CA20130319-01: Security Notice for SiteMinder products using SAML
Issued: March 19, 2013
Last Updated: March 28, 2013
CA Technologies support is alerting customers to a potential risk with certain CA SiteMinder products that implement Security Assertion Markup Language (SAML). Multiple vulnerabilities exist that can possibly allow a remote attacker to gain additional privileges. The vulnerabilities, CVE-2013-2279, concern the verification of XML signatures on SAML statements. An attacker can perform various attacks to impersonate another user in the single sign-on system. A solution is available, see details below.
CA SiteMinder Federation (FSS) 12.5
CA SiteMinder Federation (FSS) 12.0
CA SiteMinder Federation (FSS) r6
CA SiteMinder Federation (Standalone)(1) 12.1
CA SiteMinder Federation (Standalone) 12.0
CA SiteMinder Agent for SharePoint 2010
CA SiteMinder for Secure Proxy Server 12.5
CA SiteMinder for Secure Proxy Server 12.0
CA SiteMinder for Secure Proxy Server 6.0
(1) CA SiteMinder Federation (Standalone) was previously known as CA Federation Manager.
CA SiteMinder Federation (FSS) 12.5 CR2
CA SiteMinder Federation (FSS) 12.0 SP3 CR12
CA SiteMinder Federation (FSS) r6 SP6 CR10
CA SiteMinder Federation (Standalone) 12.5
CA SiteMinder for Secure Proxy Server 12.5 CR1
CA SiteMinder Agent for SharePoint 2010 SP1
CA SiteMinder Web Access Manager, all releases when not using Federation capabilities
How to determine if the installation is affected
Check the Web Agent log or Installation log to obtain the installed release version. Note that the "webagent.log" file name is configurable by the SiteMinder administrator. If the version is prior to the fixed release indicated in the Solution section, then the installation is vulnerable.
Products may be subject to this vulnerability when used with SAML 1.1, SAML 2.0, and WS-Federation protocols. For more details on potential mitigations, please see the Workaround section below.
To clarify, for ANY of the SiteMinder product family noted in this notice, the vulnerability does not affect the product in any (individually or collectively) of the following scenarios:
- When acting as an Identity Provider only
- When configured to only use SAML 1.1 artifact or SAML 2.0 artifact
- When configured only for SAML 1.0 in any capacity (either as IdP or SP)
CA Technologies issued the following updates to address the vulnerability. Updates are available through the Download Center on the CA Technologies support.ca.com website.
|Affected Release ||Remediated Release |
|CA SiteMinder Federation (FSS) 12.5 ||CA SiteMinder Federation (FSS) 12.5 CR2 |
|CA SiteMinder Federation (FSS) 12.0 ||CA SiteMinder Federation (FSS) 12.0 SP3 CR12 |
|CA SiteMinder Federation (FSS) r6 ||CA SiteMinder Federation (FSS) r6 SP6 CR10 |
|CA SiteMinder Federation (Standalone) 12.1 ||CA SiteMinder Federation (Standalone) 12.5 |
|CA SiteMinder Federation (Standalone) 12.0 ||CA SiteMinder Federation (Standalone) 12.5 |
|CA SiteMinder Agent for SharePoint 2010 ||CA SiteMinder Agent for SharePoint 2010 12.5.1 |
|CA SiteMinder for Secure Proxy Server 12.5 ||CA SiteMinder for Secure Proxy Server 12.5 CR1 |
|CA SiteMinder for Secure Proxy Server 12.0 ||CA SiteMinder for Secure Proxy Server 12.5 CR1 |
|CA SiteMinder for Secure Proxy Server 6.0 ||CA SiteMinder for Secure Proxy Server 12.5 CR1 |
CA's recommended best practice is to first deploy the updated release on the SiteMinder Policy Server, which will remediate this security vulnerability. The SiteMinder Web Agent Option Pack (WAOP) can be later upgraded using a gradual schedule.
As the fix introduces additional checks on the validity of assertions and other signed XML messages, it is possible, although unlikely, that an existing partner may send assertions that fail the validity check. If this happens, we recommend that you have the partner fix the issue. If this is not possible, and you are willing to accept the risk of disabling enhanced signature validation, you can do the following:
- Navigate to the xsw.properties file in one of the following locations:
- If you see the error message in the smtracedefault.log file, go to federation_mgr_home/siteminder/config/properties
- If you see the error message in the fwstrace.log, go to federation_mgr_home/secure-proxy/tomcat/webapps/affwebservices/web-INF/classes.
- Add the following settings to the xsw.properties file, and set each one to true.
This disables the signature vulnerability checks, and only applies on the policy server.
This disables the duplicate ID check, and applies to both locations. This change should be made in both locations.
Please note that SAML 1.1 and SAML 2.0 artifact transactions are not affected, as SSL transport layer security is used to protect the contents of the assertion.
To reduce exposure when SAML 1.1 and SAML 2.0 POST are used, please ensure that assertions are both signed and encrypted, *and* the key used for signing the assertion has not been used to merely sign anything else that is publicly available (for example metadata). In that configuration, the assertions should not be vulnerable, as the encryption hides the signed block, and a potential attacker cannot get a valid signed XML block to use in the substitution attack. Given the difficulty in determining whether or not your signatures have been compromised we strongly recommend upgrading to address the vulnerability.
"On Breaking SAML: Be Whoever You Want to Be", USENIX Security 2012; Juraj Somorovsky, Andreas Mayer, Jörg Schwenk, Marco Kampmann, Meiko Jensen
Version 1.0: Initial Release
Version 1.1: 2013-03-22 Updated the SiteMinder for Secure Proxy Server Non-Affected and Remediated Release from 12.5 CR2 to 12.5 CR1
Version 1.2: 2013-03-28 Added the clarification to the "How to determine if the installation is affected" section and the best practice to the "Solution" section.
If additional information is required, please contact CA Technologies Support at https://support.ca.com/.
If you discover a vulnerability in CA Technologies products, please report your findings to the CA Technologies Product Vulnerability Response Team.