FreeBSD : shibboleth-sp -- Parameter manipulation allows the forging of signed SAML messages (0b43fac4-005d-11f0-a540-6cc21735f730)

high Nessus Plugin ID 232723

Synopsis

The remote FreeBSD host is missing one or more security-related updates.

Description

The version of the opensaml package installed on the remote FreeBSD host is prior to the tested (fixed) version. It is, therefore, affected by a vulnerability as referenced in the 0b43fac4-005d-11f0-a540-6cc21735f730 advisory.

The Shibboleth Project reports:

An updated version of the OpenSAML C++ library is available which corrects a parameter manipulation vulnerability when using SAML bindings that rely on non-XML signatures. The Shibboleth Service Provider is impacted by this issue, and it manifests as a critical security issue in that context.

Parameter manipulation allows the forging of signed SAML messages

A number of vulnerabilities in the OpenSAML library used by the Shibboleth Service Provider allowed for creative manipulation of parameters combined with reuse of the contents of older requests to fool the library's signature verification of non-XML based signed messages.

Most uses of that feature involve very low or low impact use cases without critical security implications; however, there are two scenarios that are much more critical, one affecting the SP and one affecting some implementers who have implemented their own code on top of our OpenSAML library and done so improperly.

The SP's support for the HTTP-POST-SimpleSign SAML binding for Single Sign-On responses is its critical vulnerability, and it is enabled by default (regardless of what one's published SAML metadata may advertise).

The other critical case involves a mistake that does *not* impact the Shibboleth SP, allowing SSO to occur over the HTTP-Redirect binding contrary to the plain language of the SAML Browser SSO profile. The SP does not support this, but other implementers may have done so.

Prior to updating, it is possible to mitigate the POST-SimpleSign vulnerability by editing the protocols.xml configuration file and removing this line:

<Binding id="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" path="/SAML2/POST-SimpleSign"/>


Tenable has extracted the preceding description block directly from the FreeBSD security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
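The interim mitigation above is a hand edit of protocols.xml. The following script is an added example (not part of the Shibboleth advisory, the FreeBSD port, or the Nessus plugin) that audits a protocols.xml for the HTTP-POST-SimpleSign Binding and removes it with a backup, so the change can be applied and verified across a fleet of SPs before the opensaml package update lands. The embedded protocols.xml is constructed for the demo; the default namespace urn:mace:shibboleth:3.0:protocols and the element layout are assumptions about a stock SP 3.x configuration, and the code tolerates files with or without that namespace.

```python
import shutil
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Binding id quoted in the advisory as the one to remove from protocols.xml.
SIMPLESIGN_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"

# Constructed sample resembling a default Shibboleth SP protocols.xml
# (assumption: the namespace and surrounding elements match a stock SP 3.x file).
SAMPLE_PROTOCOLS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Protocols xmlns="urn:mace:shibboleth:3.0:protocols">
  <Protocol id="SAML2">
    <Service type="SSO">
      <Binding id="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" path="/SAML2/POST"/>
      <Binding id="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" path="/SAML2/POST-SimpleSign"/>
      <Binding id="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" path="/SAML2/Artifact"/>
    </Service>
  </Protocol>
</Protocols>
"""


def _local(tag):
    """Strip a Clark-notation namespace ('{uri}Binding' -> 'Binding')."""
    return tag.rsplit("}", 1)[-1]


def find_simplesign_bindings(root):
    """Return (parent, element) pairs for every Binding whose id is SimpleSign."""
    hits = []
    for parent in root.iter():
        for child in list(parent):
            if _local(child.tag) == "Binding" and child.get("id") == SIMPLESIGN_BINDING:
                hits.append((parent, child))
    return hits


def simplesign_enabled_text(xml_text):
    """True if the given protocols.xml content still enables SimpleSign."""
    return bool(find_simplesign_bindings(ET.fromstring(xml_text)))


def simplesign_enabled(path):
    """True if the protocols.xml at `path` still enables SimpleSign."""
    return bool(find_simplesign_bindings(ET.parse(path).getroot()))


def disable_simplesign(path, backup=True):
    """Remove every SimpleSign Binding element from `path`; return the count removed.

    Writes <path>.bak first when backup=True. Note that ElementTree drops XML
    comments on rewrite, so diff the result against the backup before reloading shibd.
    """
    path = Path(path)
    tree = ET.parse(path)
    root = tree.getroot()
    hits = find_simplesign_bindings(root)
    if not hits:
        return 0
    if backup:
        shutil.copy2(path, path.with_suffix(path.suffix + ".bak"))
    for parent, child in hits:
        parent.remove(child)
    # Preserve the file's default namespace instead of emitting ns0: prefixes.
    if root.tag.startswith("{"):
        ET.register_namespace("", root.tag[1:].split("}", 1)[0])
    tree.write(path, encoding="UTF-8", xml_declaration=True)
    return len(hits)


def remaining_binding_ids(path):
    """List the Binding ids left in the file, for a post-change sanity check."""
    return [e.get("id") for e in ET.parse(path).getroot().iter() if _local(e.tag) == "Binding"]


def run_demo():
    """Apply the mitigation to the constructed sample in a temp dir and report."""
    with tempfile.TemporaryDirectory() as d:
        p = Path(d) / "protocols.xml"
        p.write_text(SAMPLE_PROTOCOLS_XML, encoding="utf-8")
        before = simplesign_enabled(p)
        removed = disable_simplesign(p)
        return {
            "before": before,
            "removed": removed,
            "after": simplesign_enabled(p),
            "remaining": remaining_binding_ids(p),
            "backup": p.with_suffix(".xml.bak").exists(),
        }


if __name__ == "__main__":
    print(run_demo())
```

For a real host, call `simplesign_enabled("/usr/local/etc/shibboleth/protocols.xml")` to audit and `disable_simplesign(...)` to mitigate (the path is the usual FreeBSD port location, an assumption here), then restart shibd. This is an interim step only; the advisory's fix is the updated opensaml package, and an SP whose metadata never advertised SimpleSign is still exposed until the binding is removed or the package is updated.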

Solution

Update the affected packages.

See Also

https://shibboleth.net/community/advisories/secadv_20250313.txt

http://www.nessus.org/u?33981f8f

Plugin Details

Severity: High

ID: 232723

File Name: freebsd_pkg_0b43fac4005d11f0a5406cc21735f730.nasl

Version: 1.2

Type: local

Published: 3/14/2025

Updated: 3/15/2025

Supported Sensors: Nessus

Vulnerability Information

CPE: cpe:/o:freebsd:freebsd, p-cpe:/a:freebsd:freebsd:opensaml

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Exploit Ease: No known exploits are available

Patch Publication Date: 3/13/2025

Vulnerability Publication Date: 3/13/2025