Bug 46755

Summary: simplesamlphp: Multiple Issues (4.1)
Product: UCS
Reporter: Arvid Requate <requate>
Component: Security updates
Assignee: Arvid Requate <requate>
Status: CLOSED FIXED
QA Contact: Erik Damrose <damrose>
Severity: critical
Priority: P5
CC: damrose, hahn, requate
Version: UCS 4.1
Flags: requate: Patch_Available+
Target Milestone: UCS 4.1-5-errata
Hardware: All
OS: Linux
URL: https://www.debian.org/security/2018/dsa-4127
What kind of report is it?: Security Issue
Max CVSS v3 score: 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) NVD
Bug Blocks: 46480

Description Arvid Requate univentionstaff 2018-03-28 15:30:59 CEST
UCS-4.1 uses a version of simplesamlphp (1.13.2) that is close to the version maintained in Debian Jessie:

Upstream Debian package version 1.13.1-2+deb8u1 provides patches for:

CVE-2017-12867  5.9     The SimpleSAML_Auth_TimeLimitedToken class in SimpleSAMLphp 1.14.14 and earlier allows attackers with access to a secret token to extend its validity period by manipulating the prepended time offset.
CVE-2017-12869  7.5     The multiauth module in SimpleSAMLphp 1.14.13 and earlier allows remote attackers to bypass authentication context restrictions and use an authentication source defined in config/authsources.php via vectors related to improper validation of user input.
CVE-2017-12873  9.8     SimpleSAMLphp 1.7.0 through 1.14.10 might allow attackers to obtain sensitive information, gain unauthorized access, or have unspecified other impacts by leveraging incorrect persistent NameID generation when an Identity Provider (IdP) is misconfigured.
CVE-2017-12874  7.5     The InfoCard module 1.0 for SimpleSAMLphp allows attackers to spoof XML messages by leveraging an incorrect check of return values in signature validation utilities.
CVE-2017-18121  6.1     The consentAdmin module in SimpleSAMLphp through 1.14.15 is vulnerable to a Cross-Site Scripting attack, allowing an attacker to craft links that could execute arbitrary JavaScript code on the victim's web browser.
CVE-2017-18122  8.1     A signature-validation bypass issue was discovered in SimpleSAMLphp through 1.14.16. A SimpleSAMLphp Service Provider using SAML 1.1 will regard as valid any unsigned SAML response containing more than one signed assertion, provided that the signature of at least one of the assertions is valid. Attributes contained in all the assertions received will be merged and the entityID of the first assertion received will be used, allowing an attacker to impersonate any user of any IdP given an assertion signed by the targeted IdP.
CVE-2018-6519   7.5     The SAML2 library before 1.10.4, 2.x before 2.3.5, and 3.x before 3.1.1 in SimpleSAMLphp has a Regular Expression Denial of Service vulnerability for fraction-of-seconds data in a timestamp.
CVE-2018-6521   9.8     The sqlauth module in SimpleSAMLphp before 1.15.2 relies on the MySQL utf8 charset, which truncates queries upon encountering four-byte characters. There might be a scenario in which this allows remote attackers to bypass intended access restrictions.

and

CVE-2018-7644 7.5 Critical signature validation vulnerability.
Comment 1 Arvid Requate univentionstaff 2018-03-28 15:39:08 CEST
Package cherrypicked from UCS 4.1-0 to errata4.1-5.
Patches extracted from the Debian jessie source package and merged to the corresponding svn/patches directory.
Package built in errata4.1-5.

Advisory: simplesamlphp.yaml (text copied from Bug 46480 advisory).
Comment 2 Erik Damrose univentionstaff 2018-03-29 11:16:18 CEST
OK: patches at simplesamlphp/4.1-0-0-ucs/1.13.2-1-errata4.1-5
OK: package build included patches
OK: yaml
OK: SSO Auth to UMC
Verified
Comment 3 Philipp Hahn univentionstaff 2018-04-04 16:43:59 CEST
<http://errata.software-univention.de/ucs/4.1/501.html>