SA-CONTRIB-2014-035 - CAS Server - Access Bypass - Security-news

2 Apr 2014


      View online: https://drupal.org/node/2231663
* Advisory ID: DRUPAL-SA-CONTRIB-2014-035
   * Project: CAS [1] (third-party module)
   * Version: 6.x, 7.x
   * Date: 2014-April-02
   * Security risk: Critical [2]
   * Exploitable from: Remote
   * Vulnerability: Access bypass
-------- DESCRIPTION
---------------------------------------------------------
The cas_server module of the CAS project implements the CAS 1.0 and 2.0
specifications for providing a single sign-on to relying party web
application (the "service" in CAS specs). The CAS server creates single-use
tickets when serving a user's login request, which is subsequently deleted
when the relying party validates the ticket.
However, this successful validation will be cached if the Drupal page cache
is enabled, and subsequent identical validations can be processed even though
the single-use ticket has been deleted.
A user's session on a relying party can be therefore be re-initialized via a
session replay attack involving the cas_server module, even when the user
deletes cookies and server-side sessions for both sites.
This would require an attacker to sniff the service URL containing the ticket
ID, such as with a non-SSL relying party, by protocol downgrade, or by
accessing an earlier user's web activity on a public computer.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
     accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* CAS Server 6.x-2.x versions prior to 6.x-3.3.
   * CAS Server 7.x-2.x versions prior to 7.x-1.3.
Drupal core is not affected. If you do not use the contributed CAS [4]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the CAS Server module for Drupal 6.x, upgrade to CAS Server
     6.x-3.3 [5]
   * If you use the CAS Server module for Drupal 7.x, upgrade to CAS Server
     7.x-1.3 [6]
Also see the CAS [7] project page.
-------- REPORTED BY
---------------------------------------------------------
* Eric Searcy [8]
   * Greg Knaddison [9] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
* Eric Searcy [10]
   * Tim Yale [11], the module maintainer
   * Greg Knaddison [12] of the Drupal Security Team
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [13] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [14].
Learn more about the Drupal Security team and their policies [15], writing
secure code for Drupal [16], and securing your site [17].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [18]
[1] http://drupal.org/project/cas
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/cas
[5] https://drupal.org/node/2231659
[6] https://drupal.org/node/2231657
[7] http://drupal.org/project/cas
[8] http://drupal.org/user/137284
[9] http://drupal.org/user/36762
[10] http://drupal.org/user/137284
[11] http://drupal.org/user/2413764
[12] http://drupal.org/user/36762
[13] http://drupal.org/user/36762
[14] http://drupal.org/contact
[15] http://drupal.org/security-team
[16] http://drupal.org/writing-secure-code
[17] http://drupal.org/security/secure-configuration
[18] https://twitter.com/drupalsecurity