rubycas / rubycas-client

Ruby client for Yale's Central Authentication Service protocol -- an open source enterprise single sign-on system for web applications.
http://code.google.com/p/rubycas-client/

Investigate vulnerability affecting other CAS clients #79

Open clifton opened 10 years ago

clifton commented 10 years ago

I've quoted the email below from the CAS mailing list.

From: Marvin Addison marvin.addison@gmail.com
Subject: [cas-announce] CAS Client Security Vulnerability CVE-2014-4172
Date: August 11, 2014 at 11:03:48 AM CDT
To: cas-announce@lists.ja-sig.org

A critical security vulnerability has been discovered in several Jasig CAS clients that allows URL parameter injection due to improper URL encoding at the back-channel ticket validation step of the CAS protocol. The following CVE number has been assigned to track this vulnerability:

CVE-2014-4172

Affected Software

Jasig Java CAS Client
  Vulnerable versions: <3.3.2
  Fix version: 3.3.2, http://search.maven.org/#browse%7C1586013685

.NET CAS Client
  Vulnerable versions: <1.0.2
  Fix version: 1.0.2, http://downloads.jasig.org/cas-clients/dotnet/dotnet-client-1.0.2-bin.zip

phpCAS
  Vulnerable versions: <1.3.3
  Fix version: 1.3.3, http://downloads.jasig.org/cas-clients/php/1.3.3/CAS-1.3.3.tgz

There may be other CAS clients that are vulnerable.

Impact

The nature of the vulnerability allows malicious remote (network) agents to craft attack URLs that bypass security constraints of the CAS protocol. The following attack scenarios are known and have been demonstrated:

  1. A malicious service that can obtain a valid ticket can use it to access another service in violation of the CAS protocol requirement that a ticket issued for a service can only be used to access the service for which the ticket was granted. This type of access amounts to an illicit proxy: the attacker is proxying authentication for the target.
  2. A malicious user can request a ticket for service A and use it to access service B with the access privileges of A.

Attacks like scenario 1 could result in unauthorized data disclosure, while scenario 2 could result in privilege escalation. Other attack scenarios may be possible.

Remediation

Upgrade affected CAS clients as soon as possible. Consider mitigation if upgrading is not possible.

Mitigation

The CAS Service Management facility [1], which is enabled by default, can be used to restrict services that are permitted to use CAS (i.e. allowed to request tickets). Whitelisting trusted services can reduce the scope of attacks like scenario 1 above.

The following servlet filter may provide additional defense at the CAS server against some forms of this attack:

https://github.com/Jasig/cas-server-security-filter/tree/cas-server-security-filter-1.0.0

Best, Marvin Addison CAS Developer

[1] http://jasig.github.io/cas/4.0.0/installation/Service-Management.html
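The following Ruby block is an added illustration of the bug class the quoted advisory describes (URL parameter injection in the back-channel `serviceValidate` request); it is not rubycas-client code, not code from the advisory, and not a claim about how rubycas-client builds that request. It assumes the pattern the advisory attributes to the affected clients: a parameter (here `ticket`) concatenated into the validation URL without encoding, in a position ahead of `service`, against a CAS server that, like a servlet `getParameter`, takes the first value of a repeated parameter. Hostnames, ticket strings and the `well_formed_ticket?` character set (taken from the CAS protocol's ticket rules) are constructed for the example.

```ruby
require "uri"

# Added example (not rubycas-client code). Shows how an unencoded value in the
# back-channel /serviceValidate request lets a crafted ticket inject a second
# "service" parameter, and how form-encoding every parameter closes the hole.

CAS_BASE = "https://cas.example.edu/cas".freeze # constructed placeholder

# Vulnerable pattern (illustrative; assumed to mirror the affected clients):
# the ticket is appended raw and happens to precede "service" in the query.
def build_validation_url_unsafe(service, ticket)
  "#{CAS_BASE}/serviceValidate?ticket=#{ticket}" \
    "&service=#{URI.encode_www_form_component(service)}"
end

# Hardened form: every parameter is form-encoded, so '&' and '=' inside a
# value can neither terminate the current parameter nor start a new one.
def build_validation_url_safe(service, ticket)
  "#{CAS_BASE}/serviceValidate?" +
    URI.encode_www_form("ticket" => ticket, "service" => service)
end

# Model of the CAS server side (assumption for this example): like a servlet
# getParameter, return the FIRST value carried under a given name.
def server_param(url, name)
  query = url.split("?", 2)[1].to_s
  pair = URI.decode_www_form(query).find { |k, _| k == name }
  pair && pair[1]
end

# The service the server would check the ticket's binding against.
def service_seen_by_server(url)
  server_param(url, "service")
end

# True when the server would validate against something other than the
# service that actually sent the request, i.e. the injection took effect.
def injection_succeeded?(url, legitimate_service)
  service_seen_by_server(url) != legitimate_service
end

# Defence in depth: reject anything that is not a plausible CAS ticket before
# it ever reaches URL construction. The CAS protocol restricts ticket strings to
# [A-Za-z0-9-] with an "ST-" (service) or "PT-" (proxy) prefix (stated as an
# assumption here; check your protocol version).
def well_formed_ticket?(ticket)
  !!(ticket =~ /\A(?:ST|PT)-[A-Za-z0-9-]+\z/)
end

# Constructed scenario: service B validates a ticket it received. The attacker
# (who runs service A and holds a ticket issued for A) sent B a ticket value
# with "&service=<A>" appended; B's framework already percent-decoded it.
SERVICE_B      = "https://app-b.example.edu/login".freeze
SERVICE_A      = "https://attacker.example.net/".freeze
TICKET_FOR_A   = "ST-1-abc".freeze
CRAFTED_TICKET = "#{TICKET_FOR_A}&service=#{SERVICE_A}".freeze

if __FILE__ == $0
  unsafe = build_validation_url_unsafe(SERVICE_B, CRAFTED_TICKET)
  safe   = build_validation_url_safe(SERVICE_B, CRAFTED_TICKET)
  puts "unsafe: server validates against #{service_seen_by_server(unsafe)}"
  puts "safe:   server validates against #{service_seen_by_server(safe)}"
  puts "crafted ticket passes format check? #{well_formed_ticket?(CRAFTED_TICKET)}"
end
```

With the unsafe builder the server sees `service=https://attacker.example.net/` first, so a ticket issued for A validates when presented to B (the advisory's scenario 1); with the safe builder the whole crafted string stays inside the `ticket` value and the server validates against B as intended. The format check is an independent guard: a client that refuses tickets outside the protocol's character set never builds a request from the crafted value at all.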