SiteMinder Products Using SAML Security Notice

2013.03.20
Credit: Kevin Kotas
Risk: High
Local: Yes
Remote: No
CWE: CWE-20


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

-----BEGIN PGP SIGNED MESSAGE----- CA20130319-01: Security Notice for SiteMinder products using SAML Issued: March 19, 2013 CA Technologies support is alerting customers to a potential risk with certain CA SiteMinder products that implement Security Assertion Markup Language (SAML). Multiple vulnerabilities exist that can possibly allow a remote attacker to gain additional privileges. The vulnerabilities, CVE-2013-2279, concern the verification of XML signatures on SAML statements. An attacker can perform various attacks to impersonate another user in the single sign-on system. A solution is available, see details below. Risk Rating High Platform All platforms Affected Products CA SiteMinder Federation (FSS) 12.5 CA SiteMinder Federation (FSS) 12.0 CA SiteMinder Federation (FSS) r6 CA SiteMinder Federation (Standalone)(1) 12.1 CA SiteMinder Federation (Standalone) 12.0 CA SiteMinder Agent for SharePoint 2010 CA SiteMinder for Secure Proxy Server 12.5 CA SiteMinder for Secure Proxy Server 12.0 CA SiteMinder for Secure Proxy Server 6.0 Note: (1) CA SiteMinder Federation (Standalone) was previously known as CA Federation Manager. Non-Affected Products CA SiteMinder Federation (FSS) 12.5 CR2 CA SiteMinder Federation (FSS) 12.0 SP3 CR12 CA SiteMinder Federation (FSS) r6 SP6 CR10 CA SiteMinder Federation (Standalone) 12.5 CA SiteMinder for Secure Proxy Server 12.5 CR2 CA SiteMinder Agent for SharePoint 2010 SP1 CA SiteMinder Web Access Manager, all releases when not using Federation capabilities How to determine if the installation is affected Check the Web Agent log or Installation log to obtain the installed release version. Note that the "webagent.log" file name is configurable by the SiteMinder administrator. If the version is prior to the fixed release indicated in the Solution section, then the installation is vulnerable. Products may be subject to this vulnerability when used with SAML 1.1, SAML 2.0, and WS-Federation protocols. For more details on potential mitigations, please see the Workaround section below. Solution CA Technologies issued the following updates to address the vulnerability. Updates are available through the Download Center on the CA Technologies support.ca.com website. Affected Release Remediated Release CA SiteMinder Federation (FSS) 12.5 CA SiteMinder Federation (FSS) 12.5 CR2 CA SiteMinder Federation (FSS) 12.0 CA SiteMinder Federation (FSS) 12.0 SP3 CR12 CA SiteMinder Federation (FSS) r6 CA SiteMinder Federation (FSS) r6 SP6 CR10 CA SiteMinder Federation (Standalone) 12.1 CA SiteMinder Federation (Standalone) 12.5 CA SiteMinder Federation (Standalone) 12.0 CA SiteMinder Federation (Standalone) 12.5 CA SiteMinder Agent for SharePoint 2010 CA SiteMinder Agent for SharePoint 2010 12.5.1 CA SiteMinder for Secure Proxy Server 12.5 CA SiteMinder for Secure Proxy Server 12.5 CR2 CA SiteMinder for Secure Proxy Server 12.0 CA SiteMinder for Secure Proxy Server 12.5 CR2 CA SiteMinder for Secure Proxy Server 6.0 CA SiteMinder for Secure Proxy Server 12.5 CR2 As the fix introduces additional checks on the validity of assertions and other signed XML messages, it is possible, although unlikely, that an existing partner may send assertions that fail the validity check. If this happens, we recommend that you have the partner fix the issue. If this is not possible, and you are willing to accept the risk of disabling enhanced signature validation, you can do the following: 1. Navigate to the xsw.properties file in one of the following locations: *If you see the error message in the smtracedefault.log file, go to fed_mgr_home/siteminder/config/properties *If you see the error message in the fwstrace.log, go to fed_mgr_home/secure-proxy/tomcat/webapps/affwebservices/web-INF/classes 2. Add the following settings to the xsw.properties file, and set each one to true. DisableXSWCheck=true This disables the signature vulnerability checks, and only applies on the policy server. DisableUniqueIDCheck=true This disables the duplicate ID check, and applies to both locations. This change should be made in both locations. Workaround Please note that SAML 1.1 and SAML 2.0 artifact transactions are not affected, as SSL transport layer security is used to protect the contents of the assertion. To reduce exposure when SAML 1.1 and SAML 2.0 POST are used, please ensure that assertions are both signed and encrypted, *and* the key used for signing the assertion has not been used to merely sign anything else that is publicly available (for example metadata). In that configuration, the assertions should not be vulnerable, as the encryption hides the signed block, and a potential attacker cannot get a valid signed XML block to use in the substitution attack. Given the difficulty in determining whether or not your signatures have been compromised we strongly recommend upgrading to address the vulnerability. References CVE-2013-2279 "On Breaking SAML: Be Whoever You Want to Be", USENIX Security 2012; Juraj Somorovsky, Andreas Mayer, Joerg Schwenk, Marco Kampmann, Meiko Jensen CA20130319-01: Security Notice for SiteMinder products using SAML https://support.ca.com/irj/portal/anonymous/phpsbpldgpg Change History Version 1.0: Initial Release If additional information is required, please contact CA Technologies Support at http://support.ca.com/ If you discover a vulnerability in CA Technologies products, please report your findings to the CA Technologies Product Vulnerability Response Team: https://support.ca.com/irj/portal/anonymous/phpsbpldgpg Regards, Kevin Kotas Director, CA Technologies Product Vulnerability Response Team Copyright (c) 2013 CA. All Rights Reserved. One CA Plaza, Islandia, N.Y. 11749. All other trademarks, trade names, service marks, and logos referenced herein belong to their respective companies. -----BEGIN PGP SIGNATURE----- Charset: utf-8 wsBVAwUBUUjib5I1FvIeMomJAQGtYwgAkE1ExBVI4lGkptHGugNY8wwejzlDzHN0 ef7J6F5t06j8eziTMeczaupH22ydFPkMC5iTmXWqafLzX4kmFGzISVIOlrdqFfdK nkACsZyzl2NogjgIa3fEp0ZpV1T7q+wSpyCnHYCDLr57BFn1a2ZBeQqqBfibye+A ZlyHGtEJnfS+H8/ZmS5voU/AliFwj3WOkaIvUFk5gK+tbzipkiQhdvoHPTSlIPZB +0VQpfVAGG2SVKXn4QTPz/zeY3/JX7SjA0Q9hLVuYe0acCPc+6Q8hGIRmfd7czEb G41+7S+EDdjJy3c5IzUc1FNvUZJ3IDpolH/jc9nyYgmYNzHvDtfv5A== =N0tz -----END PGP SIGNATURE-----

References:

https://support.ca.com/irj/portal/anonymous/phpsbpldgpg


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020, cxsecurity.com

 

Back to Top