CAS Vulnerability Disclosure


Overview

This is the public version of an Apereo CAS project vulnerability disclosure, describing an issue in CAS where an adversary may be able to bypass the second factor (token) although MFA is requested during the login process.

This issue applies to all MFA providers except the Duo provider (which is therefore NOT vulnerable).

Affected Deployments

The attack vector applies to all deployments of the CAS server for the versions:

  • 5.3.0, 5.3.1 and 5.3.2
  • lower or equal to 5.2.6.

If you have deployed the version 5.3.0, 5.3.1 or 5.3.2, you MUST upgrade to the version 5.3.3.

If you have deployed a version lower or equal to version 5.2.6, you MUST upgrade to the version 5.2.7.

Severity

This is a serious issue where successfully exercising this vulnerability allows the adversary to bypass the second factor (token) required by the MFA policy. This makes any MFA configuration to re-inforce security completely useless.

Patching

Patch releases are available to address CAS vulnerable deployments. Upgrades to the next patch version for each release should be a drop-in replacement. The patch simply ensures that the MFA factor (token) is effectively required when MFA is requested.

Timeline

The issue was originally reported to the CAS application security team on August, 2018 and upon confirmation, CAS was patched.

Procedure

Modify your CAS overlay to point to the version 5.2.7 or 5.3.3. A snippet of a pom.xml for a CAS overlay follows:

<dependencies>
    <dependency>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-webapp</artifactId>
        <version>${cas.version}</version>
        <type>war</type>
        <scope>runtime</scope>
    </dependency>
</dependencies>

<properties>
    <cas.version>5.3.3</cas.version>
</properties>

Support

If you have questions on the details of this vulnerability and how it might be reproduced, please contact security@apereo.org or cas-appsec-public@apereo.org.

Resources

Jérôme LELEU

Related Posts

CAS 6.1.0 RC2 Feature Release

...in which I present an overview of CAS 6.1.0 RC2 release.

Apereo CAS as an OAuth2 Authorization Server

Learn how to configure CAS as an OAuth2 Authorization Server and configure Spring Boot client app to work with it

Apereo CAS - SAML2 Identity Provider Integration w/ Gitlab (also staring HAProxy and LDAP)

Learn how Apereo CAS may act as a SAML2 identity provider for Gitlab and run everything locally on a workstation with Docker and Java.

Apereo CAS - Keeping Healthy with Spring Boot

Learn how you may keep your Apereo CAS deployment healthy, monitoring its status using Spring Boot actuator endpoints and health indicators.

CAS 6.1.0 RC1 Feature Release

...in which I present an overview of CAS 6.1.0 RC1 release.

Apereo CAS - SAML2 Identity Provider Integration w/ InCommon

Learn how Apereo CAS may act as a SAML2 identity provider to integrate with service providers from metadata aggregates such as InCommon with various attribute release policies for research and scholarship, etc.

CAS 6.1.x Deployment - WAR Overlays

Learn how to configure and build your own CAS deployment via the WAR overlay method, get rich quickly, stay healthy indefinitely and respect family and friends in a few very easy steps.

Apereo CAS - Have you been pawned?

Learn how Apereo CAS may be configured to check for pawned passwords and warn the user, using the haveibeenpawned.com service

Apereo CAS - OohLala Mobile SAML2 Integration

Learn how to integrate OohLala Mobile with Apereo CAS running as a SAML2 identity provider.

Apereo CAS - Cranium Cafe SAML2 Integration

Learn how to integrate Cranium Cafe with Apereo CAS running as a SAML2 identity provider.