Shibboleth SP Open Redirect vulnerability affecting Logout Handler: TLP:CLEAR

Posted on Tuesday, 10 January 2023

The UK federation team are asking you to be aware of Open Redirect vulnerabilities.

We have been working with operators of Shibboleth SP software who, because of a default in some releases of the software, have an Open Redirect vulnerability affecting the SP’s Logout Handler. A significant number of these Service Providers (SPs) have now corrected their configuration. However, a number remain with the vulnerability. If we have previously contacted you, this is a reminder to test and fix your deployments.

We are using the Traffic Light Protocol [TLP] rating for this vulnerability. We have now moved to the category TLP:CLEAR. Please refer to https://www.first.org/tlp/#TLP-definitions for more information.

For the UK federation community at large: we want to help you resolve this vulnerability pro-actively.

  1. For Identity Provider (IdP) operators, please examine any SPs you have 1:1 or bilateral metadata exchange with to ensure that they do not have any mechanism that could create an Open Redirect. This is particularly the case for Shibboleth SP software and its Logout handler, although other software could be similarly affected. Note: this is unrelated to the software used in your IdP, so it applies to all organisations with an IdP in the UK federation, or in fact any organisation running an IdP.
  2. For Service Provider (SP) operators, please examine your SPs, not just in the context of the UK federation, but also in the context of your other customers with whom you may have a 1:1 or bilateral metadata exchange, or where you operate in other federations. Note: while at TLP:AMBER we communicated with other federations across the world via eduGAIN security.

What is an Open Redirect vulnerability?

"A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks."

From: https://cwe.mitre.org/data/definitions/601.html

A phishing attack has been observed that chained this Open Redirect vulnerability in another Shibboleth SP with other steps, so that the link appeared to originate from a legitimate institution and instilled a false sense of "trust" in recipients.

Why are Jisc and the UK federation asking you to change your configuration?

We are asking you to change your configuration to ensure that this vulnerability cannot be used in a phishing attack against end users in the UK federation and within the UK academic community.

When do I need to make the change?

You should make the change as soon as your internal change control allows for such a change to take place.

How do I reconfigure my service provider?

The Shibboleth Service Provider (SP) in a previous default configuration has an Open Redirect vulnerability.

You will need to ensure the redirectLimit configuration option in the SP’s Logout Handler restricts the locations that an HTTP redirect can go to.

The default setting is none, which places no restriction on the redirect target; we strongly advise you to change to a different setting. We would recommend using exact or host.

If you have a more complex configuration then you may need to use allow, exact+allow or host+allow; this would need to be in conjunction with redirectAllow.

The redirectLimit configuration is described in the Shibboleth SP 3 Sessions documentation page.

Note: the syntax of the configuration parameter has altered in v3.2 of the SP, with earlier versions of the SP using the term whitelist rather than allow.

Note: If your SP uses ApplicationOverrides we recommend you set this in the ApplicationDefaults, and not set redirectLimit elsewhere in the configuration.

The only officially supported release of the Shibboleth SP is the latest, v3.4.0.
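As an added example (not the UK federation's or the Shibboleth project's code), the following Python script audits a shibboleth2.xml for the settings described above: it flags a Sessions element whose redirectLimit is unset or none, an allow-style value with no accompanying redirectAllow list, the pre-3.2 whitelist spelling, and an ApplicationOverride that sets redirectLimit outside ApplicationDefaults. The two embedded configurations are constructed samples; their entity IDs and hostnames are placeholders.

```python
"""Audit a Shibboleth SP shibboleth2.xml for the redirectLimit setting on the
Sessions element, which governs where the Logout handler may redirect.

Added example for this advisory, not code from the UK federation or the
Shibboleth project. The configurations below are constructed samples.
"""
import xml.etree.ElementTree as ET

# Values that restrict redirects on their own.
SELF_CONTAINED = {"exact", "host"}
# Values that only work together with redirectAllow (redirectWhitelist before SP 3.2).
NEEDS_LIST = {"allow", "exact+allow", "host+allow",
              "whitelist", "exact+whitelist", "host+whitelist"}
LEGACY_NAMES = {"whitelist", "exact+whitelist", "host+whitelist"}


def _local(tag):
    """Strip the XML namespace; shibboleth2.xml uses a default namespace."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _check_sessions(sessions, where):
    """Return findings for one <Sessions> element."""
    findings = []
    limit = sessions.get("redirectLimit")
    if limit is None or limit == "none":
        state = "unset (defaults to none)" if limit is None else "none"
        findings.append(f"{where}: redirectLimit is {state}; the Logout handler "
                        "will redirect to any URL")
        return findings
    if limit in LEGACY_NAMES:
        findings.append(f"{where}: redirectLimit='{limit}' uses the pre-3.2 "
                        "'whitelist' spelling; use 'allow' on SP 3.2+")
    if limit in NEEDS_LIST:
        if not (sessions.get("redirectAllow") or sessions.get("redirectWhitelist")):
            findings.append(f"{where}: redirectLimit='{limit}' requires a "
                            "redirectAllow list, none configured")
    elif limit not in SELF_CONTAINED:
        findings.append(f"{where}: unrecognised redirectLimit value '{limit}'")
    return findings


def audit_redirect_limit(xml_text):
    """Audit a configuration; an empty list means it follows the advisory."""
    root = ET.fromstring(xml_text)
    defaults = [e for e in root.iter() if _local(e.tag) == "ApplicationDefaults"]
    if len(defaults) != 1:
        return ["expected exactly one ApplicationDefaults element"]
    findings = []
    base_sessions = _children(defaults[0], "Sessions")
    if not base_sessions:
        findings.append("ApplicationDefaults: no Sessions element")
    for s in base_sessions:
        findings += _check_sessions(s, "ApplicationDefaults/Sessions")
    # The advisory recommends setting redirectLimit once in ApplicationDefaults
    # and nowhere else, so an override that sets it again is flagged for review.
    for override in _children(defaults[0], "ApplicationOverride"):
        oid = override.get("id", "?")
        for s in _children(override, "Sessions"):
            if s.get("redirectLimit") is not None:
                findings.append(f"ApplicationOverride[{oid}]/Sessions: redirectLimit "
                                "set here; prefer the ApplicationDefaults setting")
    return findings


NS = "urn:mace:shibboleth:3.0:native:sp:config"

# Constructed: redirectLimit absent (so it defaults to none) plus an override
# that sets its own value.
WEAK_CONFIG = f"""<SPConfig xmlns="{NS}">
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth">
    <Sessions lifetime="28800" timeout="3600" handlerSSL="true" cookieProps="https">
      <Logout>SAML2 Local</Logout>
    </Sessions>
    <ApplicationOverride id="portal" entityID="https://portal.example.org/shibboleth">
      <Sessions redirectLimit="none"/>
    </ApplicationOverride>
  </ApplicationDefaults>
</SPConfig>"""

# Constructed: corrected per the advisory, host+allow with an explicit list.
HARDENED_CONFIG = f"""<SPConfig xmlns="{NS}">
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth">
    <Sessions lifetime="28800" timeout="3600" handlerSSL="true" cookieProps="https"
              redirectLimit="host+allow"
              redirectAllow="https://portal.example.org/ https://www.example.org/">
      <Logout>SAML2 Local</Logout>
    </Sessions>
  </ApplicationDefaults>
</SPConfig>"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_redirect_limit(cfg) or ["no findings"])
```

To audit a live deployment, read the file (typically /etc/shibboleth/shibboleth2.xml on Linux) and pass its contents to audit_redirect_limit; the checker inspects only the attributes the advisory names and does not attempt to interpret the semantics of the redirectAllow entries themselves.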

How do I reproduce and test for the vulnerability?

Please contact the UK federation support desk for information about how to reproduce and test for the vulnerability.

Who has Jisc shared this information with?

As part of our responsible disclosure policy, we have already shared information under TLP:AMBER with some deployers of Shibboleth SP software, with other federation operators in eduGAIN, and with the Shibboleth project. The first communications under TLP:AMBER were on 24 November 2022.

After moving to TLP:GREEN we shared the information with the UK-SECURITY mailing list.

We are now publicising this information on the UK federation website under TLP:CLEAR so that IdP operators who use the Shibboleth SP outside the UK federation (for example in internal systems) can secure their systems and work with their suppliers where appropriate.

Where can you receive support?

As the operator of an identity provider or service provider registered in the UK federation you can contact the UK federation support desk for support.

Edited by SaraHopkins on 10 January 2023, at 01:33 PM