Security Advisories for Shibboleth Service Providers in the UK federation: first advisory

Posted on Monday, 17 August 2009

The issue described by this advisory could potentially be exploited to allow an attacker to impersonate almost any identity provider within the UK federation. This would require the attacker to have persuaded one of the certification authorities trusted by the UK federation to issue a certificate with a specially constructed invalid name.

Although we regard this as very unlikely to have happened, it is unfortunately not possible for us to be certain that no such certificates have ever been issued. We therefore strongly recommend that all deployed Shibboleth service providers be upgraded to the patch releases issued today for both the 1.3 and 2.x versions and that a corresponding upgrade for the libcurl package be acquired for the host operating system.

The Shibboleth identity provider software is not believed to be vulnerable to these issues. However, many other packages (in particular those written in C or C++) are known to be either directly vulnerable to similar problems, or vulnerable indirectly through library packages on which they depend. If you are running other SAML implementations which you believe may be vulnerable, we recommend contacting your vendor for information about "certificate null character spoofing".
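As an added illustration of why C and C++ code is exposed to "certificate null character spoofing" (this is example code written for this page, not code from the advisory or from the Shibboleth project): a certificate name is DER-encoded with an explicit length and may legitimately carry any byte, but a C-string comparison stops at the first NUL byte and ignores everything after it. The sample name and domain names below are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* A name as it comes out of a DER-encoded certificate: explicit length,
   arbitrary bytes, possibly containing a NUL. (Constructed sample type,
   not taken from the advisory or the Shibboleth code base.) */
typedef struct {
    const unsigned char *data;
    size_t len;
} der_name;

/* Vulnerable comparison: treats the DER bytes as a C string, so the
   comparison stops at the first NUL byte and the rest of the name,
   which is what the CA actually validated, is never looked at. */
int match_name_cstring(const der_name *cert_name, const char *expected)
{
    return strcmp((const char *)cert_name->data, expected) == 0;
}

/* Hardened comparison: honours the DER length, rejects any embedded NUL
   as an invalid name, and compares the full byte range. */
int match_name_length_aware(const der_name *cert_name, const char *expected)
{
    size_t expected_len = strlen(expected);
    if (memchr(cert_name->data, '\0', cert_name->len) != NULL)
        return 0;                      /* embedded NUL: invalid name */
    if (cert_name->len != expected_len)
        return 0;                      /* length must match exactly */
    return memcmp(cert_name->data, expected, expected_len) == 0;
}

/* Constructed sample: a CN of "idp.example.org\0.attacker.example", the
   kind of "specially constructed invalid name" the advisory describes.
   Only the prefix before the NUL is visible to a C-string comparison. */
static const unsigned char SPOOFED_CN[] =
    "idp.example.org\0.attacker.example";
static const der_name SPOOFED_NAME = { SPOOFED_CN, sizeof(SPOOFED_CN) - 1 };

int main(void)
{
    const char *expected = "idp.example.org";
    printf("C-string compare : %s\n",
           match_name_cstring(&SPOOFED_NAME, expected) ? "MATCH (spoofed)" : "no match");
    printf("length-aware     : %s\n",
           match_name_length_aware(&SPOOFED_NAME, expected) ? "MATCH" : "rejected");
    return 0;
}
```

The same length-aware rule applies to every name field a relying party compares, including subjectAltName entries, not only the CN shown here.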

Edited by SteveGlover on 12 May 2010, at 02:58 PM