[Bug 746101] [NEW] SOAP interfaces are vulnerable to XML Signature Element Wrapping attacks

Thu, 26 May 2011 06:59:49 -0700 

*** This bug is a security vulnerability ***

You have been subscribed to a public security bug by Jamie Strandboge 
(jdstrand):

WS-Security policy implemented in CLC requires both a <Timestamp> and
the <Body> element to be signed. However, because the logic for verifying
signatures for these elements is decoupled from the application logic
that uses them, it's possible to put these elements in different
locations in a SOAP request in a way that the original signatures are
still valid, but the elements that are used by the application logic
are different. As a result, an attacker, who is in possession of a
valid SOAP request to CLC, can send (and execute with the privileges
of the original user) arbitrary commands to CLC.

WS-Security policy implemented in CC/NC does not require a
<Timestamp> element and does require for the <Body> to be signed. The
only elements that are signed are the WS-Addreessing headers, namely
<To>, <Action> and <MessageID>. Because the logic for verifying the
signatures for these elements is decoupled from the logic that uses
them, wrapping attacks are also possible against these fields. As a
result, an attacker, who is in possession of a valid SOAP request to
CC or NC, can send to and execute arbitrary (supported) commands on
these components.

** Affects: eucalyptus
     Importance: Undecided
     Assignee: Neil Soman (neilsoman)
         Status: New

** Affects: eucalyptus (Ubuntu)
     Importance: Undecided
         Status: In Progress

** Affects: eucalyptus (Ubuntu Lucid)
     Importance: Undecided
         Status: In Progress

** Affects: eucalyptus (Ubuntu Maverick)
     Importance: Undecided
         Status: In Progress

** Affects: eucalyptus (Ubuntu Natty)
     Importance: Undecided
         Status: In Progress

** Affects: eucalyptus (Ubuntu Oneiric)
     Importance: Undecided
         Status: In Progress

-- 
SOAP interfaces are vulnerable to XML Signature Element Wrapping attacks
https://bugs.launchpad.net/bugs/746101
You received this bug notification because you are a member of Ubuntu Bugs, 
which is a direct subscriber.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Reply via email to