CA20130319-01: Security Notice for SiteMinder products using SAML

Issued: March 19, 2013
Last Updated: March 28, 2013

CA Technologies support is alerting customers to a potential risk with certain CA SiteMinder products that implement Security Assertion Markup Language (SAML). Multiple vulnerabilities, collectively tracked as CVE-2013-2279, concern the verification of XML signatures on SAML statements and can allow a remote attacker to gain additional privileges. Using XML Signature Wrapping (XSW) techniques, an attacker who holds any validly signed XML block can substitute unsigned content for the signed assertion and impersonate another user in the single sign-on system. A solution is available; see details below.

Risk Rating

High

Platform

All platforms

Affected Products

CA SiteMinder Federation (FSS) 12.5
CA SiteMinder Federation (FSS) 12.0
CA SiteMinder Federation (FSS) r6
CA SiteMinder Federation (Standalone)(1) 12.1
CA SiteMinder Federation (Standalone) 12.0
CA SiteMinder Agent for SharePoint 2010
CA SiteMinder for Secure Proxy Server 12.5
CA SiteMinder for Secure Proxy Server 12.0
CA SiteMinder for Secure Proxy Server 6.0

Note:
(1) CA SiteMinder Federation (Standalone) was previously known as CA Federation Manager.

Non-Affected Products

CA SiteMinder Federation (FSS) 12.5 CR2
CA SiteMinder Federation (FSS) 12.0 SP3 CR12
CA SiteMinder Federation (FSS) r6 SP6 CR10
CA SiteMinder Federation (Standalone) 12.5
CA SiteMinder for Secure Proxy Server 12.5 CR1
CA SiteMinder Agent for SharePoint 2010 SP1
CA SiteMinder Web Access Manager, all releases when not using Federation capabilities

How to determine if the installation is affected

Check the Web Agent log or the installation log to obtain the installed release version. Note that the "webagent.log" file name is configurable by the SiteMinder administrator, so the log may have a different name in your deployment. If the installed version is earlier than the remediated release listed in the Solution section, the installation is vulnerable.

Products may be subject to this vulnerability when used with SAML 1.1, SAML 2.0, and WS-Federation protocols. For more details on potential mitigations, please see the Workaround section below.

To clarify: for ANY product in the SiteMinder family listed in this notice, the vulnerability does not apply in any of the following scenarios, whether they occur individually or in combination:

  1. When acting as an Identity Provider only
  2. When configured to only use SAML 1.1 artifact or SAML 2.0 artifact
  3. When configured only for SAML 1.0 in any capacity (either as IdP or SP)

Solution

CA Technologies issued the following updates to address the vulnerability. Updates are available through the Download Center on the CA Technologies support.ca.com website.

Affected Release                                  Remediated Release
------------------------------------------------  ------------------------------------------------
CA SiteMinder Federation (FSS) 12.5               CA SiteMinder Federation (FSS) 12.5 CR2
CA SiteMinder Federation (FSS) 12.0               CA SiteMinder Federation (FSS) 12.0 SP3 CR12
CA SiteMinder Federation (FSS) r6                 CA SiteMinder Federation (FSS) r6 SP6 CR10
CA SiteMinder Federation (Standalone) 12.1        CA SiteMinder Federation (Standalone) 12.5
CA SiteMinder Federation (Standalone) 12.0        CA SiteMinder Federation (Standalone) 12.5
CA SiteMinder Agent for SharePoint 2010           CA SiteMinder Agent for SharePoint 2010 12.5.1
CA SiteMinder for Secure Proxy Server 12.5        CA SiteMinder for Secure Proxy Server 12.5 CR1
CA SiteMinder for Secure Proxy Server 12.0        CA SiteMinder for Secure Proxy Server 12.5 CR1
CA SiteMinder for Secure Proxy Server 6.0         CA SiteMinder for Secure Proxy Server 12.5 CR1

CA's recommended best practice is to deploy the updated release on the SiteMinder Policy Server first, which remediates this security vulnerability. The SiteMinder Web Agent Option Pack (WAOP) can then be upgraded on a gradual schedule.

Because the fix introduces additional checks on the validity of assertions and other signed XML messages, it is possible, although unlikely, that an existing partner sends assertions that fail the new checks. If this happens, we recommend that you have the partner correct the problem on their side. If that is not possible, and you are willing to accept the risk of disabling the enhanced signature validation (which re-exposes the installation to the substitution attack described above), you can do the following:

  1. Navigate to the xsw.properties file in one of the following locations:

    • If you see the error message in the smtracedefault.log file, go to federation_mgr_home/siteminder/config/properties
    • If you see the error message in the fwstrace.log file, go to federation_mgr_home/secure-proxy/tomcat/webapps/affwebservices/WEB-INF/classes (note that directory names are case-sensitive on UNIX platforms)

  2. Add the following settings to the xsw.properties file and set each one to true:

    DisableXSWCheck=true

    Disables the signature-wrapping checks. This setting only applies on the Policy Server.

    DisableUniqueIDCheck=true

    Disables the duplicate-ID check. This setting applies to both locations, so the change should be made in both.
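The two checks controlled by these settings are easiest to understand from a small consumer-side example. The following Python is an added illustration written for this notice, not CA Technologies code, and it makes no claim about how SiteMinder implements its checks. It models a duplicate-ID check (reject any message in which an ID value appears twice) and a signature-wrapping check (the enveloped signature must reference its own parent, and the signed element must be the Response or the single direct-child Assertion the consumer processes). Cryptographic verification of SignatureValue, normally done with a library such as xmlsec, is assumed to run separately and is not shown; the SAML messages are constructed samples with dummy signature values.

```python
"""Structural anti-wrapping checks for a SAML 2.0 Response (added example).

Illustration for this notice, not CA Technologies code. Cryptographic
verification of SignatureValue is assumed to happen separately.
"""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"


class SamlValidationError(Exception):
    """Raised when the message fails a structural check."""


def _check_unique_ids(root):
    # Duplicate-ID check: an ID resolver that returns "the" element for an
    # ID is ambiguous as soon as two elements carry the same value.
    seen = set()
    for elem in root.iter():
        elem_id = elem.get("ID")
        if elem_id is not None:
            if elem_id in seen:
                raise SamlValidationError(f"duplicate ID {elem_id!r}")
            seen.add(elem_id)


def _signed_element(signature, parent_map):
    # XSW check, part 1: an enveloped signature must reference its own
    # parent by ID. A Reference pointing anywhere else is treated as wrapping.
    ref = signature.find(f"{{{DS}}}SignedInfo/{{{DS}}}Reference")
    if ref is None:
        raise SamlValidationError("signature has no Reference")
    uri = ref.get("URI", "")
    parent = parent_map[signature]
    if not uri.startswith("#") or parent.get("ID") != uri[1:]:
        raise SamlValidationError(f"Reference {uri!r} does not cover the enveloping element")
    return parent


def extract_trusted_nameid(xml_text):
    """Return the NameID of the single, signed Assertion of a samlp:Response."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}Response":
        raise SamlValidationError("not a samlp:Response")
    _check_unique_ids(root)
    parent_map = {child: parent for parent in root.iter() for child in parent}

    # The consumer only ever processes a direct child Assertion of the Response.
    assertions = root.findall(f"{{{SAML}}}Assertion")
    if len(assertions) != 1:
        raise SamlValidationError(f"expected one Assertion, found {len(assertions)}")
    assertion = assertions[0]

    # XSW check, part 2: every Signature in the document must cover either the
    # Response or the Assertion actually consumed. A signature whose target sits
    # anywhere else (Extensions, a nested Assertion, ...) means a validly signed
    # block was moved away from the element being processed.
    signatures = list(root.iter(f"{{{DS}}}Signature"))
    if not signatures:
        raise SamlValidationError("no signature present")
    covered = {_signed_element(sig, parent_map) for sig in signatures}
    if not covered <= {root, assertion}:
        raise SamlValidationError("signature covers an element outside the processed path")

    name_id = assertion.find(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    if name_id is None or not (name_id.text or "").strip():
        raise SamlValidationError("Assertion has no NameID")
    return name_id.text.strip()


def classify(xml_text):
    """('accepted', nameid) or ('rejected', reason), for demonstration."""
    try:
        return ("accepted", extract_trusted_nameid(xml_text))
    except SamlValidationError as exc:
        return ("rejected", str(exc))


# Constructed sample messages (not captured traffic); signature values are dummies.
_HDR = '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" xmlns:ds="%s" ID="_r1">' % (SAMLP, SAML, DS)
_SIGNED_A1 = ('<saml:Assertion ID="_a1"><saml:Issuer>https://idp.example.test</saml:Issuer>'
              '<ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>'
              '<ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>'
              '<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject></saml:Assertion>')
_EVIL = '<saml:Assertion ID="%s"><saml:Subject><saml:NameID>admin</saml:NameID></saml:Subject></saml:Assertion>'

LEGIT = _HDR + _SIGNED_A1 + "</samlp:Response>"
# Wrapped, variant 1: the unsigned Assertion reuses the signed one's ID; the signed
# original is tucked into samlp:Extensions where a naive ID resolver still finds it.
XSW_DUPLICATE_ID = _HDR + (_EVIL % "_a1") + "<samlp:Extensions>" + _SIGNED_A1 + "</samlp:Extensions></samlp:Response>"
# Wrapped, variant 2: distinct IDs, so only the placement check catches it.
XSW_MOVED = _HDR + (_EVIL % "_evil") + "<samlp:Extensions>" + _SIGNED_A1 + "</samlp:Extensions></samlp:Response>"

if __name__ == "__main__":
    for name, doc in (("legit", LEGIT), ("dup-id", XSW_DUPLICATE_ID), ("moved", XSW_MOVED)):
        print(name, classify(doc))
```

Running the block accepts the legitimate message as "alice" and rejects both wrapped variants: the first fails the duplicate-ID check before any signature is examined, the second passes the ID check but fails because the only signature in the document covers an element that is not on the path the consumer processes. Setting DisableUniqueIDCheck or DisableXSWCheck corresponds to skipping the first or the second class of check respectively, which is why either setting re-opens the substitution attack.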

Workaround

Please note that SAML 1.1 and SAML 2.0 artifact transactions are not affected. With the artifact profile the assertion itself does not pass through the browser; the service provider retrieves it directly from the identity provider over an SSL-protected back channel, so an attacker is not in a position to alter the XML that is verified.

To reduce exposure when the SAML 1.1 or SAML 2.0 POST profile is used, ensure that assertions are both signed and encrypted, *and* that the key used for signing the assertion has not been used merely to sign anything else that is publicly available (for example, federation metadata). In that configuration the assertions should not be vulnerable: the encryption hides the signed block, so a potential attacker cannot obtain a validly signed XML block to reuse in the substitution attack. Bear in mind that any signed block ever exposed with that key, including assertions sent before encryption was enabled, would still be usable. Given the difficulty of determining whether or not your signatures have been compromised in this way, we strongly recommend upgrading to address the vulnerability.

References

CVE-2013-2279

"On Breaking SAML: Be Whoever You Want to Be", USENIX Security 2012; Juraj Somorovsky, Andreas Mayer, Jörg Schwenk, Marco Kampmann, Meiko Jensen

Change History

Version 1.0: Initial Release
Version 1.1: 2013-03-22 Updated the SiteMinder for Secure Proxy Server Non-Affected and Remediated Release from 12.5 CR2 to 12.5 CR1
Version 1.2: 2013-03-28 Added the clarification to the "How to determine if the installation is affected" section and the best practice to the "Solution" section.

If additional information is required, please contact CA Technologies Support at https://support.ca.com/.

If you discover a vulnerability in CA Technologies products, please report your findings to the CA Technologies Product Vulnerability Response Team.
