
Investigate vulnerability affecting other CAS clients #79

@clifton

I've quoted the email below from the CAS mailing list.

From: Marvin Addison marvin.addison@gmail.com
Subject: [cas-announce] CAS Client Security Vulnerability CVE-2014-4172
Date: August 11, 2014 at 11:03:48 AM CDT
To: cas-announce@lists.ja-sig.org

A critical security vulnerability has been discovered in several Jasig
CAS clients that allows URL parameter injection due to improper URL
encoding at the back-channel ticket validation step of the CAS
protocol. The following CVE number has been assigned to track this
vulnerability:

CVE-2014-4172

Affected Software

Jasig Java CAS Client
Vulnerable versions: <3.3.2
Fix version: 3.3.2, http://search.maven.org/#browse%7C1586013685

.NET CAS Client
Vulnerable versions: <1.0.2
Fix version: 1.0.2,
http://downloads.jasig.org/cas-clients/dotnet/dotnet-client-1.0.2-bin.zip

phpCAS
Vulnerable versions: <1.3.3
Fix version: 1.3.3,
http://downloads.jasig.org/cas-clients/php/1.3.3/CAS-1.3.3.tgz

There may be other CAS clients that are vulnerable.

Impact

The nature of the vulnerability allows malicious remote (network)
agents to craft attack URLs that bypass security constraints of the
CAS protocol. The following attack scenarios are known and have been
demonstrated:

  1. A malicious service that can obtain a valid ticket can use it to
    access another service in violation of the CAS protocol requirement
    that a ticket issued for a service can only be used to access the
    service for which the ticket was granted. This type of access amounts
    to an illicit proxy: the attacker is proxying authentication for the
    target.
  2. A malicious user can request a ticket for service A and use it to
    access service B with the access privileges of A.

Attacks like scenario 1 could result in unauthorized data disclosure,
while scenario 2 could result in privilege escalation. Other attack
scenarios may be possible.

Remediation

Upgrade affected CAS clients as soon as possible. Consider mitigation
if upgrading is not possible.

Mitigation

The CAS Service Management facility [1], which is enabled by default,
can be used to restrict services that are permitted to use CAS (i.e.
allowed to request tickets). Whitelisting trusted services can reduce
the scope of attacks like scenario 1 above.

The following servlet filter may provide additional defense at the CAS
server against some forms of this attack:

https://github.com/Jasig/cas-server-security-filter/tree/cas-server-security-filter-1.0.0

Best,
Marvin Addison
CAS Developer

[1] http://jasig.github.io/cas/4.0.0/installation/Service-Management.html
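The defect the advisory describes is a client splicing the `service` and `ticket` values into the `/serviceValidate` query string without percent-encoding them. As an added illustration (not code from the advisory or from any Jasig client), the snippet below builds that back-channel request both ways and parses the result the way the CAS server would; the CAS server URL, the sample service URL and the ticket id are constructed placeholders.

```python
"""Back-channel /serviceValidate request: verbatim splice vs. percent-encoded parameters."""
from urllib.parse import parse_qs, urlencode, urlsplit

CAS_SERVER = "https://cas.example.org/cas"  # constructed placeholder, not a real deployment


def validate_url_unencoded(service: str, ticket: str) -> str:
    """The defect class named in the advisory: values spliced into the query verbatim."""
    return f"{CAS_SERVER}/serviceValidate?service={service}&ticket={ticket}"


def validate_url_encoded(service: str, ticket: str) -> str:
    """Hardened form: urlencode percent-encodes '?', '&', '=' and ':' inside each value,
    so reserved characters in the service URL cannot change how the query is parsed."""
    return f"{CAS_SERVER}/serviceValidate?" + urlencode({"service": service, "ticket": ticket})


def server_view(url: str) -> dict:
    """Parse the query string the way the CAS server will see it."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)


def request_intact(service: str, ticket: str, url: str) -> bool:
    """True only if the server sees exactly the two parameters the client meant,
    each with its full original value (no extra parameters, no truncated service)."""
    return server_view(url) == {"service": [service], "ticket": [ticket]}


if __name__ == "__main__":
    # Constructed sample: a legitimate service URL that carries its own query string.
    service = "https://app.example.org/login?next=/reports&tab=2"
    ticket = "ST-example-ticket"  # constructed placeholder ticket id

    for builder in (validate_url_unencoded, validate_url_encoded):
        url = builder(service, ticket)
        print(f"{builder.__name__}: intact={request_intact(service, ticket, url)}")
        print("   server sees:", server_view(url))
```

With the unencoded builder the server sees a truncated `service` plus a stray `tab` parameter; with the encoded builder it sees exactly the two values the client intended, which is the check a client's test suite should carry after upgrading.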
