Sep 26, 2022 - 5:45 a.m.

Security Bulletin: IBM Tivoli Federated Identity Manager OpenID: signature validation not applied to all attributes (CVE-2012-6359)

www.ibm.com

CVSS2: 4.3 Medium
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

EPSS: 0.003 Low (Percentile 67.7%)

Abstract

SUMMARY
An OpenID message can be modified to contain unsigned attributes that will be accepted by a relying party because Tivoli Federated Identity Manager (TFIM) does not check that all attributes have been signed.

Content

VULNERABILITY DETAILS

CVE: CVE-2012-6359

DESCRIPTION:
An OpenID identity provider can send attributes about a user to a relying party via the “simple registration extension” (SREG) or “attribute exchange extension” (AX). The response from the OpenID provider to the relying party is transmitted via a browser redirect. The response also contains an attribute called “openid.signed” which lists which parameters in the response are signed by the OpenID provider.

When TFIM receives an OpenID attribute via SREG or AX, it does not check whether the attribute is signed. It could therefore be possible for an attacker, either acting as a man-in-the-middle or at the browser, to insert unsigned attributes that were not sent by the OpenID provider and have the relying party accept them. The attack does not require local network access, nor does it require authentication, but specialized knowledge and techniques are required. An exploit will not impact the availability of system resources or the confidentiality of information, but the integrity of some of the data used in the OpenID exchange could be compromised. The consequence of this compromise depends on the nature and use of the OpenID attributes by the consuming applications.
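As an added example (not IBM's code or TFIM's implementation), the following Python shows the relying-party check the bulletin describes: SREG/AX attributes are consumed only when they, and their namespace declaration, appear in openid.signed. The response, namespace URLs and the appended unsigned values are constructed for illustration, and verification of openid.sig itself is assumed to happen separately.

```python
from urllib.parse import parse_qsl

# Constructed sample: an OpenID 2.0 id_res response as the RP receives it via the
# browser redirect. Only "sreg.email" is covered by openid.signed; "sreg.nickname"
# and the AX "role" fields were appended in transit and are NOT signed.
SAMPLE_QUERY = (
    "openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0"
    "&openid.mode=id_res"
    "&openid.claimed_id=https%3A%2F%2Fop.example%2Falice"
    "&openid.signed=op_endpoint,claimed_id,identity,return_to,"
    "response_nonce,assoc_handle,ns.sreg,sreg.email"
    "&openid.sig=BASE64_SIGNATURE_PLACEHOLDER"
    "&openid.ns.sreg=http%3A%2F%2Fopenid.net%2Fextensions%2Fsreg%2F1.1"
    "&openid.sreg.email=alice%40example.com"
    "&openid.sreg.nickname=admin"
    "&openid.ns.ax=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0"
    "&openid.ax.mode=fetch_response"
    "&openid.ax.type.role=http%3A%2F%2Fexample%2Fschema%2Frole"
    "&openid.ax.value.role=administrator"
)

EXT_PREFIXES = ("sreg.", "ax.")


def parse_response(query):
    """Return the openid.* fields as a dict keyed without the 'openid.' prefix."""
    return {k[len("openid."):]: v for k, v in parse_qsl(query) if k.startswith("openid.")}


def extension_attributes(fields):
    """Every SREG/AX field regardless of signature: the behaviour the bulletin describes."""
    return {k: v for k, v in fields.items() if k.startswith(EXT_PREFIXES)}


def signed_extension_attributes(fields):
    """Only SREG/AX fields the OP covered with openid.signed (openid.sig assumed verified).
    The extension's namespace declaration (ns.sreg / ns.ax) must itself be signed,
    otherwise an attacker could bind a different namespace to the same alias."""
    signed = set(fields.get("signed", "").split(","))
    return {k: v for k, v in fields.items()
            if k.startswith(EXT_PREFIXES) and k in signed
            and "ns." + k.split(".")[0] in signed}


def unsigned_extension_attributes(fields):
    """Keys that arrived outside the signature: worth logging as a tampering indicator."""
    return set(extension_attributes(fields)) - set(signed_extension_attributes(fields))
```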

CVSS Base Score: 4.3
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVSS Details: <https://exchange.xforce.ibmcloud.com/vulnerabilities/77790>

AFFECTED PLATFORMS
- Tivoli Federated Identity Manager versions 6.2.0, 6.2.1, 6.2.2

REMEDIATION:

Vendor Fixes: Patches and installation instructions are provided at the URLs listed below.

Fix                    | Build     | APAR    | Download URL
-----------------------|-----------|---------|----------------------------------------------------------
6.2.0-TIV-TFIM-IF0011  | 6.2.0.11  | IV23453 | <http://www-01.ibm.com/support/docview.wss?uid=swg24032920>
6.2.1-TIV-TFIM-IF0003  | 6.2.1.3   | IV23452 | <http://www-01.ibm.com/support/docview.wss?uid=swg24032922>
6.2.2-TIV-TFIM-FP0002  | 6.2.2.2   | IV23451 | <http://www-01.ibm.com/support/docview.wss?uid=swg24032786>

WORKAROUNDS:
None

RELATED INFORMATION:

- Complete CVSS Guide
- IBM Secure Engineering Web Portal
- IBM Product Security Incident Response Blog

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.

Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an “industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.” IBM PROVIDES THE CVSS SCORES “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.


Affected configurations (Vulners)

- IBM Tivoli Federated Identity Manager 6.2
- IBM Tivoli Federated Identity Manager 6.2.1
- IBM Tivoli Federated Identity Manager 6.2.2
