Apache CXF Authentication bypass in the case of WS-SecurityPolicy

2013.02.11
Credit: Apache
Risk: High
Local: No
Remote: Yes
CVE: CVE-2013-0239
CWE: N/A


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

CVE-2013-0239: Authentication bypass in the case of WS-SecurityPolicy enabled plaintext UsernameTokens. Severity: Critical Vendor: The Apache Software Foundation Versions Affected: This vulnerability affects all versions of Apache CXF prior to 2.5.9, 2.6.6 and 2.7.3. Description: The following WS-SecurityPolicy 1.3 fragment requires that a WS-Security UsernameToken must be present in the security header of a SOAP request: <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient"> <wsp:Policy> <sp:WssUsernameToken10/> </wsp:Policy> </sp:UsernameToken> If a UsernameToken element is sent with no password child element, then a policy similar to the policy defined above will completely bypass authentication by default. This is due to the use-case of supporting deriving keys from a UsernameToken, where a password element would not be sent in the token. The vulnerability does not apply in any of the following circumstances: a) You are using a custom UsernameTokenValidator which does not allow the 'verifyUnknownPassword' use-case, or that otherwise insists that a password must be present in the token (such as the 'JAASUsernameTokenValidator' in WSS4J). b) You are using a 'sp:HashPassword' policy that requires a hashed password to be present in the token. c) You are using the older style of configuring WS-Security without using WS-SecurityPolicy. If you are relying on WS-SecurityPolicy enabled plaintext UsernameTokens to authenticate users, and if neither points a) nor b) apply, then you must upgrade to a fixed version of CXF (see below), or else configure a custom UsernameTokenValidator implementation to insist that a password element must be present. The fix has been to require a password element in the case of a (non-endorsing) SupportingToken. This has been fixed in revisions: http://svn.apache.org/viewvc?view=revision&revision=1438424 Migration: Users of CXF prior to 2.5.x should upgrade to either 2.5.9, 2.6.6, or 2.7.3. CXF 2.5.x users should upgrade to 2.5.9 as soon as possible. CXF 2.6.x users should upgrade to 2.6.6 as soon as possible. CXF 2.7.x users should upgrade to 2.7.3 as soon as possible. References: http://cxf.apache.org/security-advisories.html

References:

http://cxf.apache.org/security-advisories.html
http://svn.apache.org/viewvc?view=revision&revision=1438424


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top