Bug 1081288 (CVE-2014-2684, CVE-2014-2685)

Summary: CVE-2014-2684 CVE-2014-2685 php-ZendFramework: OpenID identity provider could be used to spoof other identity providers (ZF2014-02)
Product: [Other] Security Response Reporter: Murray McAllister <mmcallis>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: fedora, felix, vdanen
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Zend Framework 1.12.4 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-05-30 03:34:06 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1081294, 1081295    
Bug Blocks: 1081297    

Description Murray McAllister 2014-03-27 02:05:25 UTC 
From the ZF2014-02 advisory:

"Using the Consumer component of ZendOpenId (or Zend_OpenId in ZF1), it is possible to login using an arbitrary OpenID account (without knowing any secret information) by using a malicious OpenID Provider. That means OpenID it is possible to login using arbitrary OpenID Identity (MyOpenID, Google, etc), which are not under the control of our own OpenID Provider. Thus, we are able to impersonate any OpenID Identity against the framework.

Moreover, the Consumer accepts OpenID tokens with arbitrary signed elements. The framework does not check if, for example, both openid.claimed_id and openid.endpoint_url are signed. It is just sufficient to sign one parameter. According to https://openid.net/specs/openid-authentication-2_0.html#positive_assertions, at least op_endpoint, return_to, response_nonce, assoc_handle, and, if present in the response, claimed_id and identity, must be signed."

This issue has been fixed in version 1.12.4.

External References:

http://framework.zend.com/security/advisory/ZF2014-02
Comment 1 Murray McAllister 2014-03-27 02:07:47 UTC 
Created php-ZendFramework tracking bugs for this issue:

Affects: fedora-all [bug 1081294]
Affects: epel-6 [bug 1081295]
Comment 2 Murray McAllister 2014-03-27 02:18:52 UTC 
CVE request: http://www.openwall.com/lists/oss-security/2014/03/27/1
Comment 3 Murray McAllister 2014-04-01 06:39:29 UTC 
MITRE assigned two CVEs. Quoting from http://seclists.org/oss-sec/2014/q2/0

""
CVE-2014-2684 - This CVE is for the error in the consumer's verify
method that leads to acceptance of wrongly sourced tokens. The same
CVE is used for Zend Framework 1.x and ZendOpenId 2.x, even though the
code is not identical.

CVE-2014-2685 - This CVE is for the specification violation in which
signing of a single parameter is incorrectly considered sufficient.
Again, this CVE is for both Zend Framework 1.x and ZendOpenId 2.x.
""
Comment 4 Fedora Update System 2014-04-14 22:34:55 UTC 
php-ZendFramework-1.12.5-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 5 Fedora Update System 2014-04-14 22:36:06 UTC 
php-ZendFramework-1.12.5-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2014-04-14 22:40:48 UTC 
php-ZendFramework2-2.2.6-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2014-04-14 22:45:40 UTC 
php-ZendFramework2-2.2.6-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2014-04-22 19:57:21 UTC 
php-ZendFramework2-2.2.6-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.