FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

shibboleth-sp -- vulnerable to forged user attribute data

Affected packages
xmltooling < 1.6.3
xerces-c3 < 3.1.4

Details

VuXML ID 3dbe9492-f7b8-11e7-a12d-6cc21735f730
Discovery 2018-01-12
Entry 2018-01-12

Shibboleth consortium reports:

Shibboleth SP software vulnerable to forged user attribute data

The Service Provider software relies on a generic XML parser to process SAML responses and there are limitations in older versions of the parser that make it impossible to fully disable Document Type Definition (DTD) processing.

Through addition/manipulation of a DTD, it's possible to make changes to an XML document that do not break a digital signature but are mishandled by the SP and its libraries. These manipulations can alter the user data passed through to applications behind the SP and result in impersonation attacks and exposure of protected information.

While newer versions of the xerces-c3 parser are configured by the SP to disallow the use of a DTD via an environment variable, this feature is not present in the xerces-c3 parser before version 3.1.4, so an additional fix is being provided now that an actual DTD exploit has been identified. Xerces-c3-3.1.4 was committed to the ports tree already on 2016-07-26.
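As an added illustration of the mitigation the advisory points to (this is example code, not code from the Shibboleth SP or the VuXML entry), the following Python snippet refuses any SAML message that declares a DTD before the message is parsed or its attributes are read, so no entity is ever expanded into user data. The sample assertion bytes are constructed for the example and carry no signature.

```python
import xml.parsers.expat
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


class DtdNotAllowed(ValueError):
    """Raised when an XML document carries a DOCTYPE or entity declaration."""


def assert_no_dtd(xml_bytes: bytes) -> None:
    """Abort before any entity is expanded if the document declares a DTD.
    The check is parser-based (expat DOCTYPE/entity callbacks) rather than a
    string search, so an oddly encoded prolog cannot slip past it."""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdNotAllowed(f"DOCTYPE '{name}' is not permitted in a SAML message")

    def on_entity_decl(*_args):
        raise DtdNotAllowed("entity declarations are not permitted in a SAML message")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.Parse(xml_bytes, True)


def parse_saml_attributes(xml_bytes: bytes) -> dict:
    """Return {attribute name: [values]} from an Assertion, refusing any DTD first."""
    assert_no_dtd(xml_bytes)
    root = ET.fromstring(xml_bytes)
    attrs = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        values = [v.text or "" for v in attr.findall(f"{{{SAML_NS}}}AttributeValue")]
        attrs[attr.get("Name")] = values
    return attrs


# Constructed sample assertion (not a real IdP message); signature omitted.
CLEAN_ASSERTION = (
    b'<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    b'<saml:AttributeStatement><saml:Attribute Name="uid">'
    b'<saml:AttributeValue>alice</saml:AttributeValue>'
    b'</saml:Attribute></saml:AttributeStatement></saml:Assertion>'
)

# The same document with a DOCTYPE prepended; the SP-side check must refuse it.
ASSERTION_WITH_DTD = b'<!DOCTYPE Assertion [<!ENTITY who "alice">]>' + CLEAN_ASSERTION

if __name__ == "__main__":
    print(parse_saml_attributes(CLEAN_ASSERTION))  # {'uid': ['alice']}
    try:
        parse_saml_attributes(ASSERTION_WITH_DTD)
    except DtdNotAllowed as exc:
        print("rejected:", exc)
```

Rejecting at the DOCTYPE callback is the equivalent of the "no DTD at all" posture the fixed parser versions give the SP; it is deliberately stricter than validating the DTD's contents.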

References

CVE Name CVE-2018-0486
URL https://shibboleth.net/community/advisories/secadv_20180112.txt