Bug 1194832 (CVE-2015-0277)

Summary: CVE-2015-0277 PicketLink: SP does not take Audience condition of a SAML assertion into account
Product: [Other] Security Response Reporter: Chess Hazlett <chazlett>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: cdewolf, dandread, darran.lofthouse, jason.greene, jawilson, kkhan, lgao, myarboro, pgier, psilva, pskopek, pslavice, rsvoboda, security-response-team, twalsh, vtunka
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
A flaw was found in the way PicketLink's Service Provider and Identity Provider handled certain requests. A remote attacker could use this flaw to log to a victim's account via PicketLink.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 02:39:00 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1194840, 1194841    
Bug Blocks: 1194821, 1212496    

Description Chess Hazlett 2015-02-20 21:08:12 UTC 
flaw 1: in case a PicketLink Service Provider is accessed with assertion with AudienceRestriction element in Conditions element, and Audience elements contains only URIs of parties the SP is not a member of, SP consider such assertion to be valid. However according to SAML2 specification: the audience restriction condition evaluates to Valid if and only if the SAML relying party is a member of one or more of the audiences specified.
Lets have service providers SP1 and SP2, and an identity provider IdP. SP1 and SP2 uses IdP for authentication. Because of the bug, an assertion intended for SP1 could be misused to login to SP2 -- in case an attacker catches the assertion, he could log in not only to SP1 but also to SP2.

flaw 2: In case a PicketLink SP is accessed with assertion with a Destination attribute in Response element, and the Destination attribute is set to any URI, SP never discards response. However according to SAML2 specification, If it is present, the actual recipient MUST check that the URI reference identifies the location at which the massage was received. If it does not, the response MUST be discarded.
Comment 2 JBoss JIRA Server 2015-02-23 15:41:05 UTC 
Pedro Igor <pigor.craveiro> updated the status of jira PLINK-680 to Resolved
Comment 3 Pedro Igor 2015-02-23 15:44:14 UTC 
Fixed in commits:

# Audience validation
http://git.app.eng.bos.redhat.com/git/picketlink25.git/commit/?h=eap-6.x&id=f89de9cc28f73e1f99d27582a64cae0f82430410
http://git.app.eng.bos.redhat.com/git/picketlink-bindings-25.git/commit/?h=eap-6.x&id=a449a83438f4d8d52c3c901908aec14233f04a16

# Destination validation
http://git.app.eng.bos.redhat.com/git/picketlink25.git/commit/?h=eap-6.x&id=7b10ea2d3385804c69b672032510609831d12aad
http://git.app.eng.bos.redhat.com/git/picketlink-bindings-25.git/commit/?h=eap-6.x&id=8172cc0d4986a5dc2d3a236704b3fcced6249cee
Comment 5 Martin Prpič 2015-04-16 09:20:16 UTC 
Acknowledgement:

This issue was discovered by Ondrej Kotek of Red Hat.
Comment 6 errata-xmlrpc 2015-04-16 15:39:52 UTC 
This issue has been addressed in the following products:

  JBoss Enterprise Application Platform 6.4.0

Via RHSA-2015:0849 https://rhn.redhat.com/errata/RHSA-2015-0849.html
Comment 7 errata-xmlrpc 2015-04-16 16:30:14 UTC 
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 6

Via RHSA-2015:0847 https://rhn.redhat.com/errata/RHSA-2015-0847.html
Comment 8 errata-xmlrpc 2015-04-16 16:32:40 UTC 
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 5

Via RHSA-2015:0846 https://rhn.redhat.com/errata/RHSA-2015-0846.html
Comment 9 errata-xmlrpc 2015-04-16 16:35:14 UTC 
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 7

Via RHSA-2015:0848 https://rhn.redhat.com/errata/RHSA-2015-0848.html