Vulnerabilities > CVE-2009-3474 - Cryptographic Issues vulnerability in Internet2 Opensaml, Shibboleth-Sp and Xmltooling

CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
internet2
CWE-310
nessus

Summary

OpenSAML 2.x before 2.2.1 and XMLTooling 1.x before 1.2.1, as used by Internet2 Shibboleth Service Provider 2.x before 2.2.1, do not follow the KeyDescriptor element's Use attribute, which allows remote attackers to use a certificate for both signing and encryption when it is designated for just one purpose, potentially weakening the intended security application of the certificate.

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Signature Spoofing by Key Recreation
    An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.

Nessus

  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-1895.NASL
    description: Several vulnerabilities have been discovered in the xmltooling packages, as used by Shibboleth : - Chris Ries discovered that decoding a crafted URL leads to a crash (and potentially, arbitrary code execution). - Ian Young discovered that embedded NUL characters in certificate names were not correctly handled, exposing configurations using PKIX trust validation to impersonation attacks. - Incorrect processing of SAML metadata ignores key usage constraints. This minor issue also needs a correction in the opensaml2 packages, which will be provided in an upcoming stable point release (and, before that, via stable-proposed-updates).
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 44760
    published: 2010-02-24
    reporter: This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/44760
    title: Debian DSA-1895-1 : xmltooling - several vulnerabilities
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-1895. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    # Metadata registration. This branch runs when the scanner loads the plugin
    # with `description` set: it records the plugin's identity, advisory text
    # and scoring, then exits at the end of the block. Only script_* calls are
    # made here; no host data is read.
    if (description)
    {
      script_id(44760);
      script_version("1.10");
      script_cvs_date("Date: 2019/08/02 13:32:22");
    
      # Cross-references. The description below lists three issues while two
      # CVE ids are attached, so a finding keyed on these ids does not map
      # one-to-one onto the described issues.
      script_cve_id("CVE-2009-3474", "CVE-2009-3475");
      script_bugtraq_id(36514, 36516);
      script_xref(name:"DSA", value:"1895");
    
      script_name(english:"Debian DSA-1895-1 : xmltooling - several vulnerabilities");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      # Advisory text. Note the last item: the key-usage issue also needs an
      # opensaml2 correction, which this xmltooling advisory does not deliver.
      script_set_attribute(
        attribute:"description", 
        value:
    "Several vulnerabilities have been discovered in the xmltooling
    packages, as used by Shibboleth :
    
      - Chris Ries discovered that decoding a crafted URL leads
        to a crash (and potentially, arbitrary code execution).
      - Ian Young discovered that embedded NUL characters in
        certificate names were not correctly handled, exposing
        configurations using PKIX trust validation to
        impersonation attacks.
    
      - Incorrect processing of SAML metadata ignores key usage
        constraints. This minor issue also needs a correction in
        the opensaml2 packages, which will be provided in an
        upcoming stable point release (and, before that, via
        stable-proposed-updates)."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.debian.org/security/2009/dsa-1895"
      );
      # The fixed version named here is the same string used as the
      # deb_check() reference in the check section of this plugin.
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the xmltooling packages.
    
    For the stable distribution (lenny), these problems have been fixed in
    version 1.0-2+lenny1."
      );
      # CVSS v2 base vector: network vector, low complexity, no authentication,
      # partial confidentiality/integrity/availability impact.
      # Temporal vector: exploit unproven (E:U), official fix available (RL:OF),
      # report confirmed (RC:C).
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_cwe_id(310);
    
      # Declared as a local check; scope is the xmltooling package on Debian 5.0.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:xmltooling");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:5.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2009/09/24");
      script_set_attribute(attribute:"plugin_publication_date", value:"2010/02/24");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      # The check section reads these KB keys; presumably they are populated by
      # the ssh_get_info.nasl dependency from an authenticated session - confirm.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    # Preconditions: local checks must be enabled and the KB must hold both a
    # Debian release string and a dpkg package list. Each failure ends the run
    # through the matching audit() message.
    if (!get_kb_item("Host/local_checks_enabled"))
      audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release"))
      audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l"))
      audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    # Compare each xmltooling binary package on Debian 5.0 against the fixed
    # version from DSA-1895 and count the packages that deb_check() flags.
    #
    # Scope caveat: only xmltooling packages are examined. The advisory text
    # carried by this plugin says the key-usage issue also needs a correction
    # in the opensaml2 packages, which this check does not look at, so a clean
    # result here does not by itself show that issue is fully remediated.
    dsa_fixed = "1.0-2+lenny1";
    flag = 0;
    foreach dsa_pkg (make_list("libxmltooling-dev", "libxmltooling-doc", "libxmltooling1", "xmltooling-schemas"))
    {
      if (deb_check(release:"5.0", prefix:dsa_pkg, reference:dsa_fixed)) flag++;
    }
    
    # Nothing flagged: record the host as not affected. Otherwise report the
    # finding, attaching the package report when verbosity allows it.
    if (!flag) audit(AUDIT_HOST_NOT, "affected");
    else
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-1896.NASL
    description: Several vulnerabilities have been discovered in the opensaml and shibboleth-sp packages, as used by Shibboleth 1.x : - Chris Ries discovered that decoding a crafted URL leads to a crash (and potentially, arbitrary code execution). - Ian Young discovered that embedded NUL characters in certificate names were not correctly handled, exposing configurations using PKIX trust validation to impersonation attacks. - Incorrect processing of SAML metadata ignored key usage constraints.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 44761
    published: 2010-02-24
    reporter: This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/44761
    title: Debian DSA-1896-1 : opensaml, shibboleth-sp - several vulnerabilities
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-1896. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    # Metadata registration. This branch runs when the scanner loads the plugin
    # with `description` set: it records the plugin's identity, advisory text
    # and scoring, then exits at the end of the block. Only script_* calls are
    # made here; no host data is read.
    if (description)
    {
      script_id(44761);
      script_version("1.10");
      script_cvs_date("Date: 2019/08/02 13:32:22");
    
      # Cross-references. The description below lists three issues while two
      # CVE ids are attached, so a finding keyed on these ids does not map
      # one-to-one onto the described issues.
      script_cve_id("CVE-2009-3474", "CVE-2009-3475");
      script_bugtraq_id(36514, 36516);
      script_xref(name:"DSA", value:"1896");
    
      script_name(english:"Debian DSA-1896-1 : opensaml, shibboleth-sp - several vulnerabilities");
      script_summary(english:"Checks dpkg output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      # Advisory text for the Shibboleth 1.x packages (opensaml, shibboleth-sp).
      script_set_attribute(
        attribute:"description", 
        value:
    "Several vulnerabilities have been discovered in the opensaml and
    shibboleth-sp packages, as used by Shibboleth 1.x :
    
      - Chris Ries discovered that decoding a crafted URL leads
        to a crash (and potentially, arbitrary code execution).
      - Ian Young discovered that embedded NUL characters in
        certificate names were not correctly handled, exposing
        configurations using PKIX trust validation to
        impersonation attacks.
    
      - Incorrect processing of SAML metadata ignored key usage
        constraints."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.debian.org/security/2009/dsa-1896"
      );
      # The fixed versions named here are the same strings used as deb_check()
      # references in the check section. The text also states that the update
      # only becomes effective after the affected services are restarted; a
      # check of dpkg output cannot observe whether that restart happened.
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the Shibboleth 1.x packages.
    
    For the old stable distribution (etch), these problems have been fixed
    in version 1.3f.dfsg1-2+etch1 of the shibboleth-sp packages, and
    version 1.1a-2+etch1 of the opensaml packages.
    
    
    For the stable distribution (lenny), these problems have been fixed in
    version 1.3.1.dfsg1-3+lenny1 of the shibboleth-sp packages, and
    version 1.1.1-2+lenny1 of the opensaml packages.
    
    This update requires restarting the affected services (mainly Apache)
    to become effective."
      );
      # CVSS v2 base vector: network vector, low complexity, no authentication,
      # partial confidentiality/integrity/availability impact.
      # Temporal vector: exploit unproven (E:U), official fix available (RL:OF),
      # report confirmed (RC:C).
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_cwe_id(310);
    
      # Declared as a local check; scope is the opensaml and shibboleth-sp
      # packages on Debian 4.0 and 5.0.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:opensaml");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:shibboleth-sp");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:4.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:5.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2009/09/28");
      script_set_attribute(attribute:"plugin_publication_date", value:"2010/02/24");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      # The check section reads these KB keys; presumably they are populated by
      # the ssh_get_info.nasl dependency from an authenticated session - confirm.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    # Preconditions: local checks must be enabled and the KB must hold both a
    # Debian release string and a dpkg package list. Each failure ends the run
    # through the matching audit() message.
    if (!get_kb_item("Host/local_checks_enabled"))
      audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release"))
      audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l"))
      audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    # Fixed versions from DSA-1896, per release and per source package.
    etch_shib_fixed  = "1.3f.dfsg1-2+etch1";
    etch_saml_fixed  = "1.1a-2+etch1";
    lenny_shib_fixed = "1.3.1.dfsg1-3+lenny1";
    lenny_saml_fixed = "1.1.1-2+lenny1";
    
    # Count the packages that deb_check() flags. The calls stay in their
    # original order so the package report is assembled in the same sequence.
    #
    # Scope caveat: this reads dpkg data only. The advisory text says the
    # update takes effect once the affected services (mainly Apache) are
    # restarted, which a package-version comparison cannot confirm.
    flag = 0;
    
    # Debian 4.0 (etch)
    if (deb_check(release:"4.0", prefix:"libapache2-mod-shib", reference:etch_shib_fixed)) flag++;
    if (deb_check(release:"4.0", prefix:"libsaml-dev", reference:etch_saml_fixed)) flag++;
    if (deb_check(release:"4.0", prefix:"libsaml5", reference:etch_saml_fixed)) flag++;
    if (deb_check(release:"4.0", prefix:"libshib-dev", reference:etch_shib_fixed)) flag++;
    if (deb_check(release:"4.0", prefix:"libshib-target5", reference:etch_shib_fixed)) flag++;
    if (deb_check(release:"4.0", prefix:"libshib6", reference:etch_shib_fixed)) flag++;
    if (deb_check(release:"4.0", prefix:"opensaml-schemas", reference:etch_saml_fixed)) flag++;
    
    # Debian 5.0 (lenny)
    if (deb_check(release:"5.0", prefix:"libapache2-mod-shib", reference:lenny_shib_fixed)) flag++;
    if (deb_check(release:"5.0", prefix:"libsaml-dev", reference:lenny_saml_fixed)) flag++;
    if (deb_check(release:"5.0", prefix:"libsaml5", reference:lenny_saml_fixed)) flag++;
    if (deb_check(release:"5.0", prefix:"libshib-dev", reference:lenny_shib_fixed)) flag++;
    if (deb_check(release:"5.0", prefix:"libshib-target5", reference:lenny_shib_fixed)) flag++;
    if (deb_check(release:"5.0", prefix:"libshib6", reference:lenny_shib_fixed)) flag++;
    if (deb_check(release:"5.0", prefix:"opensaml-schemas", reference:lenny_saml_fixed)) flag++;
    
    # Nothing flagged: record the host as not affected. Otherwise report the
    # finding, attaching the package report when verbosity allows it.
    if (!flag) audit(AUDIT_HOST_NOT, "affected");
    else
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }