CAS Vulnerability Disclosure


Overview

This is the public version of an Apereo CAS project vulnerability disclosure describing an issue in CAS where an adversary may be able to bypass certain administrative endpoints, in spite of CAS access rule in place. The following administrative endpoints are exposed and vulnerable to this attack:

  • /configserver/
  • /cas/status/metrics

Affected Deployments

The attack vector specifically applies to all deployments of CAS 5.0.x deployments. If you have deployed any version of CAS 5.0.x, you MUST take action to upgrade. If you have deployed any other versions of CAS, disregard this announcement.

Severity

This is a serious issue where successfully exercising this vulnerability allows the adversary gain insight into the running CAS software, collect stats and metrics and potentially observe the collection of configured CAS settings in configuration files.

Patching

Patch releases are available to address CAS 5.0.x deployments. Upgrades to the next patch version for each release should be a drop-in replacement. The patch simply ensures that the exposed endpoints honor the CAS access rules, and otherwise block attempts. When you have applied the patch, please double check all endpoints and ensure access is appropriately controlled.

Timeline

The issue was originally reported to the CAS application security team on February 20, 2017. Upon confirmation, CAS was patched on February 22, 2017 and released. The original release announcement is available here.

Procedure

Update Version

Modify your CAS overlay to point to version 5.0.3.1. A snippet of a pom.xml for a CAS overlay follows:

<dependencies>
    <dependency>
        <groupId>org.jasig.cas</groupId>
        <artifactId>cas-server-webapp</artifactId>
        <version>${cas.version}</version>
        <type>war</type>
        <scope>runtime</scope>
    </dependency>
</dependencies>

<properties>
    <cas.version>5.0.3.1</cas.version>
</properties>

Double check your cas.properties file for the following setting:

# cas.adminPagesSecurity.ip=the-authorized-ip-pattern

Adjust Overlay

If your CAS build has overlaid the src/main/resources/bootstrap.properties file, make sure the following line is corrected there:

spring.cloud.config.server.prefix=/status/configserver

Alternatives

If you are unable to apply the patch, it’s then best to ensure the outlined endpoints are blocked completely via load balancers, proxies, firewalls, etc.

Support

If you have questions on the details this vulnerability and how it might be reproduced, please contact security@apereo.org or cas-appsec-public@apereo.org.

Resources

Related Posts

CAS 6.0.0 RC1 Feature Release

...in which I present an overview of CAS 6.0.0 RC1 release.

Get Productive with Shell Aliases

A collection of useful shell aliases, gathered over the years to help increase one's productivity and developer happiness.

feat(conventional_commits): signal breaking changes in commit titles

In which I suggest Conventional Commits should be enhanced to reflect the breakingness of commits in their commit message titles.

uPortal annual report, June 2018 edition

Ecoysystem. Releases. Community. Fiscal responsibility.

One Can Only Hope in Buchistan

A true story inspired by real events. Seriously. Bryan Cranston has been approached for the role of "Some".

Apereo CAS - Extending Webflows

Learn and master extending CAS 5 Spring Webflow definitions.

Apereo CAS - Administrative Endpoints & Monitoring

Gain insight into your running Apereo CAS deployment in production. Learn how to monitor and manage the server by using HTTP endpoints and gather metrics to diagnose issues and improve performance.

Apereo CAS - Custom Authentication & Attribute Sources

Master writing custom authentication handlers/schemes in CAS and learn how to design custom data sources that can produce user claims and attributes.

Apereo CAS - User Interface Customizations

A short tutorial on Apereo CAS user interface customizations, including themes, localization and dynamic views for all those who enjoy front-end development and suffer from instant gratification.

CAS Multifactor Authentication with Google Authenticator

A short walkthrough to demonstrate how one might turn on multifactor authentication with CAS using Google Authenticator, leveraging a variety of triggers.