ADVISORY: Update for Shibboleth Service Providers

Tuesday, June 13, 2023

This message was sent to U-M IT groups on Tuesday, 6/13/2023. It is intended for Shibboleth Service Providers (SPs).

Summary

The XMLTooling library in OpenSAML and Shibboleth Service Provider software contains a server-side request forgery (SSRF) vulnerability. Update to version 3.2.4 or later of the XMLTooling library to fix the vulnerability.

Problem

A vulnerability in the XMLTooling library in OpenSAML and Shibboleth Service Provider software could allow for denial of service attacks on Service Providers.

Threats

As of the time of this notification, we are not yet aware of any active exploitation of this vulnerability and we are not aware of the availability of any exploit code. If this changes, that will increase the urgency of addressing this issue.

Affected Versions

All versions of the XMLTooling software prior to version 3.2.4.

Action Items

Update to v3.2.4 or later of the XMLTooling library. The xmltooling git commit containing the fix for this issue is 6080f6343f98fec085bc0fd746913ee418cc9d3.

Note that on Linux and similar platforms, upgrading this component will require restarting the shibd process to correct the bug.

Technical Details

Including certain content in the KeyInfo element defined by the XML Signature standard will result in attempts by the SP's shibd process to dereference untrusted URLs.

While the content of the URL must be supplied within the message and does not include any SP internal state or dynamic content, there is at minimum a risk of denial of service, and the attack could be combined with others to create more serious vulnerabilities in the future.

How We Protect U-M

ITS provides CrowdStrike Falcon to units, which should be installed on all U-M owned systems (Windows, macOS, and Linux operating systems, whether workstations or servers). Falcon administrators in ITS and in U-M units use the Falcon console to investigate and remediate issues. Although CrowdStrike Falcon is not designed to prevent denial of service attacks, it does provide significant protection against other types of malicious activities that could result if threat actors are able to use a vulnerability for remote code execution.

Information for Users

In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Suspicious Email, Secure Your Devices, and Secure Your Internet Connection on the U-M Safe Computing website.

Questions, Concerns, Reports

Please contact ITS Information Assurance through the ITS Service Center.