Detections
Analytics

FreeBSD : shibboleth2-sp -- 'Dynamic' metadata provider plugin issue (b4b7ec7d-ca27-11e7-a12d-6cc21735f730)

high Nessus Plugin ID 104612

Language:

Synopsis

The remote FreeBSD host is missing a security-related update.

Description

The Internet2 community reports :

The Shibboleth Service Provider software includes a MetadataProvider plugin with the plugin type 'Dynamic' to obtain metadata on demand from a query server, in place of the more typical mode of downloading aggregates separately containing all of the metadata to load.

All the plugin types rely on MetadataFilter plugins to perform critical security checks such as signature verification, enforcement of validity periods, and other checks specific to deployments.

Due to a coding error, the 'Dynamic' plugin fails to configure itself with the filters provided to it and thus omits whatever checks they are intended to perform, which will typically leave deployments vulnerable to active attacks involving the substitution of metadata if the network path to the query service is compromised.

Solution

Update the affected package.

See Also

https://www.internet2.edu/products-services/trust-identity/shibboleth/

http://www.nessus.org/u?4bb8bb47

Plugin Details

Severity: High

ID: 104612

File Name: freebsd_pkg_b4b7ec7dca2711e7a12d6cc21735f730.nasl

Version: 3.4

Type: local

Published: 11/16/2017

Updated: 1/4/2021

Supported Sensors: Nessus

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:shibboleth2-sp, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 11/15/2017

Vulnerability Publication Date: 11/15/2017