FreeBSD : shibboleth-sp -- vulnerable to forged user attribute data (3dbe9492-f7b8-11e7-a12d-6cc21735f730)

medium Nessus Plugin ID 106036

Language:

Synopsis

The remote FreeBSD host is missing one or more security-related updates.

Description

Shibboleth consortium reports :

Shibboleth SP software vulnerable to forged user attribute data

The Service Provider software relies on a generic XML parser to process SAML responses and there are limitations in older versions of the parser that make it impossible to fully disable Document Type Definition (DTD) processing.

Through addition/manipulation of a DTD, it's possible to make changes to an XML document that do not break a digital signature but are mishandled by the SP and its libraries. These manipulations can alter the user data passed through to applications behind the SP and result in impersonation attacks and exposure of protected information.

While newer versions of the xerces-c3 parser are configured by the SP into disallowing the use of a DTD via an environment variable, this feature is not present in the xerces-c3 parser before version 3.1.4, so an additional fix is being provided now that an actual DTD exploit has been identified. Xerces-c3-3.1.4 was committed to the ports tree already on 2016-07-26.

Solution

Update the affected packages.

See Also

https://shibboleth.net/community/advisories/secadv_20180112.txt

http://www.nessus.org/u?8ba1d738

Plugin Details

Severity: Medium

ID: 106036

File Name: freebsd_pkg_3dbe9492f7b811e7a12d6cc21735f730.nasl

Version: 1.5

Type: local

Published: 1/15/2018

Updated: 11/10/2018

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.3

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:xerces-c3, p-cpe:/a:freebsd:freebsd:xmltooling, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 1/12/2018

Vulnerability Publication Date: 1/12/2018

Reference Information

CVE: CVE-2018-0486