Bug 1194832 (CVE-2015-0277) - CVE-2015-0277 PicketLink: SP does not take Audience condition of a SAML assertion into account
Summary: CVE-2015-0277 PicketLink: SP does not take Audience condition of a SAML asser...
Status: CLOSED ERRATA
Alias: CVE-2015-0277
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=important,public=20150414,repo...
Keywords: Security
Depends On: 1194840 1194841
Blocks: 1194821 1212496
TreeView+ depends on / blocked
 
Reported: 2015-02-20 21:08 UTC by Chess Hazlett
Modified: 2019-06-11 11:13 UTC (History)
16 users (show)

(edit)
A flaw was found in the way PicketLink's Service Provider and Identity Provider handled certain requests. A remote attacker could use this flaw to log to a victim's account via PicketLink.
Clone Of:
(edit)
Last Closed: 2019-06-08 02:39:00 UTC


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
JBoss Issue Tracker PLINK-678 Major Resolved SP does not take Audience condition of a SAML assertion into account 2018-10-18 19:29 UTC
JBoss Issue Tracker PLINK-680 Major Resolved IdP and SP must validate destination in requests and responses 2018-10-18 19:29 UTC
Red Hat Product Errata RHSA-2015:0846 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 6.4.0 update 2015-04-16 20:17:12 UTC
Red Hat Product Errata RHSA-2015:0847 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 6.4.0 update 2015-04-16 20:13:53 UTC
Red Hat Product Errata RHSA-2015:0848 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 6.4.0 update 2015-04-16 20:26:01 UTC
Red Hat Product Errata RHSA-2015:0849 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 6.4.0 update 2015-04-16 19:39:06 UTC

Description Chess Hazlett 2015-02-20 21:08:12 UTC
flaw 1: in case a PicketLink Service Provider is accessed with assertion with AudienceRestriction element in Conditions element, and Audience elements contains only URIs of parties the SP is not a member of, SP consider such assertion to be valid. However according to SAML2 specification: the audience restriction condition evaluates to Valid if and only if the SAML relying party is a member of one or more of the audiences specified.
Lets have service providers SP1 and SP2, and an identity provider IdP. SP1 and SP2 uses IdP for authentication. Because of the bug, an assertion intended for SP1 could be misused to login to SP2 -- in case an attacker catches the assertion, he could log in not only to SP1 but also to SP2.

flaw 2: In case a PicketLink SP is accessed with assertion with a Destination attribute in Response element, and the Destination attribute is set to any URI, SP never discards response. However according to SAML2 specification, If it is present, the actual recipient MUST check that the URI reference identifies the location at which the massage was received. If it does not, the response MUST be discarded.

Comment 2 JBoss JIRA Server 2015-02-23 15:41:05 UTC
Pedro Igor <pigor.craveiro@gmail.com> updated the status of jira PLINK-680 to Resolved

Comment 5 Martin Prpič 2015-04-16 09:20:16 UTC
Acknowledgement:

This issue was discovered by Ondrej Kotek of Red Hat.

Comment 6 errata-xmlrpc 2015-04-16 15:39:52 UTC
This issue has been addressed in the following products:

  JBoss Enterprise Application Platform 6.4.0

Via RHSA-2015:0849 https://rhn.redhat.com/errata/RHSA-2015-0849.html

Comment 7 errata-xmlrpc 2015-04-16 16:30:14 UTC
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 6

Via RHSA-2015:0847 https://rhn.redhat.com/errata/RHSA-2015-0847.html

Comment 8 errata-xmlrpc 2015-04-16 16:32:40 UTC
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 5

Via RHSA-2015:0846 https://rhn.redhat.com/errata/RHSA-2015-0846.html

Comment 9 errata-xmlrpc 2015-04-16 16:35:14 UTC
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 7

Via RHSA-2015:0848 https://rhn.redhat.com/errata/RHSA-2015-0848.html


Note You need to log in before you can comment on or make changes to this bug.