Bug 1081288 - (CVE-2014-2684, CVE-2014-2685) CVE-2014-2684 CVE-2014-2685 php-ZendFramework: OpenID identity provider could be used to spoof other identity providers (ZF2014-02)
CVE-2014-2684 CVE-2014-2685 php-ZendFramework: OpenID identity provider could...
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
impact=important,public=20140306,repo...
: Security
Depends On: 1081294 1081295
Blocks: 1081297
  Show dependency treegraph
 
Reported: 2014-03-26 22:05 EDT by Murray McAllister
Modified: 2015-01-04 17:39 EST (History)
3 users (show)

See Also:
Fixed In Version: Zend Framework 1.12.4
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-05-29 23:34:06 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Murray McAllister 2014-03-26 22:05:25 EDT
From the ZF2014-02 advisory:

"Using the Consumer component of ZendOpenId (or Zend_OpenId in ZF1), it is possible to login using an arbitrary OpenID account (without knowing any secret information) by using a malicious OpenID Provider. That means OpenID it is possible to login using arbitrary OpenID Identity (MyOpenID, Google, etc), which are not under the control of our own OpenID Provider. Thus, we are able to impersonate any OpenID Identity against the framework.

Moreover, the Consumer accepts OpenID tokens with arbitrary signed elements. The framework does not check if, for example, both openid.claimed_id and openid.endpoint_url are signed. It is just sufficient to sign one parameter. According to https://openid.net/specs/openid-authentication-2_0.html#positive_assertions, at least op_endpoint, return_to, response_nonce, assoc_handle, and, if present in the response, claimed_id and identity, must be signed."

This issue has been fixed in version 1.12.4.

External References:

http://framework.zend.com/security/advisory/ZF2014-02
Comment 1 Murray McAllister 2014-03-26 22:07:47 EDT
Created php-ZendFramework tracking bugs for this issue:

Affects: fedora-all [bug 1081294]
Affects: epel-6 [bug 1081295]
Comment 2 Murray McAllister 2014-03-26 22:18:52 EDT
CVE request: http://www.openwall.com/lists/oss-security/2014/03/27/1
Comment 3 Murray McAllister 2014-04-01 02:39:29 EDT
MITRE assigned two CVEs. Quoting from http://seclists.org/oss-sec/2014/q2/0

""
CVE-2014-2684 - This CVE is for the error in the consumer's verify
method that leads to acceptance of wrongly sourced tokens. The same
CVE is used for Zend Framework 1.x and ZendOpenId 2.x, even though the
code is not identical.

CVE-2014-2685 - This CVE is for the specification violation in which
signing of a single parameter is incorrectly considered sufficient.
Again, this CVE is for both Zend Framework 1.x and ZendOpenId 2.x.
""
Comment 4 Fedora Update System 2014-04-14 18:34:55 EDT
php-ZendFramework-1.12.5-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 5 Fedora Update System 2014-04-14 18:36:06 EDT
php-ZendFramework-1.12.5-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2014-04-14 18:40:48 EDT
php-ZendFramework2-2.2.6-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2014-04-14 18:45:40 EDT
php-ZendFramework2-2.2.6-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2014-04-22 15:57:21 EDT
php-ZendFramework2-2.2.6-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.