Shibboleth Service Provider Security Advisory [Updated 18 June 2006]

Updated versions of the Shibboleth 1.3 and 1.2.1 Service Provider software are now available which correct a security issue. This is a MAJOR security issue, and deployers are urged to review the information below and upgrade their installations as soon as possible. Critical applications that may be vulnerable should be taken offline until the upgrade is performed.

Shibboleth SP software vulnerable to header spoofing
====================================================

Shibboleth publishes user attributes associated with authenticated sessions into HTTP request headers, based on header names defined in Attribute Acceptance Policy files. These headers are transformed into CGI environment variables based on mapping rules defined by the CGI specification. The mapping between headers and CGI variables is not exact, and there are multiple header names that can map to the same variable. Different web servers also handle multiple headers, and headers that differ only by case or punctuation, in unspecified ways.

The code in Shibboleth that is designed to clear out the potential headers that could contain authentication and attribute information does not adequately guard against all the possible ways that a header name could be transformed into a given CGI variable. This means that a client could supply a spoofed header with the right name and fool an application into believing that the header was set by the Shibboleth software.

The problem is most acute when using the "lazy session" feature, because even headers that the software always sets can be spoofed, but the problem can easily affect even standard deployments.

All versions of Shibboleth are vulnerable to this issue. Experiments suggest that Microsoft IIS deployments are not as vulnerable as Apache or Sun/iPlanet servers, and the issue is not considered critical for IIS applications. However, the problem is complex.
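The collision the advisory describes, as an added illustration that is not Shibboleth SP code: a small Python model of the header-to-CGI-variable mapping, the exact-name clearing that is insufficient, and a hardened clearing that compares names after mapping them the way the web server would. The header names and the client request are constructed for this example, not taken from any Attribute Acceptance Policy.

```python
import re
from typing import Dict, List

# Constructed header names in the style of those the SP publishes into the request.
SP_HEADERS: List[str] = ["Shib-Application-ID", "Shib-Identity-Provider", "Shib-EP-Affiliation"]

# Constructed client request: two names differ from the SP's names in case or
# punctuation only, yet become the same CGI variables as protected headers.
CLIENT_REQUEST: Dict[str, str] = {
    "Host": "sp.example.org",
    "User-Agent": "constructed/1.0",
    "shib_ep_affiliation": "staff@example.org",
    "Shib.Identity.Provider": "https://idp.example.org/shibboleth",
}


def cgi_variable_name(header: str) -> str:
    """Collision key for a header name: the CGI meta-variable it becomes.

    RFC 3875 upper-cases the name, turns '-' into '_' and prefixes HTTP_.
    Servers may map other punctuation the same way, so every non-alphanumeric
    character is treated as '_' here to stay on the conservative side.
    """
    return "HTTP_" + re.sub(r"[^A-Za-z0-9]", "_", header).upper()


def clear_exact(headers: Dict[str, str], protected: List[str]) -> Dict[str, str]:
    """Exact-name clearing, the inadequate guard the advisory describes:
    only a header whose name matches a protected name byte for byte is dropped."""
    return {k: v for k, v in headers.items() if k not in protected}


def clear_by_cgi_name(headers: Dict[str, str], protected: List[str]) -> Dict[str, str]:
    """Hardened clearing: drop every client header whose CGI variable name
    collides with that of a protected header, whatever its spelling."""
    blocked = {cgi_variable_name(p) for p in protected}
    return {k: v for k, v in headers.items() if cgi_variable_name(k) not in blocked}


def colliding_headers(headers: Dict[str, str], protected: List[str]) -> Dict[str, str]:
    """For logging or alerting: map each offending client header to the
    protected header it would impersonate once both become CGI variables."""
    by_key = {cgi_variable_name(p): p for p in protected}
    return {k: by_key[cgi_variable_name(k)] for k in headers if cgi_variable_name(k) in by_key}


if __name__ == "__main__":
    print("exact clearing leaves:", sorted(clear_exact(CLIENT_REQUEST, SP_HEADERS)))
    print("CGI-name clearing leaves:", sorted(clear_by_cgi_name(CLIENT_REQUEST, SP_HEADERS)))
    print("collisions:", colliding_headers(CLIENT_REQUEST, SP_HEADERS))
```

The same normalisation can be applied on the application side as a defence in depth: trust an attribute only when its CGI variable name cannot have been reached from a client-supplied header.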
Rather than attempt to fully define the issues here, a wiki topic has been created to collect information regarding the bug and to outline potentially vulnerable scenarios both before and after patching the problem. Please refer to this location for more details after patching your system:

https://spaces.internet2.edu/display/SHIB/SpoofingBug

Recommendations
---------------

All sites using 1.3 should upgrade to the latest patched release, 1.3e.

All sites using 1.2.1 should upgrade to the latest patched release, 1.2.1c.

SP deployments running earlier versions of Shibboleth are urged to upgrade to version 1.3e, or to contact the Shibboleth team for assistance.

For users running Windows, a new package and post-install set for version 1.3e has been created and is available at the download site. New RPMs (1.3-10) have been created for all supported platforms, and updated Solaris packages and Mac binaries are also available.

http://shibboleth.internet2.edu/latest.html

A source patch is available for version 1.2.1, the last supported version prior to 1.3. The updated source distribution, 1.2.1c, is here:

http://shibboleth.internet2.edu/downloads/archive/shibboleth-sp-1.2.1c.tar.gz

Credits
-------

Thanks to Nicolas Rod for reporting this problem. Also thanks to Velpi, Lukas Haemmerle, and especially Peter Watkins for assisting with revealing the bug and discussing fixes.

URL for this Security Advisory: http://shibboleth.internet2.edu/secadv/secadv_20060615.txt