CVE-2015-1796
Impersonation vulnerability in opensaml (Maven)
What is CVE-2015-1796 About?
This vulnerability affects Shibboleth Identity Provider and OpenSAML Java PKIX trust engines. It allows remote attackers to impersonate an entity by trusting candidate X.509 credentials when no trusted names are available. Exploitation requires a certificate issued by a shibmd:KeyAuthority trust anchor, making it moderately difficult.
Affected Software
- org.opensaml:opensaml
  - <2.6.5
- edu.internet2.middleware:shibboleth-identityprovider
  - <2.4.4
Technical Details
The PKIX trust engines in Shibboleth Identity Provider before 2.4.4 and OpenSAML Java (OpenSAML-J) before 2.6.5 contain a critical logic flaw. When the trust engine processes candidate X.509 credentials, it incorrectly trusts these credentials even when there are no valid trusted names explicitly configured for the entityID. This means that if an attacker obtains a certificate that is issued by a 'shibmd:KeyAuthority' trust anchor (which is a valid scenario for some deployments), they can use this certificate to impersonate any entity, even if that entity's specific name is not listed or trusted by the relying party. The vulnerability bypasses the intended entity-specific trust validation, allowing for unauthorized assertion signing and broad impersonation.
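The flaw described above is a fail-open decision: path validation to a trust anchor succeeds, no trusted names are configured for the peer entityID, and the engine treats "nothing to compare against" as "nothing to reject". The following is an added, simplified model of that decision written for this page; it is not OpenSAML-J or Shibboleth IdP source, and the `Credential` type, function names and the constructed sample credentials are assumptions. It places the fail-open check beside the fail-closed one so the empty-set edge case is visible.

```python
# Added example: a simplified model of the trusted-name check described in the
# advisory. Illustrative only, not OpenSAML-J / Shibboleth IdP code; names are
# assumptions chosen for this example.
from dataclasses import dataclass, field


@dataclass
class Credential:
    """A candidate X.509 credential, reduced to what the name check needs."""
    subject_cn: str                          # CN from the certificate subject
    subject_alt_names: list = field(default_factory=list)
    pkix_valid: bool = True                  # outcome of path validation to a KeyAuthority


def names_from(cred: Credential) -> set:
    """All names the certificate asserts, normalised for comparison."""
    return {n.strip().lower() for n in [cred.subject_cn, *cred.subject_alt_names] if n}


def _name_match(cred: Credential, trusted_names: set) -> bool:
    return bool(names_from(cred) & {n.strip().lower() for n in trusted_names})


def vulnerable_trust(cred: Credential, trusted_names: set) -> bool:
    """Fail-open: if the peer entity has no trusted names configured, a
    credential is accepted on path validation alone."""
    if not cred.pkix_valid:
        return False
    if not trusted_names:          # the flaw: empty set is read as "skip the name check"
        return True
    return _name_match(cred, trusted_names)


def fixed_trust(cred: Credential, trusted_names: set) -> bool:
    """Fail-closed: a credential must chain to a trust anchor AND carry a name
    that is trusted for the entity it claims to represent."""
    if not cred.pkix_valid:
        return False
    if not trusted_names:          # nothing binds this cert to the entityID: reject
        return False
    return _name_match(cred, trusted_names)


def evaluate(engine, cred: Credential, entity_id: str, trusted_names_by_entity: dict) -> bool:
    """Look up the trusted names for the claimed entityID and run the engine."""
    return engine(cred, trusted_names_by_entity.get(entity_id, set()))


if __name__ == "__main__":
    # Constructed sample data: a legitimate IdP certificate and a second
    # certificate that chains to the same KeyAuthority but names another host.
    trusted = {"https://idp.example.org/idp/shibboleth": {"idp.example.org"}}
    legit = Credential("idp.example.org", ["idp.example.org"])
    other = Credential("other.example.org")
    unlisted_entity = "https://sp.example.net/shibboleth"   # no trusted names configured
    for name, engine in (("vulnerable", vulnerable_trust), ("fixed", fixed_trust)):
        print(name, "legit:", evaluate(engine, legit, "https://idp.example.org/idp/shibboleth", trusted))
        print(name, "other cert, unlisted entity:", evaluate(engine, other, unlisted_entity, trusted))
```

The only difference between the two engines is how the empty trusted-name set is handled; everything else (path validation, name matching) is identical, which is why the bug is easy to miss in review and worth a dedicated test case in any trust-engine wrapper.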
What is the Impact of CVE-2015-1796?
Successful exploitation may allow attackers to impersonate entities, forge authentication assertions, and gain unauthorized access to resources, leading to significant security breaches.
What is the Exploitability of CVE-2015-1796?
Exploitation of this impersonation vulnerability relies on the attacker possessing a certificate issued by a 'shibmd:KeyAuthority' trust anchor that is configured as trusted by the target system. The complexity is moderate, requiring the ability to generate or acquire such a certificate and craft valid SAML assertions. No authentication on the target system is required, as the vulnerability affects the trust engine's ability to validate incoming assertions. Privilege requirements are low for the attacker once the certificate is acquired. This is predominantly a remote vulnerability, allowing an attacker to send forged SAML assertions to a Shibboleth-protected service. Special conditions include the target system using vulnerable versions of Shibboleth IdP or OpenSAML Java and trusting a 'shibmd:KeyAuthority' that the attacker can leverage. The likelihood of exploitation increases if an attacker can compromise a Certificate Authority trusted as a 'shibmd:KeyAuthority'.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2015-1796?
Available Upgrade Options
- edu.internet2.middleware:shibboleth-identityprovider
  - <2.4.4 → Upgrade to 2.4.4
- org.opensaml:opensaml
  - <2.6.5 → Upgrade to 2.6.5
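A quick way to confirm whether a build pulls in an affected version is to scan `mvn dependency:list` output against the fixed versions above. The script below is an added example for this page, not a tool from the advisory or the projects; the sample output it scans is constructed, and the version comparison is a simple numeric-by-segment rule (qualifiers such as `SNAPSHOT` sort after numbers), which is enough for release versions but is not Maven's full ordering.

```python
# Added example: flag the affected Maven artifacts named in CVE-2015-1796 in
# `mvn dependency:list` output. Not part of the advisory or either project.
import re
import sys

# Fixed versions from the advisory; anything below these is affected.
FIXED_VERSIONS = {
    "org.opensaml:opensaml": "2.6.5",
    "edu.internet2.middleware:shibboleth-identityprovider": "2.4.4",
}

# Matches "group:artifact:type[:classifier]:version:scope", optionally
# prefixed by "[INFO]" as printed by mvn dependency:list.
DEP_LINE = re.compile(
    r"^\s*(?:\[INFO\]\s+)?"
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):[\w\-]+:"   # group:artifact:type:
    r"(?:[\w\-]+:)?"                                        # optional classifier:
    r"(?P<version>[\w.\-]+):\w+"                            # version:scope
)


def version_key(version: str) -> tuple:
    """Comparable key: numeric segments compare as integers, other segments
    (e.g. 'SNAPSHOT', 'rc1') compare lexically and sort after numbers."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in re.split(r"[.\-]", version))


def is_affected(coordinate: str, version: str) -> bool:
    """True when `coordinate` is one of the advisory's artifacts and `version`
    is below its fixed version."""
    fixed = FIXED_VERSIONS.get(coordinate)
    if fixed is None:
        return False
    return version_key(version) < version_key(fixed)


def scan_dependency_list(text: str) -> list:
    """Return (coordinate, found_version, fixed_version) for each affected line."""
    findings = []
    for line in text.splitlines():
        m = DEP_LINE.match(line)
        if not m:
            continue
        coordinate = f"{m['group']}:{m['artifact']}"
        if is_affected(coordinate, m["version"]):
            findings.append((coordinate, m["version"], FIXED_VERSIONS[coordinate]))
    return findings


# Constructed sample of mvn dependency:list output (versions chosen for the demo).
SAMPLE_OUTPUT = """\
[INFO] The following files have been resolved:
[INFO]    org.opensaml:opensaml:jar:2.6.4:compile
[INFO]    org.opensaml:xmltooling:jar:1.4.4:compile
[INFO]    edu.internet2.middleware:shibboleth-identityprovider:jar:2.4.4:compile
[INFO]    commons-codec:commons-codec:jar:1.10:compile
"""

if __name__ == "__main__":
    # Usage: mvn dependency:list | python scan.py   (falls back to the sample)
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    for coordinate, found, fixed in scan_dependency_list(text):
        print(f"AFFECTED {coordinate} {found} -> upgrade to {fixed}")
```

Note that the check keys on the exact artifact coordinates listed in the advisory; a shaded or repackaged copy of OpenSAML inside another jar would not show up here and needs a classpath inspection instead.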
Additional Resources
- http://www.securityfocus.com/bid/75370
- http://rhn.redhat.com/errata/RHSA-2015-1176.html
- http://rhn.redhat.com/errata/RHSA-2015-1177.html
- https://shibboleth.net/community/advisories/secadv_20150225.txt
- https://osv.dev/vulnerability/GHSA-78fq-w796-q537
- https://nvd.nist.gov/vuln/detail/CVE-2015-1796
What are Similar Vulnerabilities to CVE-2015-1796?
Similar Vulnerabilities: CVE-2014-3603, CVE-2019-1142, CVE-2016-5387, CVE-2017-1000021, CVE-2018-8032