accept no compromises

Apache CXF WS-Security UsernameToken Bypass

Apache CXF WS-Security UsernameToken Bypass
Posted Feb 12, 2013
Site cxf.apache.org

Apache CXF suffers from a UsernameToken WS-SecurityPolicy bypass vulnerability. This vulnerability affects all versions of Apache CXF prior to 2.5.9, 2.6.6 and 2.7.3.

tags | advisory, bypass
advisories | CVE-2013-0239
MD5 | 174f7af00355616fbb181be8f7f404eb

Apache CXF WS-Security UsernameToken Bypass

Change Mirror Download
----BEGIN PGP SIGNED MESSAGE----
Hash: SHA1

CVE-2013-0239: Authentication bypass in the case of WS-SecurityPolicy enabled
plaintext UsernameTokens.

Severity: Critical

Vendor: The Apache Software Foundation

Versions Affected:

This vulnerability affects all versions of Apache CXF prior to 2.5.9, 2.6.6
and 2.7.3.

Description:

The following WS-SecurityPolicy 1.3 fragment requires that a WS-Security
UsernameToken must be present in the security header of a SOAP request:

<sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:WssUsernameToken10/>
</wsp:Policy>
</sp:UsernameToken>

If a UsernameToken element is sent with no password child element, then a
policy similar to the policy defined above will completely bypass
authentication by default. This is due to the use-case of supporting deriving
keys from a UsernameToken, where a password element would not be sent in the
token.

The vulnerability does not apply in any of the following circumstances:

a) You are using a custom UsernameTokenValidator which does not allow the
'verifyUnknownPassword' use-case, or that otherwise insists that a password
must be present in the token (such as the 'JAASUsernameTokenValidator' in
WSS4J).
b) You are using a 'sp:HashPassword' policy that requires a hashed password
to be present in the token.
c) You are using the older style of configuring WS-Security without using
WS-SecurityPolicy.

If you are relying on WS-SecurityPolicy enabled plaintext UsernameTokens to
authenticate users, and if neither points a) nor b) apply, then you must
upgrade to a fixed version of CXF (see below), or else configure a custom
UsernameTokenValidator implementation to insist that a password element must
be present.

The fix has been to require a password element in the case of a (non-endorsing)
SupportingToken.

This has been fixed in revisions:

http://svn.apache.org/viewvc?view=revision&revision=1438424

Migration:

Users of CXF prior to 2.5.x should upgrade to either 2.5.9, 2.6.6, or 2.7.3.
CXF 2.5.x users should upgrade to 2.5.9 as soon as possible.
CXF 2.6.x users should upgrade to 2.6.6 as soon as possible.
CXF 2.7.x users should upgrade to 2.7.3 as soon as possible.

References: http://cxf.apache.org/security-advisories.html

----BEGIN PGP SIGNATURE----
Version: GnuPG v1.4.11 (GNU/Linux)

iQEcBAEBAgAGBQJRFM+nAAoJEGe/gLEK1TmDf/gIAJFUWpot4X9xtbJ5SfEqGwlY
+FUoeaSuzqyVLmEPhas6eDIrwONDOrQJC9VO6fyJGMtk6rrPtbmcbRGosjb+bSJF
fpi0aHTvJdZMv2FGWkUHbpJhn0nnmM3BzgKcDhh1GTKDhiDhn4xdD+TKxNQ+xuML
KjSP6SWXCCL6jvPuu90zPPkyTX3BlR8Mxzr1OxmiGKkU2uB8Mnx+KLgMjDkV/9uf
+dApxPsqGgtDbETt1RYRrRKGW8S2YSQ61Kmf9Ce5Ewd+pcv3KRxhmerfAf6AwypD
DhiXacDlm0kjH02fWFbddMKQoL4IxbRmLV8cJSRI6mJ45Fi+r+SlLa2/g7PUxOg=
=NqSU
----END PGP SIGNATURE----

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    2 Files
  • 2
    Jul 2nd
    3 Files
  • 3
    Jul 3rd
    15 Files
  • 4
    Jul 4th
    4 Files
  • 5
    Jul 5th
    15 Files
  • 6
    Jul 6th
    15 Files
  • 7
    Jul 7th
    10 Files
  • 8
    Jul 8th
    2 Files
  • 9
    Jul 9th
    10 Files
  • 10
    Jul 10th
    15 Files
  • 11
    Jul 11th
    15 Files
  • 12
    Jul 12th
    19 Files
  • 13
    Jul 13th
    16 Files
  • 14
    Jul 14th
    15 Files
  • 15
    Jul 15th
    3 Files
  • 16
    Jul 16th
    2 Files
  • 17
    Jul 17th
    8 Files
  • 18
    Jul 18th
    11 Files
  • 19
    Jul 19th
    11 Files
  • 20
    Jul 20th
    9 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close