
Investigate vulnerability affecting other CAS clients #79

Open
clifton opened this issue Aug 11, 2014 · 0 comments

clifton commented Aug 11, 2014

I've quoted the email below from the CAS mailing list.

From: Marvin Addison [email protected]
Subject: [cas-announce] CAS Client Security Vulnerability CVE-2014-4172
Date: August 11, 2014 at 11:03:48 AM CDT
To: [email protected]

A critical security vulnerability has been discovered in several Jasig
CAS clients that allows URL parameter injection due to improper URL
encoding at the back-channel ticket validation step of the CAS
protocol. The following CVE number has been assigned to track this
vulnerability:

CVE-2014-4172

Affected Software

Jasig Java CAS Client
Vulnerable versions: <3.3.2
Fix version: 3.3.2, http://search.maven.org/#browse%7C1586013685

.NET CAS Client
Vulnerable versions: <1.0.2
Fix version: 1.0.2,
http://downloads.jasig.org/cas-clients/dotnet/dotnet-client-1.0.2-bin.zip

phpCAS
Vulnerable versions: <1.3.3
Fix version: 1.3.3,
http://downloads.jasig.org/cas-clients/php/1.3.3/CAS-1.3.3.tgz

There may be other CAS clients that are vulnerable.

Impact

The nature of the vulnerability allows malicious remote (network)
agents to craft attack URLs that bypass security constraints of the
CAS protocol. The following attack scenarios are known and have been
demonstrated:

  1. A malicious service that can obtain a valid ticket can use it to
    access another service in violation of the CAS protocol requirement
    that a ticket issued for a service can only be used to access the
    service for which the ticket was granted. This type of access amounts
    to an illicit proxy: the attacker is proxying authentication for the
    target.
  2. A malicious user can request a ticket for service A and use it to
    access service B with the access privileges of A.

Attacks like scenario 1 could result in unauthorized data disclosure,
while scenario 2 could result in privilege escalation. Other attack
scenarios may be possible.

Remediation

Upgrade affected CAS clients as soon as possible. Consider mitigation
if upgrading is not possible.

Mitigation

The CAS Service Management facility [1], which is enabled by default,
can be used to restrict services that are permitted to use CAS (i.e.
allowed to request tickets). Whitelisting trusted services can reduce
the scope of attacks like scenario 1 above.

The following servlet filter may provide additional defense at the CAS
server against some forms of this attack:

https://github.com/Jasig/cas-server-security-filter/tree/cas-server-security-filter-1.0.0

Best,
Marvin Addison
CAS Developer

[1] http://jasig.github.io/cas/4.0.0/installation/Service-Management.html
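The encoding defect the advisory describes, shown as an added example that is not part of this issue, of the quoted email, or of any Jasig client: a naive back-channel validation URL builder beside a hardened one, plus a pre-send check a client can run on the URL it is about to fetch. `CAS_SERVER`, `SAMPLE_SERVICE` and `SAMPLE_TICKET` are constructed placeholders, not real hosts or tickets.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed placeholders, not real hosts or tickets.
CAS_SERVER = "https://cas.example.org/cas"
# A service URL that legitimately carries its own query string.
SAMPLE_SERVICE = "https://app.example.org/login?next=/home&lang=en"
SAMPLE_TICKET = "ST-1234-constructed"


def build_validate_url_naive(service, ticket):
    """The defect class behind CVE-2014-4172: the service URL is spliced into
    the /serviceValidate query without percent-encoding, so any '&', '?' or '='
    inside it is read by the CAS server as query syntax rather than as part of
    the service value."""
    return f"{CAS_SERVER}/serviceValidate?service={service}&ticket={ticket}"


def build_validate_url_encoded(service, ticket):
    """Hardened form: urlencode() percent-encodes every reserved character in
    each value, so the CAS server sees exactly one opaque `service` string."""
    query = urlencode({"service": service, "ticket": ticket})
    return f"{CAS_SERVER}/serviceValidate?{query}"


def query_params(url):
    """Decode the query string the CAS server would actually receive
    (multi-valued, blank values kept so nothing is silently dropped)."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)


def validate_url_is_sound(url, expected_service, expected_ticket):
    """Pre-send self-check for a client: the URL must decode to exactly one
    `service` and one `ticket`, both equal to what the client intended, with
    no extra parameters appearing alongside them."""
    params = query_params(url)
    return (
        params.get("service") == [expected_service]
        and params.get("ticket") == [expected_ticket]
        and set(params) == {"service", "ticket"}
    )


if __name__ == "__main__":
    builders = (("naive", build_validate_url_naive),
                ("encoded", build_validate_url_encoded))
    for label, builder in builders:
        url = builder(SAMPLE_SERVICE, SAMPLE_TICKET)
        seen = query_params(url)
        print(f"{label:8} service seen by server: {seen.get('service')}")
        print(f"{label:8} all parameters seen:    {sorted(seen)}")
        print(f"{label:8} sound: "
              f"{validate_url_is_sound(url, SAMPLE_SERVICE, SAMPLE_TICKET)}")
```

With the naive builder the server decodes `service` as `https://app.example.org/login?next=/home` and picks up a separate `lang` parameter, so the service the ticket is checked against is no longer the string the client meant to send; that kind of mismatch between intended and received parameters is what the advisory's scenarios build on. The same encoding rule applies to every value the client places in the query, including `ticket` and the `pgtUrl` proxy-callback parameter.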
