Vulnerabilities > CVE-2009-3474 - Cryptographic Issues vulnerability in Internet2 Opensaml, Shibboleth-Sp and Xmltooling

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN

Summary

OpenSAML 2.x before 2.2.1 and XMLTooling 1.x before 1.2.1, as used by Internet2 Shibboleth Service Provider 2.x before 2.2.1, do not follow the KeyDescriptor element's Use attribute, which allows remote attackers to use a certificate for both signing and encryption when it is designated for just one purpose, potentially weakening the intended security application of the certificate.

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Signature Spoofing by Key Recreation
    An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.

Nessus

  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-1895.NASL
    descriptionSeveral vulnerabilities have been discovered in the xmltooling packages, as used by Shibboleth : - Chris Ries discovered that decoding a crafted URL leads to a crash (and potentially, arbitrary code execution). - Ian Young discovered that embedded NUL characters in certificate names were not correctly handled, exposing configurations using PKIX trust validation to impersonation attacks. - Incorrect processing of SAML metadata ignores key usage constraints. This minor issue also needs a correction in the opensaml2 packages, which will be provided in an upcoming stable point release (and, before that, via stable-proposed-updates).
    last seen2020-06-01
    modified2020-06-02
    plugin id44760
    published2010-02-24
    reporterThis script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/44760
    titleDebian DSA-1895-1 : xmltooling - several vulnerabilities
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-1895. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(44760);
      script_version("1.10");
      script_cvs_date("Date: 2019/08/02 13:32:22");
    
      script_cve_id("CVE-2009-3474", "CVE-2009-3475");
      script_bugtraq_id(36514, 36516);
      script_xref(name:"DSA", value:"1895");
    
      script_name(english:"Debian DSA-1895-1 : xmltooling - several vulnerabilities");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Several vulnerabilities have been discovered in the xmltooling
    packages, as used by Shibboleth :
    
      - Chris Ries discovered that decoding a crafted URL leads
        to a crash (and potentially, arbitrary code execution).
      - Ian Young discovered that embedded NUL characters in
        certificate names were not correctly handled, exposing
        configurations using PKIX trust validation to
        impersonation attacks.
    
      - Incorrect processing of SAML metadata ignores key usage
        constraints. This minor issue also needs a correction in
        the opensaml2 packages, which will be provided in an
        upcoming stable point release (and, before that, via
        stable-proposed-updates)."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.debian.org/security/2009/dsa-1895"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the xmltooling packages.
    
    For the stable distribution (lenny), these problems have been fixed in
    version 1.0-2+lenny1."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_cwe_id(310);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:xmltooling");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:5.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2009/09/24");
      script_set_attribute(attribute:"plugin_publication_date", value:"2010/02/24");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"5.0", prefix:"libxmltooling-dev", reference:"1.0-2+lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"libxmltooling-doc", reference:"1.0-2+lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"libxmltooling1", reference:"1.0-2+lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"xmltooling-schemas", reference:"1.0-2+lenny1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-1896.NASL
    descriptionSeveral vulnerabilities have been discovered in the opensaml and shibboleth-sp packages, as used by Shibboleth 1.x : - Chris Ries discovered that decoding a crafted URL leads to a crash (and potentially, arbitrary code execution). - Ian Young discovered that embedded NUL characters in certificate names were not correctly handled, exposing configurations using PKIX trust validation to impersonation attacks. - Incorrect processing of SAML metadata ignored key usage constraints.
    last seen2020-06-01
    modified2020-06-02
    plugin id44761
    published2010-02-24
    reporterThis script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/44761
    titleDebian DSA-1896-1 : opensaml, shibboleth-sp - several vulnerabilities
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-1896. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(44761);
      script_version("1.10");
      script_cvs_date("Date: 2019/08/02 13:32:22");
    
      script_cve_id("CVE-2009-3474", "CVE-2009-3475");
      script_bugtraq_id(36514, 36516);
      script_xref(name:"DSA", value:"1896");
    
      script_name(english:"Debian DSA-1896-1 : opensaml, shibboleth-sp - several vulnerabilities");
      script_summary(english:"Checks dpkg output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Several vulnerabilities have been discovered in the opensaml and
    shibboleth-sp packages, as used by Shibboleth 1.x :
    
      - Chris Ries discovered that decoding a crafted URL leads
        to a crash (and potentially, arbitrary code execution).
      - Ian Young discovered that embedded NUL characters in
        certificate names were not correctly handled, exposing
        configurations using PKIX trust validation to
        impersonation attacks.
    
      - Incorrect processing of SAML metadata ignored key usage
        constraints."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.debian.org/security/2009/dsa-1896"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the Shibboleth 1.x packages.
    
    For the old stable distribution (etch), these problems have been fixed
    in version 1.3f.dfsg1-2+etch1 of the shibboleth-sp packages, and
    version 1.1a-2+etch1 of the opensaml packages.
    
    
    For the stable distribution (lenny), these problems have been fixed in
    version 1.3.1.dfsg1-3+lenny1 of the shibboleth-sp packages, and
    version 1.1.1-2+lenny1 of the opensaml packages.
    
    This update requires restarting the affected services (mainly Apache)
    to become effective."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_cwe_id(310);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:opensaml");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:shibboleth-sp");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:4.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:5.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2009/09/28");
      script_set_attribute(attribute:"plugin_publication_date", value:"2010/02/24");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"4.0", prefix:"libapache2-mod-shib", reference:"1.3f.dfsg1-2+etch1")) flag++;
    if (deb_check(release:"4.0", prefix:"libsaml-dev", reference:"1.1a-2+etch1")) flag++;
    if (deb_check(release:"4.0", prefix:"libsaml5", reference:"1.1a-2+etch1")) flag++;
    if (deb_check(release:"4.0", prefix:"libshib-dev", reference:"1.3f.dfsg1-2+etch1")) flag++;
    if (deb_check(release:"4.0", prefix:"libshib-target5", reference:"1.3f.dfsg1-2+etch1")) flag++;
    if (deb_check(release:"4.0", prefix:"libshib6", reference:"1.3f.dfsg1-2+etch1")) flag++;
    if (deb_check(release:"4.0", prefix:"opensaml-schemas", reference:"1.1a-2+etch1")) flag++;
    if (deb_check(release:"5.0", prefix:"libapache2-mod-shib", reference:"1.3.1.dfsg1-3+lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"libsaml-dev", reference:"1.1.1-2+lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"libsaml5", reference:"1.1.1-2+lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"libshib-dev", reference:"1.3.1.dfsg1-3+lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"libshib-target5", reference:"1.3.1.dfsg1-3+lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"libshib6", reference:"1.3.1.dfsg1-3+lenny1")) flag++;
    if (deb_check(release:"5.0", prefix:"opensaml-schemas", reference:"1.1.1-2+lenny1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");