Shibboleth Identity Provider LDAPS Hostname Validation Security Bypass Vulnerability

Bugtraq ID:	53178
Class:	Design Error
CVE:
Remote:	Yes
Local:	No
Published:	Apr 20 2012 12:00AM
Updated:	Apr 20 2012 12:00AM
Credit:	Scott Cantor
Vulnerable:	Shibbolet Shibbolet 2.2.1 Shibbolet Shibbolet 1.3.5 Shibbolet Shibbolet 2.3.5 Shibbolet Shibbolet 2.3 Shibbolet Shibbolet 2.2 Shibbolet Shibbolet 2.1 Shibbolet Shibbolet 2.0 Shibbolet Shibbolet 1.3 Shibbolet Shibbolet 1.2 Shibbolet Shibbolet 1.1 Shibbolet Shibbolet 1.0
Not Vulnerable:	Shibbolet Shibbolet 2.3.6

Shibboleth Identity Provider LDAPS Hostname Validation Security Bypass Vulnerability

Shibboleth is prone to a security-bypass vulnerability.

Successfully exploiting this issue allows attackers to perform man-in-the-middle attacks or impersonate trusted servers, which will aid in further attacks.

Shibboleth versions prior to 2.3.6 are vulnerable.

Shibboleth Identity Provider LDAPS Hostname Validation Security Bypass Vulnerability

An attacker can use readily available network utilities to exploit this issue.

Shibboleth Identity Provider LDAPS Hostname Validation Security Bypass Vulnerability

Solution:
Updates are available. Please see the references for more details.

Shibboleth Identity Provider LDAPS Hostname Validation Security Bypass Vulnerability

References:

• Identity Provider LDAPS Connections Do Not Perform Hostname Verification (Shibboleth)
  
• Shibboleth Homepage (Chris Ries)