Bug 1081288 (CVE-2014-2684, CVE-2014-2685) - CVE-2014-2684 CVE-2014-2685 php-ZendFramework: OpenID identity provider could be used to spoof other identity providers (ZF2014-02)
Summary: CVE-2014-2684 CVE-2014-2685 php-ZendFramework: OpenID identity provider could...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2014-2684, CVE-2014-2685
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1081294 1081295
Blocks: 1081297
TreeView+ depends on / blocked
 
Reported: 2014-03-27 02:05 UTC by Murray McAllister
Modified: 2021-02-17 06:44 UTC (History)
3 users (show)

Fixed In Version: Zend Framework 1.12.4
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-05-30 03:34:06 UTC
Embargoed:

Attachments (Terms of Use)

Description Murray McAllister 2014-03-27 02:05:25 UTC 
From the ZF2014-02 advisory:

"Using the Consumer component of ZendOpenId (or Zend_OpenId in ZF1), it is possible to login using an arbitrary OpenID account (without knowing any secret information) by using a malicious OpenID Provider. That means OpenID it is possible to login using arbitrary OpenID Identity (MyOpenID, Google, etc), which are not under the control of our own OpenID Provider. Thus, we are able to impersonate any OpenID Identity against the framework.

Moreover, the Consumer accepts OpenID tokens with arbitrary signed elements. The framework does not check if, for example, both openid.claimed_id and openid.endpoint_url are signed. It is just sufficient to sign one parameter. According to https://openid.net/specs/openid-authentication-2_0.html#positive_assertions, at least op_endpoint, return_to, response_nonce, assoc_handle, and, if present in the response, claimed_id and identity, must be signed."

This issue has been fixed in version 1.12.4.

External References:

http://framework.zend.com/security/advisory/ZF2014-02
Comment 1 Murray McAllister 2014-03-27 02:07:47 UTC 
Created php-ZendFramework tracking bugs for this issue:

Affects: fedora-all [bug 1081294]
Affects: epel-6 [bug 1081295]
Comment 2 Murray McAllister 2014-03-27 02:18:52 UTC 
CVE request: http://www.openwall.com/lists/oss-security/2014/03/27/1
Comment 3 Murray McAllister 2014-04-01 06:39:29 UTC 
MITRE assigned two CVEs. Quoting from http://seclists.org/oss-sec/2014/q2/0

""
CVE-2014-2684 - This CVE is for the error in the consumer's verify
method that leads to acceptance of wrongly sourced tokens. The same
CVE is used for Zend Framework 1.x and ZendOpenId 2.x, even though the
code is not identical.

CVE-2014-2685 - This CVE is for the specification violation in which
signing of a single parameter is incorrectly considered sufficient.
Again, this CVE is for both Zend Framework 1.x and ZendOpenId 2.x.
""
Comment 4 Fedora Update System 2014-04-14 22:34:55 UTC 
php-ZendFramework-1.12.5-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 5 Fedora Update System 2014-04-14 22:36:06 UTC 
php-ZendFramework-1.12.5-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2014-04-14 22:40:48 UTC 
php-ZendFramework2-2.2.6-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2014-04-14 22:45:40 UTC 
php-ZendFramework2-2.2.6-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2014-04-22 19:57:21 UTC 
php-ZendFramework2-2.2.6-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.