Debian DSA-4127-1 : simplesamlphp - security update

critical Nessus Plugin ID 107119

Synopsis

The remote Debian host is missing a security-related update.

Description

Several vulnerabilities have been discovered in SimpleSAMLphp, a framework for authentication, primarily via the SAML protocol.

- CVE-2017-12867 Attackers with access to a secret token could extend its validity period by manipulating the prepended time offset.

- CVE-2017-12869 When using the multiauth module, attackers can bypass authentication context restrictions and use any authentication source defined in the config.

- CVE-2017-12873 Defensive measures have been taken to prevent the administrator from misconfiguring persistent NameIDs to avoid identifier clash. (Affects Debian 8 Jessie only.)

- CVE-2017-12874 The InfoCard module could accept incorrectly signed XML messages in rare occasions.

- CVE-2017-18121 The consentAdmin module was vulnerable to a Cross-Site Scripting attack, allowing an attacker to craft links that could execute arbitrary JavaScript code in the victim's browser.

- CVE-2017-18122 The (deprecated) SAML 1.1 implementation would regard as valid any unsigned SAML response containing more than one signed assertion, provided that the signature of at least one of the assertions was valid, allowing an attacker that could obtain a valid signed assertion from an IdP to impersonate users from that IdP.

- CVE-2018-6519 Regular expression denial of service when parsing extraordinarily long timestamps.

- CVE-2018-6521 Change sqlauth module MySQL charset from utf8 to utf8mb to prevent theoretical query truncation that could allow remote attackers to bypass intended access restrictions

- CVE-2018-7644 Critical signature validation vulnerability.

Solution

Upgrade the simplesamlphp packages.

For the oldstable distribution (jessie), these problems have been fixed in version 1.13.1-2+deb8u1.

For the stable distribution (stretch), these problems have been fixed in version 1.14.11-1+deb9u1.

See Also

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889286

https://security-tracker.debian.org/tracker/CVE-2017-12867

https://security-tracker.debian.org/tracker/CVE-2017-12869

https://security-tracker.debian.org/tracker/CVE-2017-12873

https://security-tracker.debian.org/tracker/CVE-2017-12874

https://security-tracker.debian.org/tracker/CVE-2017-18121

https://security-tracker.debian.org/tracker/CVE-2017-18122

https://security-tracker.debian.org/tracker/CVE-2018-6519

https://security-tracker.debian.org/tracker/CVE-2018-6521

https://security-tracker.debian.org/tracker/CVE-2018-7644

http://www.nessus.org/u?b2a51c10

https://packages.debian.org/source/jessie/simplesamlphp

https://packages.debian.org/source/stretch/simplesamlphp

https://www.debian.org/security/2018/dsa-4127

Plugin Details

Severity: Critical

ID: 107119

File Name: debian_DSA-4127.nasl

Version: 3.3

Type: local

Agent: unix

Published: 3/5/2018

Updated: 11/13/2018

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:simplesamlphp, cpe:/o:debian:debian_linux:8.0, cpe:/o:debian:debian_linux:9.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Patch Publication Date: 3/2/2018

Reference Information

CVE: CVE-2017-12867, CVE-2017-12869, CVE-2017-12873, CVE-2017-12874, CVE-2017-18121, CVE-2017-18122, CVE-2018-6519, CVE-2018-6521, CVE-2018-7644

DSA: 4127