A critical security vulnerability has been discovered in several Jasig CAS clients that allows URL parameter injection due to improper URL encoding at the back-channel ticket validation step of the CAS protocol. The following CVE number has been assigned to track this vulnerability:
CVE-2014-4172

Affected Software
----------------------------------------
Jasig Java CAS Client
  Vulnerable versions: <3.3.2
  Fix version: 3.3.2, http://search.maven.org/#browse%7C1586013685

.NET CAS Client
  Vulnerable versions: <1.0.2
  Fix version: 1.0.2, http://downloads.jasig.org/cas-clients/dotnet/dotnet-client-1.0.2-bin.zip

phpCAS
  Vulnerable versions: <1.3.3
  Fix version: 1.3.3, http://downloads.jasig.org/cas-clients/php/1.3.3/CAS-1.3.3.tgz

There may be other CAS clients that are vulnerable.

Impact
----------------------------------------
The nature of the vulnerability allows malicious remote (network) agents to craft attack URLs that bypass security constraints of the CAS protocol. The following attack scenarios are known and have been demonstrated:

1. A malicious service that can obtain a valid ticket can use it to access another service, in violation of the CAS protocol requirement that a ticket issued for a service can only be used to access the service for which the ticket was granted. This type of access amounts to an illicit proxy: the attacker is proxying authentication for the target.

2. A malicious user can request a ticket for service A and use it to access service B with the access privileges of A.

Attacks like scenario 1 could result in unauthorized data disclosure, while scenario 2 could result in privilege escalation. Other attack scenarios may be possible.

Remediation
----------------------------------------
Upgrade affected CAS clients as soon as possible. Consider mitigation if upgrading is not possible.

Mitigation
----------------------------------------
The CAS Service Management facility [1], which is enabled by default, can be used to restrict the services that are permitted to use CAS (i.e. allowed to request tickets). Whitelisting trusted services can reduce the scope of attacks like scenario 1 above.
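To make the defect class concrete, here is an added illustration (not code from any of the Jasig clients, and not the advisory's own) of how a client builds the back-channel ticket-validation URL. The naive builder concatenates the service URL into the query string unencoded, so any '&' or '=' inside the service value is interpreted by the CAS server as additional parameters; the hardened builder percent-encodes every value so the request always carries exactly the two parameters the client intended. A small allow-list check in the spirit of the Service Management mitigation is included as well. `CAS_SERVER`, `SAMPLE_SERVICE`, `SAMPLE_TICKET` and `ALLOWED_SERVICE_PATTERNS` are constructed placeholders, not values from the advisory.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed placeholders for the illustration; not values from the advisory.
CAS_SERVER = "https://cas.example.edu/cas"
# A legitimate service URL that happens to carry '&' and '=' in its own query.
SAMPLE_SERVICE = "https://app.example.edu/login?next=/home&lang=en"
SAMPLE_TICKET = "ST-1234-constructed"


def build_validate_url_naive(service: str, ticket: str) -> str:
    """The defect class the advisory describes: the service value is pasted
    into the query string without percent-encoding."""
    return f"{CAS_SERVER}/serviceValidate?service={service}&ticket={ticket}"


def build_validate_url_encoded(service: str, ticket: str) -> str:
    """Hardened form: every parameter value is percent-encoded, so the
    service URL cannot spill extra parameters into the validation request."""
    return f"{CAS_SERVER}/serviceValidate?" + urlencode(
        {"service": service, "ticket": ticket}
    )


def query_params(url: str) -> list[tuple[str, str]]:
    """Parse the query string the way a server would: split on '&', then on
    the first '=', percent-decoding each part."""
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)


def validation_request_is_well_formed(
    url: str, expected_service: str, expected_ticket: str
) -> bool:
    """Defensive check: the validation request must carry exactly one
    'service' and one 'ticket' parameter, with the values the client meant."""
    params = query_params(url)
    if sorted(name for name, _ in params) != ["service", "ticket"]:
        return False
    values = dict(params)
    return values["service"] == expected_service and values["ticket"] == expected_ticket


# Constructed allow-list patterns, illustrating the idea behind restricting
# which services may request tickets (not the Service Management syntax).
ALLOWED_SERVICE_PATTERNS = [
    r"https://app\.example\.edu(/.*)?",
    r"https://portal\.example\.edu(/.*)?",
]


def service_allowed(service: str, patterns=ALLOWED_SERVICE_PATTERNS) -> bool:
    """Return True only if the service URL fully matches an allowed pattern."""
    return any(re.fullmatch(pattern, service) for pattern in patterns)


if __name__ == "__main__":
    naive = build_validate_url_naive(SAMPLE_SERVICE, SAMPLE_TICKET)
    encoded = build_validate_url_encoded(SAMPLE_SERVICE, SAMPLE_TICKET)
    print("naive params:  ", query_params(naive))     # three parameters, service truncated
    print("encoded params:", query_params(encoded))   # two parameters, service intact
    print("naive well-formed:  ", validation_request_is_well_formed(naive, SAMPLE_SERVICE, SAMPLE_TICKET))
    print("encoded well-formed:", validation_request_is_well_formed(encoded, SAMPLE_SERVICE, SAMPLE_TICKET))
    print("service allowed:", service_allowed(SAMPLE_SERVICE))
```

Running the script shows the naive request parsed as three parameters (`service` cut off at the first '&', a stray `lang`, and `ticket`), while the encoded request round-trips to exactly the two parameters the client intended. The same parsing check can be used on the server side to reject validation requests whose parameter set is not exactly `service` and `ticket`.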
The following servlet filter may provide additional defense at the CAS server against some forms of this attack:
https://github.com/Jasig/cas-server-security-filter/tree/cas-server-security-filter-1.0.0

Best,
Marvin Addison
CAS Developer

[1] http://jasig.github.io/cas/4.0.0/installation/Service-Management.html

--
You are currently subscribed to cas-user@lists.jasig.org as: arch...@mail-archive.com
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user