CVE-2017-12873

First published: Mon Dec 12 2016(Updated: )

### Background When a SimpleSAMLphp Identity Provider is misconfigured, a bug in the software when trying to build a persistent `NameID` to univocally identify the authenticating subject could cause different users to get the same identifier generated, depending on the attributes available for them right after authentication. Please note that even though this is possible thanks to a bug, **an IdP must be misconfigured** to release persistent `NameID`s even if it is not properly configured to generate them based on the specifics of the deployment. ### Description Persistent `NameID`s will typically be sent as part of the `Subject` element of a SAML assertion, or as the contents of the `eduPersonTargetedID` attribute. Here is an example of such a `NameID`: <NameID Format=“urn:oasis:names:tc:SAML:2.0:nameid-format:persistent“> zbonsm0Yn9Gnw14uQEEPr6AO7d+IvxwCQN3t+o24jYs= </NameID> Some service providers will use this information to identify a user across sessions because a persistent `NameID` will never change for a given user. This could lead to different users accessing the same account in those service providers. In order to be affected by this issue, the following circumstances must concur: - SimpleSAMLphp acts as an identity provider. - The service provider asking for authentication requests a persistent `NameID`. - No `saml:PersistentNameID` authentication processing filter is configured (neither for the whole IdP, nor for a given SP). - No `simplesaml.nameidattribute` configuration option is set (neither for the whole IdP, nor for a given SP). - One of the following alternatives: - No `userid.attribute` configuration option is set **and** the users don't have an `eduPersonPrincipalName` attribute in the users backend, **or** - the `userid.attribute` configuration option is set to an empty or missing attribute. If all these requirements are met, the `SimpleSAML_Auth_ProcessingChain` class will try to keep a unique user identifier in the state array (`addUserID()` method). Bear in mind that this code is executed **before** all the authentication processing filters configured, meaning that only those attributes retrieved for the user during **initial authentication** will be available. If no `userid.attribute` configuration option is set, the default `eduPersonPrincipalName` will then be used. However, since it is missing, no identifier will be kept. Alternatively, if `userid.attribute` is set to a missing or empty attribute, the `addUserID()` method will abort trying to register an identifier. After executing all authentication processing filters, SimpleSAMLphp will build a SAML assertion. If the service provider requests persistent `NameID`s, SimpleSAMLphp will attempt to generate one given that none is already available (because the `saml:PersistentNameID` filter was not used). At this point, the code will look for the `simplesaml.nameidattribute` configuration option in either the local IdP metadata or in the remote SP metadata. If none of them are configured, it will default to the unique user identifier previously registered by `SimpleSAML_Auth_ProcessingChain`. If no identifier was kept there, the code will log an error message: Unable to generate NameID. Check the userid.attribute option. However, instead of aborting the `NameID` generation at that point, it will go on and use a value missing from the state array as the source for the computation, meaning the `null` type will be used. Hence, all users connecting to a given service provider will get the same `NameID` generated, because all the input parameters will be the same: - The SP's entity identifier. - The IdP's entity identifier. - The `null` value. - The common secret salt from the main configuration. ### Affected versions All SimpleSAMLphp versions between 1.7.0 and 1.14.10, inclusive. ### Impact Those identity providers affected by this bug and misconfigured as previously described could be issuing SAML assertions with common `NameID`s for all or a subset of their users. If a service provider uses those `NameID`s to identify the users of the affected IdP, all the users will be associated with the same user account at the service provider, causing all sorts of potential security issues like information disclosure or unauthorized access. While we can consider this unlikely to happen, some cases have been already observed. In particular, some identity providers using default configurations and consuming metadata automatically (i.e. using the _metarefresh_ module) while using a user backend like _Active Directory_ that does not populate `eduPersonPrincipalName` are particularly sensitive to this issue. ### Resolution Upgrade to the latest version. Configure a `saml:PersistentNameID` authentication processing filter according to your needs. Remember to check that **the attribute used as the source** for the `NameID` **is present at the moment the `saml:PersistentNameID` filter is executed**. The attribute used must be **unique** per user, and **must not change** over time.

Credit: cve@mitre.org cve@mitre.org

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

• collector/friends-of-php
• collector/security-tracker-debian
• agent/type
• agent/remedy
• agent/first-publish-date
• collector/github-advisory-latest
• source/GitHub
• alias/GHSA-gp2m-7cfp-h6gf
• alias/CVE-2017-12873
• agent/software-canonical-lookup
• agent/severity
• agent/references
• agent/weakness
• agent/description
• agent/author
• collector/github-advisory
• collector/mitre-cve
• source/MITRE
• agent/last-modified-date
• agent/event
• agent/trending
• agent/source
• collector/nvd-cve
• source/NVD
• agent/software-canonical-lookup-request
• agent/softwarecombine
• agent/tags
• collector/nvd-index
• package-manager/composer
• package-manager/debian
• vendor/simplesamlphp
• canonical/simplesamlphp
• version/simplesamlphp/1.7.0
• version/simplesamlphp/1.14.10
• vendor/debian
• canonical/debian gnu/linux
• version/debian gnu/linux/7.0
• version/debian gnu/linux/8.0
• version/debian gnu/linux/9.0