-----BEGIN PGP SIGNED MESSAGE-----

CA20130319-01: Security Notice for SiteMinder products using SAML

Issued: March 19, 2013

CA Technologies support is alerting customers to a potential risk
with certain CA SiteMinder products that implement Security Assertion
Markup Language (SAML). Multiple vulnerabilities exist that can
possibly allow a remote attacker to gain additional privileges. The
vulnerabilities, CVE-2013-2279, concern the verification of XML
signatures on SAML statements. An attacker can perform various
attacks to impersonate another user in the single sign-on system. A
solution is available, see details below.

Risk Rating

High

Platform

All platforms

Affected Products

CA SiteMinder Federation (FSS) 12.5
CA SiteMinder Federation (FSS) 12.0
CA SiteMinder Federation (FSS) r6
CA SiteMinder Federation (Standalone)(1) 12.1
CA SiteMinder Federation (Standalone) 12.0
CA SiteMinder Agent for SharePoint 2010
CA SiteMinder for Secure Proxy Server 12.5
CA SiteMinder for Secure Proxy Server 12.0
CA SiteMinder for Secure Proxy Server 6.0

Note:
(1) CA SiteMinder Federation (Standalone) was previously known as CA
Federation Manager.

Non-Affected Products

CA SiteMinder Federation (FSS) 12.5 CR2
CA SiteMinder Federation (FSS) 12.0 SP3 CR12
CA SiteMinder Federation (FSS) r6 SP6 CR10
CA SiteMinder Federation (Standalone) 12.5
CA SiteMinder for Secure Proxy Server 12.5 CR2
CA SiteMinder Agent for SharePoint 2010 SP1
CA SiteMinder Web Access Manager, all releases when not using
Federation capabilities

How to determine if the installation is affected

Check the Web Agent log or Installation log to obtain the installed
release version. Note that the "webagent.log" file name is
configurable by the SiteMinder administrator. If the version is prior
to the fixed release indicated in the Solution section, then the
installation is vulnerable.

Products may be subject to this vulnerability when used with SAML
1.1, SAML 2.0, and WS-Federation protocols. For more details on
potential mitigations, please see the Workaround section below.

Solution

CA Technologies issued the following updates to address the
vulnerability. Updates are available through the Download Center on
the CA Technologies support.ca.com website.

Affected Release
Remediated Release

CA SiteMinder Federation (FSS) 12.5
CA SiteMinder Federation (FSS) 12.5 CR2

CA SiteMinder Federation (FSS) 12.0
CA SiteMinder Federation (FSS) 12.0 SP3 CR12

CA SiteMinder Federation (FSS) r6
CA SiteMinder Federation (FSS) r6 SP6 CR10

CA SiteMinder Federation (Standalone) 12.1
CA SiteMinder Federation (Standalone) 12.5

CA SiteMinder Federation (Standalone) 12.0
CA SiteMinder Federation (Standalone) 12.5

CA SiteMinder Agent for SharePoint 2010
CA SiteMinder Agent for SharePoint 2010 12.5.1

CA SiteMinder for Secure Proxy Server 12.5
CA SiteMinder for Secure Proxy Server 12.5 CR2

CA SiteMinder for Secure Proxy Server 12.0
CA SiteMinder for Secure Proxy Server 12.5 CR2

CA SiteMinder for Secure Proxy Server 6.0
CA SiteMinder for Secure Proxy Server 12.5 CR2

As the fix introduces additional checks on the validity of assertions
and other signed XML messages, it is possible, although unlikely, that
an existing partner may send assertions that fail the validity check.
If this happens, we recommend that you have the partner fix the issue.
If this is not possible, and you are willing to accept the risk of
disabling enhanced signature validation, you can do the following:

1. Navigate to the xsw.properties file in one of the following
locations:

*If you see the error message in the smtracedefault.log file, go to
fed_mgr_home/siteminder/config/properties

*If you see the error message in the fwstrace.log, go to
fed_mgr_home/secure-proxy/tomcat/webapps/affwebservices/web-INF/classes

2. Add the following settings to the xsw.properties file, and set each
one to true.

DisableXSWCheck=true

This disables the signature vulnerability checks, and only applies on
the policy server.

DisableUniqueIDCheck=true

This disables the duplicate ID check, and applies to both locations.
This change should be made in both locations.

Workaround

Please note that SAML 1.1 and SAML 2.0 artifact transactions are not
affected, as SSL transport layer security is used to protect the
contents of the assertion.

To reduce exposure when SAML 1.1 and SAML 2.0 POST are used, please
ensure that assertions are both signed and encrypted, *and* the key
used for signing the assertion has not been used to merely sign
anything else that is publicly available (for example metadata). In
that configuration, the assertions should not be vulnerable, as the
encryption hides the signed block, and a potential attacker cannot
get a valid signed XML block to use in the substitution attack. Given
the difficulty in determining whether or not your signatures have
been compromised we strongly recommend upgrading to address the
vulnerability.

References

CVE-2013-2279

"On Breaking SAML: Be Whoever You Want to Be", USENIX Security 2012;
Juraj Somorovsky, Andreas Mayer, Joerg Schwenk, Marco Kampmann,
Meiko Jensen

CA20130319-01: Security Notice for SiteMinder products using SAML
https://support.ca.com/irj/portal/anonymous/phpsbpldgpg

Change History

Version 1.0: Initial Release

If additional information is required, please contact CA Technologies
Support at http://support.ca.com/

If you discover a vulnerability in CA Technologies products, please
report your findings to the CA Technologies Product Vulnerability
Response Team:
https://support.ca.com/irj/portal/anonymous/phpsbpldgpg

Regards,

Kevin Kotas
Director, CA Technologies Product Vulnerability Response Team

Copyright (c) 2013 CA. All Rights Reserved. One CA Plaza, Islandia,
N.Y. 11749. All other trademarks, trade names, service marks, and
logos referenced herein belong to their respective companies.

-----BEGIN PGP SIGNATURE-----
Charset: utf-8

wsBVAwUBUUjib5I1FvIeMomJAQGtYwgAkE1ExBVI4lGkptHGugNY8wwejzlDzHN0
ef7J6F5t06j8eziTMeczaupH22ydFPkMC5iTmXWqafLzX4kmFGzISVIOlrdqFfdK
nkACsZyzl2NogjgIa3fEp0ZpV1T7q+wSpyCnHYCDLr57BFn1a2ZBeQqqBfibye+A
ZlyHGtEJnfS+H8/ZmS5voU/AliFwj3WOkaIvUFk5gK+tbzipkiQhdvoHPTSlIPZB
+0VQpfVAGG2SVKXn4QTPz/zeY3/JX7SjA0Q9hLVuYe0acCPc+6Q8hGIRmfd7czEb
G41+7S+EDdjJy3c5IzUc1FNvUZJ3IDpolH/jc9nyYgmYNzHvDtfv5A==
=N0tz
-----END PGP SIGNATURE-----