shibboleth-sp: CVE-2021-31826: Session recovery feature contains a null pointer dereference

Related Vulnerabilities: CVE-2021-31826  

Debian Bug report logs - #987608
shibboleth-sp: CVE-2021-31826: Session recovery feature contains a null pointer dereference

Reported by: Ferenc Wágner <wferi@debian.org>

Date: Mon, 26 Apr 2021 13:21:02 UTC

Severity: grave

Tags: fixed-upstream, patch, security, upstream

Found in versions shibboleth-sp/3.0.4+dfsg1-1+deb10u1, shibboleth-sp/3.0.4+dfsg1-1, shibboleth-sp/3.0.2+dfsg1-1, shibboleth-sp/3.2.1+dfsg1-1

Forwarded to https://issues.shibboleth.net/jira/browse/SSPCPP-927


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Shib Team <pkg-shibboleth-devel@alioth-lists.debian.net>:
Bug#987608; Package src:shibboleth-sp. (Mon, 26 Apr 2021 13:21:04 GMT)


Acknowledgement sent to Ferenc Wágner <wferi@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Shib Team <pkg-shibboleth-devel@alioth-lists.debian.net>. (Mon, 26 Apr 2021 13:21:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Ferenc Wágner <wferi@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: shibboleth-sp: Session recovery feature contains a null pointer dereference
Date: Mon, 26 Apr 2021 15:16:14 +0200
Source: shibboleth-sp
Version: 3.0.2+dfsg1-1
Severity: important
Tags: upstream patch security
Forwarded: https://issues.shibboleth.net/jira/browse/SSPCPP-927

Shibboleth Service Provider Security Advisory [26 April 2021]

An updated version of the Service Provider software is now
available which corrects a denial of service vulnerability.

Session recovery feature contains a null pointer dereference
======================================================================
The cookie-based session recovery feature added in V3.0 contains a
flaw that is exploitable on systems *not* using the feature if a
specially crafted cookie is supplied.

This manifests as a crash in the shibd daemon/service process.

Because it is very simple to trigger this condition remotely, it
results in a potential denial of service condition exploitable by
a remote, unauthenticated attacker.

Versions without this feature (prior to V3.0) are not vulnerable
to this particular issue.

Recommendations
===============
Update to V3.2.2 or later of the Service Provider software, which
is now available.

In cases where this is not immediately possible, configuring a
DataSealer component in shibboleth4.xml (even if used for nothing)
will work around the vulnerability.

For example:

<DataSealer type="Static" key="4Sn0Wi6BXqQLCg+GQqY6bg==" />

This workaround is only possible after having updated the
core configuration to the V3 XML namespace.

Other Notes
===========
The cpp-sp git commit containing the fix for this issue is
5a47c3b9378f4c49392dd4d15189b70956f9f2ec


URL for this Security Advisory:
https://shibboleth.net/community/advisories/secadv_20210426.txt
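
An added example, not part of the advisory or of the Shibboleth project's code: a Python check that reads an SP configuration and reports whether the DataSealer workaround described above is present, and whether it can be applied at all given the namespace requirement. The namespace URIs are assumptions about the SP configuration schema, the helper names are hypothetical, and the sample configurations are constructed.

```python
import xml.etree.ElementTree as ET

# Assumed namespace URIs for the V3 and V2 SP configuration schemas.
V3_NS = "urn:mace:shibboleth:3.0:native:sp:config"
V2_NS = "urn:mace:shibboleth:2.0:native:sp:config"
ADVISORY_SAMPLE_KEY = "4Sn0Wi6BXqQLCg+GQqY6bg=="  # key printed in the advisory


def audit_sp_config(xml_text):
    """Report whether the DataSealer workaround is present and applicable."""
    root = ET.fromstring(xml_text)
    # ElementTree spells qualified names as "{namespace}localname".
    root_ns = root.tag[1:].split("}", 1)[0] if root.tag.startswith("{") else ""
    sealers = [el for el in root.iter() if el.tag == "{%s}DataSealer" % V3_NS]
    report = {
        "v3_namespace": root_ns == V3_NS,
        "datasealer_present": bool(sealers),
        # The advisory's key is public; flag configs that copied it verbatim.
        "reuses_sample_key": any(
            s.get("key") == ADVISORY_SAMPLE_KEY for s in sealers
        ),
    }
    if not report["v3_namespace"]:
        # Per the advisory, the workaround needs the V3 XML namespace.
        report["verdict"] = "not applicable: migrate to V3 namespace or upgrade"
    elif report["datasealer_present"]:
        report["verdict"] = "workaround present"
    else:
        report["verdict"] = "workaround missing: add DataSealer or upgrade"
    return report


def sample_config(namespace, body=""):
    """Build a minimal, constructed SPConfig document for the demo."""
    return '<SPConfig xmlns="%s" clockSkew="180">%s</SPConfig>' % (namespace, body)


if __name__ == "__main__":
    sealer = '<DataSealer type="Static" key="%s" />' % ADVISORY_SAMPLE_KEY
    for label, doc in [
        ("V2 config", sample_config(V2_NS)),
        ("V3, no sealer", sample_config(V3_NS)),
        ("V3, advisory sealer", sample_config(V3_NS, sealer)),
    ]:
        print(label, "->", audit_sp_config(doc))
```

Updating to V3.2.2 or later remains the advisory's primary recommendation; the check only tells you whether the interim workaround is in place on a host that cannot be updated yet.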



Marked as found in versions shibboleth-sp/3.0.4+dfsg1-1+deb10u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 26 Apr 2021 15:21:23 GMT)


Marked as found in versions shibboleth-sp/3.0.4+dfsg1-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 26 Apr 2021 15:21:23 GMT)


Marked as found in versions shibboleth-sp/3.2.1+dfsg1-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 26 Apr 2021 15:21:24 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Shib Team <pkg-shibboleth-devel@alioth-lists.debian.net>:
Bug#987608; Package src:shibboleth-sp. (Mon, 26 Apr 2021 19:21:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Shib Team <pkg-shibboleth-devel@alioth-lists.debian.net>. (Mon, 26 Apr 2021 19:21:06 GMT)


Message #16 received at 987608@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Ferenc Wágner <wferi@debian.org>, 987608@bugs.debian.org, Debian Security Team <team@security.debian.org>
Subject: Re: Bug#987608: shibboleth-sp: Session recovery feature contains a null pointer dereference
Date: Mon, 26 Apr 2021 21:19:16 +0200

Hi Ferenc,

On Mon, Apr 26, 2021 at 03:16:14PM +0200, Ferenc Wágner wrote:
> Source: shibboleth-sp
> Version: 3.0.2+dfsg1-1
> Severity: important
> Tags: upstream patch security
> Forwarded: https://issues.shibboleth.net/jira/browse/SSPCPP-927
> 
> Shibboleth Service Provider Security Advisory [26 April 2021]
> 
> An updated version of the Service Provider software is now
> available which corrects a denial of service vulnerability.
> 
> Session recovery feature contains a null pointer dereference
> ======================================================================
> The cookie-based session recovery feature added in V3.0 contains a
> flaw that is exploitable on systems *not* using the feature if a
> specially crafted cookie is supplied.
> 
> This manifests as a crash in the shibd daemon/service process.
> 
> Because it is very simple to trigger this condition remotely, it
> results in a potential denial of service condition exploitable by
> a remote, unauthenticated attacker.
> 
> Versions without this feature (prior to V3.0) are not vulnerable
> to this particular issue.
> 
> Recommendations
> ===============
> Update to V3.2.2 or later of the Service Provider software, which
> is now available.
> 
> In cases where this is not immediately possible, configuring a
> DataSealer component in shibboleth4.xml (even if used for nothing)
> will work around the vulnerability.
> 
> For example:
> 
> <DataSealer type="Static" key="4Sn0Wi6BXqQLCg+GQqY6bg==" />
> 
> This workaround is only possible after having updated the
> core configuration to the V3 XML namespace.
> 
> Other Notes
> ===========
> The cpp-sp git commit containing the fix for this issue is
> 5a47c3b9378f4c49392dd4d15189b70956f9f2ec
> 
> 
> URL for this Security Advisory:
> https://shibboleth.net/community/advisories/secadv_20210426.txt

Raising the severity to RC as I think this should go into bullseye and
the fix is targeted possible. Let me know, though, if you disagree on
this.

Regards,
Salvatore



Severity set to 'grave' from 'important' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 26 Apr 2021 19:21:08 GMT)


Added tag(s) fixed-upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 26 Apr 2021 19:21:09 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Shib Team <pkg-shibboleth-devel@alioth-lists.debian.net>:
Bug#987608; Package src:shibboleth-sp. (Tue, 27 Apr 2021 05:15:02 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Shib Team <pkg-shibboleth-devel@alioth-lists.debian.net>. (Tue, 27 Apr 2021 05:15:02 GMT)


Message #25 received at 987608@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Ferenc Wágner <wferi@debian.org>, 987608@bugs.debian.org
Cc: Debian Security Team <team@security.debian.org>
Subject: Re: Bug#987608: shibboleth-sp: Session recovery feature contains a null pointer dereference
Date: Tue, 27 Apr 2021 07:13:43 +0200
Control: retitle -1 shibboleth-sp: CVE-2021-31826: Session recovery feature contains a null pointer deference

Hi,

On Mon, Apr 26, 2021 at 03:16:14PM +0200, Ferenc Wágner wrote:
> Source: shibboleth-sp
> Version: 3.0.2+dfsg1-1
> Severity: important
> Tags: upstream patch security
> Forwarded: https://issues.shibboleth.net/jira/browse/SSPCPP-927
> 
> Shibboleth Service Provider Security Advisory [26 April 2021]
> 
> An updated version of the Service Provider software is now
> available which corrects a denial of service vulnerability.
> 
> Session recovery feature contains a null pointer dereference
> ======================================================================
> The cookie-based session recovery feature added in V3.0 contains a
> flaw that is exploitable on systems *not* using the feature if a
> specially crafted cookie is supplied.
> 
> This manifests as a crash in the shibd daemon/service process.
> 
> Because it is very simple to trigger this condition remotely, it
> results in a potential denial of service condition exploitable by
> a remote, unauthenticated attacker.
> 
> Versions without this feature (prior to V3.0) are not vulnerable
> to this particular issue.
> 
> Recommendations
> ===============
> Update to V3.2.2 or later of the Service Provider software, which
> is now available.
> 
> In cases where this is not immediately possible, configuring a
> DataSealer component in shibboleth4.xml (even if used for nothing)
> will work around the vulnerability.
> 
> For example:
> 
> <DataSealer type="Static" key="4Sn0Wi6BXqQLCg+GQqY6bg==" />
> 
> This workaround is only possible after having updated the
> core configuration to the V3 XML namespace.
> 
> Other Notes
> ===========
> The cpp-sp git commit containing the fix for this issue is
> 5a47c3b9378f4c49392dd4d15189b70956f9f2ec

MITRE has assigned CVE-2021-31826 for this issue.

Regards,
Salvatore



Changed Bug title to 'shibboleth-sp: CVE-2021-31826: Session recovery feature contains a null pointer deference' from 'shibboleth-sp: Session recovery feature contains a null pointer deference'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 987608-submit@bugs.debian.org. (Tue, 27 Apr 2021 05:15:02 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Shib Team <pkg-shibboleth-devel@alioth-lists.debian.net>:
Bug#987608; Package src:shibboleth-sp. (Tue, 27 Apr 2021 06:21:03 GMT)


Acknowledgement sent to wferi@debian.org:
Extra info received and forwarded to list. Copy sent to Debian Shib Team <pkg-shibboleth-devel@alioth-lists.debian.net>. (Tue, 27 Apr 2021 06:21:03 GMT)


Message #32 received at 987608@bugs.debian.org:

From: wferi@debian.org
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: Ferenc Wágner <wferi@debian.org>, 987608@bugs.debian.org, Debian Security Team <team@security.debian.org>
Subject: Re: Bug#987608: shibboleth-sp: Session recovery feature contains a null pointer dereference
Date: Tue, 27 Apr 2021 08:16:52 +0200

Salvatore Bonaccorso <carnil@debian.org> writes:

> MITRE has assigned CVE-2021-31826 for this issue.

Thanks.  I guess you don't want a new security upload for this, but I'll
certainly include it in the changelog of the unstable upload.  (And in
the changelog of the next security upload, whenever that happens.)
-- 
Feri



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Shib Team <pkg-shibboleth-devel@alioth-lists.debian.net>:
Bug#987608; Package src:shibboleth-sp. (Tue, 27 Apr 2021 06:48:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Shib Team <pkg-shibboleth-devel@alioth-lists.debian.net>. (Tue, 27 Apr 2021 06:48:03 GMT)


Message #37 received at 987608@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: wferi@debian.org
Cc: 987608@bugs.debian.org, Debian Security Team <team@security.debian.org>
Subject: Re: Bug#987608: shibboleth-sp: Session recovery feature contains a null pointer dereference
Date: Tue, 27 Apr 2021 08:46:22 +0200

Hi

On Tue, Apr 27, 2021 at 08:16:52AM +0200, wferi@debian.org wrote:
> Salvatore Bonaccorso <carnil@debian.org> writes:
> 
> > MITRE has assigned CVE-2021-31826 for this issue.
> 
> Thanks.  I guess you don't want a new security upload for this, but I'll
> certainly include it in the changelog of the unstable upload.  (And in
> the changelog of the next security upload, whenever that happens.)

Yes exactly, there is no need to reject the package and reupload with
the CVE identifier added, it is all enough how it is so far, we will
just add it to the DSA itself.

So all fine.

Regards,
Salvatore




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Tue Apr 27 08:07:46 2021; Machine Name: buxtehude
