Detections
Analytics

Debian dla-3485 : php-cas - security update

high Nessus Plugin ID 178052

Language:

Synopsis

The remote Debian host is missing a security-related update.

Description

The remote Debian 10 host has a package installed that is affected by a vulnerability as referenced in the dla-3485 advisory.

 ------------------------------------------------------------------------- Debian LTS Advisory DLA-3485-1 [email protected] https://www.debian.org/lts/security/ Tobias Frost July 08, 2023 https://wiki.debian.org/LTS
 -------------------------------------------------------------------------

 Package : php-cas Version : 1.3.6-1+deb10u1 CVE ID : CVE-2022-39369 Debian Bug : 1023571

 A vulnerability has been found in phpCAS, a Central Authentication Service client library in php, which may allow an attacker to gain access to a victim's account on a vulnerable CASified service without victim's knowledge, when the victim visits attacker's website while being logged in to the same CAS server.

 The fix for this vulnerabilty requires an API breaking change in php-cas and will require that software using the library be updated.

 For buster, all packages in the Debian repositories which are using php-cas have been updated, though additional manual configuration is to be expected, as php-cas needs additional site information -- the service base URL -- for it to function. The DLAs for the respective packages will have additional information, as well as the package's NEWS files.

 For 3rd party software using php-cas, please be note that upstream provided following instructions how to update this software [1]:

 phpCAS now requires an additional service base URL argument when constructing the client class. It accepts any argument of:

 1. A service base URL string. The service URL discovery will always use this server name (protocol, hostname and port number) without using any external host names.
 2. An array of service base URL strings. The service URL discovery will check against this list before using the auto discovered base URL. If there is no match, the first base URL in the array will be used as the default. This option is helpful if your PHP website is accessible through multiple domains without a canonical name, or through both HTTP and HTTPS.
 3. A class that implements CAS_ServiceBaseUrl_Interface. If you need to customize the base URL discovery behavior, you can pass in a class that implements the interface.

 Constructing the client class is usually done with phpCAS::client().

 For example, using the first possiblity:
 phpCAS::client(CAS_VERSION_2_0, $cas_host, $cas_port, $cas_context);
 could become:
 phpCAS::client(CAS_VERSION_2_0, $cas_host, $cas_port, $cas_context, https://casified- service.example.org:8080);


 Details of the vulnerability:

 CVE-2022-39369

 The phpCAS library uses HTTP headers to determine the service URL used to validate tickets. This allows an attacker to control the host header and use a valid ticket granted for any authorized service in the same SSO realm (CAS server) to authenticate to the service protected by phpCAS. Depending on the settings of the CAS server service registry in worst case this may be any other service URL (if the allowed URLs are configured to ^(https)://.*) or may be strictly limited to known and authorized services in the same SSO federation if proper URL service validation is applied.

 [1] https://github.com/apereo/phpCAS/blob/f3db27efd1f5020e71f2116f637a25cc9dbda1e3/docs/Upgrading#L1C1-L1C1

 For Debian 10 buster, this problem has been fixed in version 1.3.6-1+deb10u1.

 We recommend that you upgrade your php-cas packages.

 For the detailed security status of php-cas please refer to its security tracker page at:
 https://security-tracker.debian.org/tracker/php-cas

 Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS Attachment:
 signature.asc Description: PGP signature

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Upgrade the php-cas packages.

See Also

https://security-tracker.debian.org/tracker/source-package/php-cas

https://security-tracker.debian.org/tracker/CVE-2022-39369

https://packages.debian.org/source/buster/php-cas

Plugin Details

Severity: High

ID: 178052

File Name: debian_DLA-3485.nasl

Version: 1.1

Type: local

Agent: unix

Published: 7/8/2023

Updated: 1/22/2025

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 6.7

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2022-39369

CVSS v3

Risk Factor: High

Base Score: 8

Temporal Score: 7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:debian:debian_linux:10.0, p-cpe:/a:debian:debian_linux:php-cas

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Ease: No known exploits are available

Patch Publication Date: 7/8/2023

Vulnerability Publication Date: 10/31/2022

Reference Information

CVE: CVE-2022-39369