CVE-2014-3603
Man-in-the-Middle (MITM) vulnerability in shibboleth-identityprovider (Maven)
What is CVE-2014-3603 About?
This vulnerability affects Shibboleth Identity Provider (IdP) and OpenSAML Java, specifically their HttpResource and FileBackedHttpResource implementations. It allows man-in-the-middle attackers to spoof SSL servers because the certificate validation does not verify hostname matching. Exploitation is relatively easy for an attacker who can intercept network traffic.
Affected Software
- edu.internet2.middleware:shibboleth-identityprovider
- <2.4.1
- org.opensaml:opensaml
- <2.6.2
Technical Details
The HttpResource and FileBackedHttpResource implementations in Shibboleth Identity Provider before 2.4.1 and OpenSAML Java 2.6.2 suffer from a critical flaw in their X.509 certificate validation logic. Specifically, these implementations fail to perform hostname verification against the subject's Common Name (CN) or subjectAltName field within the X.509 certificate provided by an SSL server. This means that even if an attacker presents an arbitrary, valid SSL certificate issued by a trusted Certificate Authority, as long as it's cryptographically valid, the Shibboleth components will accept it without checking if the hostname in the certificate matches the actual server hostname. This weakness enables a man-in-the-middle attacker to intercept encrypted traffic and decrypt it by presenting a legitimate, but server-hostname-mismatched, certificate to the client, effectively spoofing the legitimate server.
What is the Impact of CVE-2014-3603?
Successful exploitation may allow attackers to perform man-in-the-middle attacks, decrypt sensitive communications, and impersonate legitimate servers, leading to information disclosure and potentially further compromise.
What is the Exploitability of CVE-2014-3603?
Exploitation of this MITM vulnerability requires the ability to intercept network traffic between the Shibboleth IdP/OpenSAML client and the target server. The complexity is moderate, relying on the attacker's network positioning and possibly DNS poisoning or ARP spoofing to direct traffic. No authentication or specific privileges are required on the target server. This is a remote attack, as the attacker needs to be in a position to intercept communications. Special conditions include the use of vulnerable versions of Shibboleth IdP or OpenSAML Java in scenarios where SSL/TLS communication occurs without proper hostname validation enabled or enforced. The likelihood of exploitation increases in environments where network traffic can be easily intercepted, such as public Wi-Fi networks or compromised internal networks.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | ||
What are the Available Fixes for CVE-2014-3603?
Available Upgrade Options
- org.opensaml:opensaml
- <2.6.2 → Upgrade to 2.6.2
- edu.internet2.middleware:shibboleth-identityprovider
- <2.4.1 → Upgrade to 2.4.1
Struggling with dependency upgrades?
See how Resolved Security's drop-in replacements make it simple.
Book a demoAdditional Resources
- http://shibboleth.net/community/advisories/secadv_20140813.txt
- http://shibboleth.net/community/advisories/secadv_20140813.txt
- http://secunia.com/advisories/60816
- https://bugzilla.redhat.com/show_bug.cgi?id=1131823
- https://bugzilla.redhat.com/show_bug.cgi?id=1131823
- https://nvd.nist.gov/vuln/detail/CVE-2014-3603
- https://osv.dev/vulnerability/GHSA-rm7v-gqfg-p2wc
What are Similar Vulnerabilities to CVE-2014-3603?
Similar Vulnerabilities: CVE-2012-5784 , CVE-2014-1568 , CVE-2014-2972 , CVE-2014-2525 , CVE-2015-1796
