Hello,
On Thu, 21 Jan 2021 at 11:17, Leif Johansson <leifj at sunet.se> wrote:
> On 2021-01-20 21:38, Ivan Kanakarakis wrote:
> > Hello everyone,
> > I just received the following email with questions on the recent
> > vulnerabilities of pysaml2.
> > The news site is
> > https://www.bleepingcomputer.com/
> > Should we answer?
> > and should we answer all questions?
> I think we should answer but ask to see the writeup so you can help get the
> details right.
This sounds like a better strategy. Below, I am answering the email
and questions to kickstart this process.
I am skeptical if we should answer the last question.
>
>
> Cheers,
>
>
> PS: for those of you who did not see our new page on the website, have a
> look at the security section:
> https://idpy.org/security/
>
>
> ---------- Forwarded message ---------
> From: Lawrence Abrams <labrams at bleepingcomputer.com>
> Date: Wed, 20 Jan 2021 at 22:22
> Subject: Press questions regarding the Pysaml2 vulnerability
> To: <ivan.kanak at gmail.com>, <info at idpy.org>
>
>
> I am a security reporter for the technology news site BleepingComputer.
>
Hello Lawrence,
we are happy to answer these questions. Vulnerabilities, and security
in general, are a sensitive topic and we would like to make sure all
the details are right. Therefore, we would like to see the writeup
before it goes public. Is this possible?
> In regards to your pysaml2 security advisory released today for
> vulnerabilities CVE-2021-21238 and CVE-2021-21239.
>
> 1. Is it known if these vulnerabilities have been exploited in the
> wild? If so, can you share how?
>
There is no known exploitation based on those vulnerabilities. The
issues were reported directly to the IdentityPython incident-response
mailing list by researchers and users of the library. The incidents
did not become known because of an exploitation, but because the
reporters studied and analysed the code.
> 2. For CVE-2021-21238, would this allow an attacker to tamper a signed
> file as long as the original legitimate signature is the first
> keyvalue element?
>
By default, PySAML2 uses xmlsec1 as a backend to sign and verify
signed XML documents and specifically, signatures on SAML Response
elements and Assertion elements.
The original legitimate signature cannot be the first element, because
this is against the schema of SAML Response or Assertion. However, the
way xmlsec1 works is that, given a scope, it will validate the first
signature within that scope. This allows an attacker to manipulate the
document and inject a node with a valid signature before the Signature
element of the Response or Assertion elements. This invalidates the
structural consistency of the document. The way to prevent this issue
is to ensure that the document is structurally valid, by validating it
against the proper schema. If that property holds, the first signature
within the given scope will always be the Signature element that will
be verified by xmlsec1.
> 3. For CVE-2021-21239, a signed document would be valid if the same
> type of key is present in the document?
>
The XML Digital Signature specification defines multiple types of
signatures and mechanisms to sign a given document. xmlsec1 is a
generic tool that implements all of those types and mechanisms. The
SAML core specification, however, defines constraints on how documents
are signed and verified. xmlsec1 needs to be configured to match those
constraints. This is now in place; previously, an attacker could
substitute the default mechanism used to sign the document and trick
the verification process.
> 4. In what ways do you see these vulnerabilities being exploited and
> are these critical enough that they should be updated immediately?
>
An entity that receives a signed document and verifies its signature
allows the data on the document to be trusted by that entity. In
itself, this is not enough to exploit a system, but it does open a
door for attackers to brute force their way in. An attacker would have
to know or guess the right attributes of a subject in order to gain
access to the system. To gain privileged access to a system, the
attacker would have to know even more, in particular how the system's
authorization mechanism works and trick that to gain elevated access
rights - which mechanisms are triggered, what values need to be in
place, and align all those for a successful bypass.
Even though this might not be considered critical, we do urge everyone
to update immediately.
> 5. Finally, what other software/packages utilize pysaml2?
>
[To the board] I am not sure we should answer this. This sounds like
pointing fingers. We know some users of the library, and some are
visible on GitHub (see
https://github.com/IdentityPython/pysaml2/network/dependents). I think
answering this puts pressure on those projects.
Cheers,
--
Ivan c00kiemon5ter Kanakarakis >:3
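The two answers above (questions 2 and 3) describe what a relying party has to guarantee before handing a document to xmlsec1: the first ds:Signature inside the verification scope must be the element's own enveloped signature, and the signature mechanism and key material must match what the local policy allows. The following is an added, hypothetical illustration of such pre-checks written for this page; it is not pysaml2's code and is not a substitute for validating against the SAML schemas or for configuring xmlsec1. The policy constants, the helper names and all sample documents (with placeholder digest, signature and certificate values) are constructed for the example; nothing in it performs cryptographic verification.

```python
"""Structural and policy pre-checks on a signed SAML Response.

Hypothetical example code written for illustration; not pysaml2's implementation.
It models two properties the thread discusses: xmlsec1 verifies the first
ds:Signature it meets inside a scope, and it must be restricted to the key
types and signature mechanisms the relying party accepts.
"""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
SIG = f"{{{DS}}}Signature"

# Assumed local policy for this example (not pysaml2's defaults).
ALLOWED_SIGNATURE_METHODS = {
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256",
}


def first_signature_in_scope(elem):
    """First ds:Signature in document order below elem: the one xmlsec1 would pick."""
    return next((e for e in elem.iter(SIG)), None)


def check_signed_element(elem):
    """Findings for one signed element (Response or Assertion); empty list means OK."""
    findings = []
    own = elem.find(SIG)  # direct child only: the enveloped signature the schema allows
    if own is None:
        return ["no enveloped ds:Signature as direct child"]
    # 1. The first Signature in this scope must be the element's own; otherwise
    #    xmlsec1 would verify an injected node instead of this element.
    if first_signature_in_scope(elem) is not own:
        findings.append("first ds:Signature in scope is not the element's own signature")
    # 2. The enveloped signature must reference the element it lives in.
    ref = own.find(f"{{{DS}}}SignedInfo/{{{DS}}}Reference")
    if ref is None or ref.get("URI") != "#" + (elem.get("ID") or ""):
        findings.append("ds:Reference URI does not point at this element's ID")
    # 3. Only the signature mechanisms of the local policy are acceptable.
    method = own.find(f"{{{DS}}}SignedInfo/{{{DS}}}SignatureMethod")
    alg = method.get("Algorithm") if method is not None else None
    if alg not in ALLOWED_SIGNATURE_METHODS:
        findings.append(f"signature method not allowed: {alg}")
    # 4. If KeyInfo is present it may only carry X509 data; key material that the
    #    document supplies about itself (e.g. a bare KeyValue) must not be trusted.
    keyinfo = own.find(f"{{{DS}}}KeyInfo")
    if keyinfo is not None:
        for child in keyinfo:
            if child.tag != f"{{{DS}}}X509Data":
                findings.append(f"unexpected key material in KeyInfo: {child.tag}")
    return findings


def check_response(xml_text):
    """Check the Response and every Assertion it carries; return {element ID: findings}."""
    root = ET.fromstring(xml_text)
    results = {root.get("ID"): check_signed_element(root)}
    for assertion in root.findall(f"{{{SAML}}}Assertion"):
        results[assertion.get("ID")] = check_signed_element(assertion)
    return results


# --- constructed sample documents (placeholder values, no real signatures) ---
def _signature(target_id, alg="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
               keyinfo="<ds:X509Data><ds:X509Certificate>PLACEHOLDER</ds:X509Certificate></ds:X509Data>"):
    return f"""<ds:Signature xmlns:ds="{DS}">
  <ds:SignedInfo>
    <ds:SignatureMethod Algorithm="{alg}"/>
    <ds:Reference URI="#{target_id}"><ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference>
  </ds:SignedInfo>
  <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  <ds:KeyInfo>{keyinfo}</ds:KeyInfo>
</ds:Signature>"""


def _response(before_signature="", response_sig=None, assertion_sig=None):
    response_sig = response_sig or _signature("resp-1")
    assertion_sig = assertion_sig or _signature("assert-1")
    return f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="resp-1">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  {before_signature}
  {response_sig}
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="assert-1">
    <saml:Issuer>https://idp.example.org</saml:Issuer>
    {assertion_sig}
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


GOOD = _response()  # schema-ordered: Issuer, Signature, Status, Assertion
# A schema-violating node carrying another Signature placed ahead of the real one.
WRAPPED = _response(before_signature=f"<samlp:Extensions>{_signature('resp-1')}</samlp:Extensions>")
# The document supplies its own KeyValue instead of an X509 certificate.
KEYVALUE = _response(assertion_sig=_signature("assert-1", keyinfo="<ds:KeyValue><ds:RSAKeyValue/></ds:KeyValue>"))

if __name__ == "__main__":
    for name, doc in (("good", GOOD), ("wrapped", WRAPPED), ("keyvalue", KEYVALUE)):
        print(name, check_response(doc))
```

The structural test in step 1 is only an approximation of full schema validation, which is what the advisory recommends: a document that is schema-valid cannot place any node before the element's own Signature, so the first Signature in scope is by construction the one xmlsec1 verifies. Steps 3 and 4 mirror what has to be pinned in the xmlsec1 configuration rather than left to the document.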