Shibboleth SP software vulnerable to additional data forgery flaws

The XML processing performed by the Service Provider software has been found to be vulnerable to new flaws similar in nature to the one addressed in an advisory last month.

These bugs involve the use of other XML constructs rather than entity references, and therefore required additional mitigation once discovered. As with the previous issue, this flaw allows for changes to an XML document that do not break a digital signature but can alter the user data passed through to applications behind the SP and result in impersonation attacks and exposure of protected information.

As before, the use of XML Encryption is a significant mitigation, but we have not dismissed the possibility that attacks on the Response 'envelope' may be possible, in both the original and this new case. No actual attacks of this nature are known, so deployers should prioritize patching systems that expect to handle unencrypted SAML assertions.

An updated version of XMLTooling-C (V1.6.4) is available that protects against these new attacks, and should help prevent similar vulnerabilities in the future.

Unlike the previous case, these bugs are NOT prevented by any existing Xerces-C parser version on any platform and cannot be addressed by any means other than the updated XMLTooling-C library.

The Service Provider software relies on a generic XML parser to process SAML responses and there are limitations in older versions of the parser that make it impossible to fully disable Document Type Definition (DTD) processing.

Through addition/manipulation of a DTD, it's possible to make changes to an XML document that do not break a digital signature but are mishandled by the SP and its libraries. These manipulations can alter the user data passed through to applications behind the SP and result in impersonation attacks and exposure of protected information.

While newer versions of the xerces-c3 parser are configured by the SP into disallowing the use of a DTD via an environment variable, this feature is not present in the xerces-c3 parser before version 3.1.4, so an additional fix is being provided now that an actual DTD exploit has been identified. Xerces-c3-3.1.4 was committed to the ports tree already on 2016-07-26.

Kelby Ludwig and Scott Cantor discovered that the Shibboleth service provider is vulnerable to impersonation attacks and information disclosure due to incorrect XML parsing. For additional details please refer to the upstream advisory at https://shibboleth.net/community/advisories/secadv_20180227.txt

ID	Name	Product	Family	Severity
108451	SUSE SLES12 Security Update : xmltooling (SUSE-SU-2018:0720-1)	Nessus	SuSE Local Security Checks	medium
108440	openSUSE Security Update : xmltooling (openSUSE-2018-276)	Nessus	SuSE Local Security Checks	medium
107267	Shibboleth 2.0 < 2.6 XMLTooling-C DTD Processing Forgery Vulnerability	Nessus	Windows	medium
107042	FreeBSD : shibboleth-sp -- vulnerable to forged user attribute data (22438240-1bd0-11e8-a2ec-6cc21735f730)	Nessus	FreeBSD Local Security Checks	medium
107026	Debian DSA-4126-1 : xmltooling - security update	Nessus	Debian Local Security Checks	medium

Detections

Analytics

CVE-2018-0489

medium

Tenable Plugins

medium

medium

medium

medium

medium