ALERT: Update Shibboleth SP software for critical vulnerability

Monday, March 11, 2019

This information was sent to U-M IT staff groups via email on March 11, 2019. It  is intended for U-M IT staff who are responsible for Shibboleth Service Providers (SPs), as well as U-M units or groups that run or contract for services that make use of the Shibboleth at U-M service.

Summary

There is a critical vulnerability in the Shibboleth Service Provider (SP) software that, if exploited, could allow an attacker to cause Shibboleth to crash through a denial-of-service attack. Shibboleth is widely used at U-M and at research and education communities worldwide for logging in to websites and web-based applications.

Problem

There is a critical denial-of-service vulnerability in the Shibboleth Service Provider software that could allow an attacker to cause Shibboleth to crash. Upgrade to the latest version as soon as possible after appropriate testing to fix this.

Affected Versions

This issue is not specific to the V3 XMLTooling software and is believed to impact all versions of Shibboleth SP prior to V3.0.4.

Action Items

Information Assurance (IA) recommends that you upgrade Shibboleth SPs to the latest version as soon as possible after appropriate testing. The Shibboleth Project has provided these recommendations:

  • Update to V3.0.4 or later of the XMLTooling library, which is now available.
  • The updated version of the library has been included in a V3.0.4 patch release of the Service Provider software on Windows.

See the Shibboleth site for downloads and release notes:

If your Shibboleth SP uses SAML software that is provided by a vendor:

  • Understand your vendor's vulnerability disclosure process.
  • Subscribe to the appropriate communication channels to be notified of vendor updates.
  • Run a supported, up-to-date version of the software.

Threats

If exploited, the vulnerability could be used by an attacker to cause Shibboleth SPs to crash through a denial-of-service attack. We believe that attackers could easily exploit this vulnerability to cause significant service outages.

Technical Details

Invalid data in the XML declaration causes an exception of a type that was not handled properly in the parser class and propagates an unexpected exception type. This generally manifests as a crash in the calling code, which in the Service Provider software's case is usually the shibd daemon process, but can be Apache in some cases. Note that the crash occurs prior to evaluation of a message's authenticity, so it can be exploited by an attacker.

How We Protect U-M

This communication is being sent to those across the university who maintain and contract for machines running Shibboleth SP software, including those within Information and Technology Services (ITS). IA staff members are available to consult and assist with the needed upgrade as needed. Contact the ITS Service Center.

This particular Shibboleth vulnerability was identified by IA. While doing a penetration test that a U-M unit had requested, an IA staff member noticed that the Shibboleth SP on the machine being tested had stopped working. Through further testing, he confirmed a denial-of-service vulnerability. He then built the Shibboleth SP application from source code on an ITS server, debugged it, identified the problem, and figured out how to fix it. IA then provided full details to the Shibboleth Consortium so that a patch could be prepared and released.

Information for Users

Shibboleth is federated identity management software used to provide single sign-on. It allows members of the university community to log in to university-provided cloud services, such as U-M Google and U-M Box, using their uniqname and UMICH (Level-1) password. Users do not need to do anything related to this vulnerability. Shibboleth SP software needs to be updated by system administrators.

Questions, Concerns, Reports

Questions about upgrading Shibboleth SP software can be directed to the ITS Service Center.