CAS Vulnerability Disclosure


Overview

This is the public version of an Apereo CAS project vulnerability disclosure, describing an issue in CAS where an adversary may be able to bypass certain administrative endpoints, in spite of CAS access rule in place. The following administrative endpoints are exposed and vulnerable to this attack:

  • /statistics/ping
  • /statistics/threads
  • /statistics/metrics
  • /statistics/healthcheck
  • /statistics/ssosessions and all sub endpoints

Affected Deployments

The attack vector specifically applies to all deployments of CAS v4.2.x deployments. If you have deployed any version of CAS 4.2.x, you MUST take action to upgrade. If you have deployed any other versions of CAS, disregard this announcement.

Severity

This is a serious issue where successfully exercising this vulnerability allows the adversary gain insight into the running CAS software, collect running threads, DOS the server repeatedly via pings and potentially observe the collection of active SSO sessions and meddle with user single sign-on activity.

Patching

Patch releases are available to address CAS v4.2.x deployments. Upgrades to the next patch version for each release should be a drop-in replacement. The patch simply ensures that the exposed endpoints honor the CAS access rules, and otherwise block attempts. When you have applied the patch, please double check all endpoints and ensure access is appropriately controlled.

Timeline

The issue was originally reported to the CAS application security team on September 27, 2016. Upon confirmation, CAS was patched on September 28, 2016 and released. The original release announcement is available here.

Procedure

Modify your CAS overlay to point to version 4.2.6. A snippet of a pom.xml for a CAS overlay follows:

<dependencies>
    <dependency>
        <groupId>org.jasig.cas</groupId>
        <artifactId>cas-server-webapp</artifactId>
        <version>${cas.version}</version>
        <type>war</type>
        <scope>runtime</scope>
    </dependency>
</dependencies>

<properties>
    <cas.version>4.2.6</cas.version>
</properties>

Double check your cas.properties file for the following setting:

# cas.securityContext.adminpages.ip=127\.0\.0\.1

Make sure the correct IP pattern is authorized to access admin pages.

Alternatives

If you are unable to apply the patch, it’s then best to ensure the outlined endpoints are blocked completely via load balancers, proxies, firewalls, etc.

Support

If you have questions on the details this vulnerability and how it might be reproduced, please contact security@apereo.org or cas-appsec-public@apereo.org.

Resources

Related Posts

JWT Of All Things With CAS

A short tutorial on how to let Apereo CAS handle authentication events accompanied by JWTs.

CAS 5.2.0 RC4 Feature Release

...in which I present an overview of CAS 5.2.0 RC4 release.

August 2017 uPortal Slack summary

Summarizing Slack traffic about uPortal in August 2017.

CAS 5.1.x Load Tests by Lafayette College

Lafayette College shares the results of stress tests executed against a recent CAS 5.1.x deployment.

CAS 5.2.0 RC3 Feature Release

...in which I present an overview of CAS 5.2.0 RC3 release.

Do State The Obvious

A short and sweet reminder and explanation of how marketing in tech works.

Stop Writing Code

A legitimate, comprehensive and inescapably detailed account of the spiderweb of deceit in today’s technology scene; The open-source software ecosystem where victims fall prey to the Goldilocks Syndrome of software customizations and home-grown functionality. This guide aims to uncover the deepest darkest secrets of this treacherous path and yet intentionally offers no hopes or viable solutions at all…except one.

CAS 5.1.x User Swap - Cause and Analysis

Travis Schmidt shares an analysis of chasing down a bug in CAS 5.1.x where user identities were swapped.

Summer 2017 uPortal Roadmap Update

Primarily summarizing the Open Apereo 2017 uPortal Roadmap BOF.

Interrupt CAS With Class

An overview of a recent CAS 5.2.x feature that allows one to interrupt the authentication flow with notifications and advertisements, dictating CAS should treat the authenticated session with configuration and compassion.