FreeBSD : shibboleth-sp -- denial of service vulnerability (e4403051-a667-11eb-b9c9-6cc21735f730)

High | Nessus Plugin ID 149013

Synopsis

The remote FreeBSD host is missing a security-related update.

Description

Shibboleth project reports :

Session recovery feature contains a NULL pointer dereference.

The cookie-based session recovery feature added in V3.0 contains a flaw that is exploitable on systems *not* using the feature if a specially crafted cookie is supplied.

This manifests as a crash in the shibd daemon/service process.

Because it is very simple to trigger this condition remotely, it results in a potential denial of service condition exploitable by a remote, unauthenticated attacker.

Solution

Update the affected package.

See Also

https://shibboleth.net/community/advisories/secadv_20210426.txt

http://www.nessus.org/u?1c3ce12a

Plugin Details

Severity: High

ID: 149013

File Name: freebsd_pkg_e4403051a66711ebb9c96cc21735f730.nasl

Version: 1.1

Type: local

Published: 4/27/2021

Updated: 4/27/2021

Supported Sensors: Nessus

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:shibboleth-sp, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 4/26/2021

Vulnerability Publication Date: 4/23/2021