phpCAS is an authentication library that allows PHP applications to easily authenticate users via a Central Authentication Service (CAS) server. The phpCAS library uses HTTP headers to determine the service URL used to validate tickets. This allows an attacker to control the host header and use a valid ticket granted for any authorized service in the same SSO realm (CAS server) to authenticate to the service protected by phpCAS. Depending on the settings of the CAS server service registry in worst case this may be any other service URL (if the allowed URLs are configured to "^(https)://.*") or may be strictly limited to known and authorized services in the same SSO federation if proper URL service validation is applied. This vulnerability may allow an attacker to gain access to a victim's account on a vulnerable CASified service without victim's knowledge, when the victim visits attacker's website while being logged in to the same CAS server. phpCAS 1.6.0 is a major version upgrade that starts enforcing service URL discovery validation, because there is unfortunately no 100% safe default config to use in PHP. Starting this version, it is required to pass in an additional service base URL argument when constructing the client class. For more information, please refer to the upgrading doc. This vulnerability only impacts the CAS client that the phpCAS library protects against. The problematic service URL discovery behavior in phpCAS < 1.6.0 will only be disabled, and thus you are not impacted from it, if the phpCAS configuration has the following setup: 1. `phpCAS::setUrl()` is called (a reminder that you have to pass in the full URL of the current page, rather than your service base URL), and 2. `phpCAS::setCallbackURL()` is called, only when the proxy mode is enabled. 3. If your PHP's HTTP header input `X-Forwarded-Host`, `X-Forwarded-Server`, `Host`, `X-Forwarded-Proto`, `X-Forwarded-Protocol` is sanitized before reaching PHP (by a reverse proxy, for example), you will not be impacted by this vulnerability either. If your CAS server service registry is configured to only allow known and trusted service URLs the severity of the vulnerability is reduced substantially in its severity since an attacker must be in control of another authorized service. Otherwise, you should upgrade the library to get the safe service discovery behavior.

According to its self-reported version, the Moodle install hosted on the remote host is prior to 3.9.23, 3.11.x prior to 3.11.16 or 4.0.x prior to 4.0.10. The phpCAS library included with Moodle has been upgraded to version 1.6.0, which includes a fix for a serious security issue.

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 37 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2022-d6c6782130 advisory.

    **Changes in version 1.6.0**

    Bug Fixes:

     * Introduce required service_name constructor argument to fix service hostname discovery exploitation     vulnerability **CVE-2022-39369** (Henry Pan)
     * Set user agent [#421] (Fydon)


Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Ubuntu 16.04 LTS host has a package installed that is affected by a vulnerability as referenced in the USN-6913-2 advisory.

    USN-6913-1 fixed CVE-2022-39369 for Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. This update provides the     corresponding fix for Ubuntu 16.04 LTS.



Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Ubuntu 22.04 LTS host has packages installed that are affected by a vulnerability as referenced in the USN-6914-1 advisory.

    Filip Hejsek discovered that the phpCAS library included in OCS Inventory was using HTTP headers to     determine the service URL used to validate tickets. A remote attacker could possibly use this issue to     gain access to a victim's account.

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Ubuntu 20.04 LTS / 22.04 LTS host has a package installed that is affected by a vulnerability as referenced in the USN-6913-1 advisory.

    Filip Hejsek discovered that phpCAS was using HTTP headers to determine the service URL used to validate     tickets. A remote attacker could possibly use this issue to gain access to a victim's account on a     vulnerable CASified service.

    This security update introduces an incompatible API change. After applying this update, third party     applications need to be modified to pass in an additional service base URL argument when constructing the     client class.

    For more information please refer to the section Upgrading 1.5.0 -> 1.6.0 of the phpCAS upgrading     document:

    https://github.com/apereo/phpCAS/blob/master/docs/Upgrading

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 10 host has packages installed that are affected by a vulnerability as referenced in the dla-3486 advisory.

    -------------------------------------------------------------------------     Debian LTS Advisory DLA-3486-1                debian-lts@lists.debian.org     https://www.debian.org/lts/security/                         Tobias Frost     July 08, 2023                                 https://wiki.debian.org/LTS
    -------------------------------------------------------------------------

    Package        : ocsinventory-server     Version        : 2.5+dfsg1-1+deb10u1     CVE ID         : n/a     Debian Bug     :

    The source package ocsinventory-server, a Hardware and software     inventory tool has been updated to address the API change in php-cas due     to CVE-2022-39369, see DLA 3485-1 for details.

    CAS is an optional authentication mechanism in the binary package     ocsinventory-reports, and if used, ocsinventory-reports will stop     working until it has been reconfigured:

    It now requires the baseURL of to-be-authenticated service to be     configured.

    For ocsinventory-reports, this is configured with the variable     $cas_service_base_url in the file     /usr/share/ocsinventory-reports/backend/require/cas.config.php

    Warning: regardless of this update, ocsreports-server should only be     used in secure and trusted environments.


    For Debian 10 buster, this update is available through version     2.5+dfsg1-1+deb10u1.

    We recommend that you upgrade your ocsinventory-server packages.

    For the detailed security status of ocsinventory-server please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/ocsinventory-server

    Further information about Debian LTS security advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://wiki.debian.org/LTS     Attachment:
    signature.asc     Description: PGP signature

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-3487 advisory.

    -------------------------------------------------------------------------     Debian LTS Advisory DLA-3487-1                debian-lts@lists.debian.org     https://www.debian.org/lts/security/                         Abhijith PA                                                                  Tobias Frost     July 08, 2023                                 https://wiki.debian.org/LTS
    -------------------------------------------------------------------------

    Package        : fusiondirectory     Version        : 1.2.3-4+deb10u2     CVE ID         : CVE-2022-36179 CVE-2022-36180     Debian Bug     :

    A potential Cross Site Scripting (XSS) vulnerablity (CVE-2022-36180) and     session handling vulnerability (CVE-2022-36179 )have been found in     fusiondirectory, a Web Based LDAP Administration Program.

    Additionally, fusiondirectory has been updated to address the API change     in php-cas due to CVE-2022-39369, see DLA 3485-1 for details.

    Due to this, if CAS authentication is used, fusiondirectory     will stop working until those steps are done:

    - make sure to install the updated fusiondirectory-schema package for       buster.

    - update the fusiondirectory core schema in LDAP by running         fusiondirectory-insert-schema -m

    - switch to using the new php-cas API by running         fusiondirectory-setup --set-config-CasLibraryBool=TRUE

    - set the CAS ClientServiceName to the base URL of the fusiondirectory       installation, for example:
        fusiondirectory-setup --set-config-CasClientServiceName=https://fusiondirectory.example.org/


    For Debian 10 buster, these problems have been fixed in version     1.2.3-4+deb10u2.

    We recommend that you upgrade your fusiondirectory packages.

    For the detailed security status of fusiondirectory please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/fusiondirectory

    Further information about Debian LTS security advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://wiki.debian.org/LTS     Attachment:
    signature.asc     Description: PGP signature

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 10 host has a package installed that is affected by a vulnerability as referenced in the dla-3485 advisory.

    -------------------------------------------------------------------------     Debian LTS Advisory DLA-3485-1                debian-lts@lists.debian.org     https://www.debian.org/lts/security/                         Tobias Frost     July 08, 2023                                 https://wiki.debian.org/LTS
    -------------------------------------------------------------------------

    Package        : php-cas     Version        : 1.3.6-1+deb10u1     CVE ID         : CVE-2022-39369     Debian Bug     : 1023571

    A vulnerability has been found in phpCAS, a Central Authentication     Service client library in php, which may allow an attacker to gain     access to a victim's account on a vulnerable CASified service without     victim's knowledge, when the victim visits attacker's website while     being logged in to the same CAS server.

    The fix for this vulnerabilty requires an API breaking change in php-cas     and will require that software using the library be updated.

    For buster, all packages in the Debian repositories which are using     php-cas have been updated, though additional manual configuration is to     be expected, as php-cas needs additional site information -- the service     base URL -- for it to function. The DLAs for the respective packages     will have additional information, as well as the package's NEWS files.

    For 3rd party software using php-cas, please be note that upstream     provided following instructions how to update this software [1]:

    phpCAS now requires an additional service base URL argument when constructing     the client class. It accepts any argument of:

    1. A service base URL string. The service URL discovery will always use this        server name (protocol, hostname and port number) without using any external        host names.
    2. An array of service base URL strings. The service URL discovery will check        against this list before using the auto discovered base URL. If there is no        match, the first base URL in the array will be used as the default. This        option is helpful if your PHP website is accessible through multiple domains        without a canonical name, or through both HTTP and HTTPS.
    3. A class that implements CAS_ServiceBaseUrl_Interface. If you need to        customize the base URL discovery behavior, you can pass in a class that        implements the interface.

    Constructing the client class is usually done with phpCAS::client().

    For example, using the first possiblity:
      phpCAS::client(CAS_VERSION_2_0, $cas_host, $cas_port, $cas_context);
    could become:
      phpCAS::client(CAS_VERSION_2_0, $cas_host, $cas_port, $cas_context, https://casified-     service.example.org:8080);


    Details of the vulnerability:

    CVE-2022-39369

        The phpCAS library uses HTTP headers to determine the service URL used         to validate tickets. This allows an attacker to control the host header         and use a valid ticket granted for any authorized service in the same         SSO realm (CAS server) to authenticate to the service protected by         phpCAS.  Depending on the settings of the CAS server service registry in         worst case this may be any other service URL (if the allowed URLs are         configured to ^(https)://.*) or may be strictly limited to known and         authorized services in the same SSO federation if proper URL service         validation is applied.

    [1]     https://github.com/apereo/phpCAS/blob/f3db27efd1f5020e71f2116f637a25cc9dbda1e3/docs/Upgrading#L1C1-L1C1

    For Debian 10 buster, this problem has been fixed in version     1.3.6-1+deb10u1.

    We recommend that you upgrade your php-cas packages.

    For the detailed security status of php-cas please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/php-cas

    Further information about Debian LTS security advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://wiki.debian.org/LTS     Attachment:
    signature.asc     Description: PGP signature

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Fedora 35 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2022-76b3530ac2 advisory.

    **Changes in version 1.6.0**

    Bug Fixes:

     * Introduce required service_name constructor argument to fix service hostname discovery exploitation     vulnerability **CVE-2022-39369** (Henry Pan)
     * Set user agent [#421] (Fydon)


Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Fedora 36 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2022-37c2d26f59 advisory.

    **Changes in version 1.6.0**

    Bug Fixes:

     * Introduce required service_name constructor argument to fix service hostname discovery exploitation     vulnerability **CVE-2022-39369** (Henry Pan)
     * Set user agent [#421] (Fydon)


Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
114750	Moodle < 3.9.23 phpCAS Library Upgrade	Web App Scanning	Component Vulnerability	high
114749	Moodle 3.11.x < 3.11.16 phpCAS Library Upgrade	Web App Scanning	Component Vulnerability	high
114748	Moodle 4.0.x < 4.0.10 phpCAS Library Upgrade	Web App Scanning	Component Vulnerability	high
211181	Fedora 37 : php-pear-CAS (2022-d6c6782130)	Nessus	Fedora Local Security Checks	high
204923	Ubuntu 16.04 LTS : phpCAS vulnerability (USN-6913-2)	Nessus	Ubuntu Local Security Checks	high
204664	Ubuntu 22.04 LTS : OCS Inventory vulnerability (USN-6914-1)	Nessus	Ubuntu Local Security Checks	high
204663	Ubuntu 20.04 LTS / 22.04 LTS : phpCAS vulnerability (USN-6913-1)	Nessus	Ubuntu Local Security Checks	high
178637	Debian dla-3486 : ocsinventory-reports - security update	Nessus	Debian Local Security Checks	high
178053	Debian dla-3487 : fusiondirectory - security update	Nessus	Debian Local Security Checks	critical
178052	Debian dla-3485 : php-cas - security update	Nessus	Debian Local Security Checks	high
169203	Fedora 35 : php-pear-CAS (2022-76b3530ac2)	Nessus	Fedora Local Security Checks	high
169083	Fedora 36 : php-pear-CAS (2022-37c2d26f59)	Nessus	Fedora Local Security Checks	high

Detections

Analytics

CVE-2022-39369

high

Tenable Plugins

high

high

high

high

high

high

high

high

critical

high

high

high