CAS Vulnerability Disclosure


Overview

This is the public version of an Apereo CAS project vulnerability disclosure, describing an issue in CAS where an adversary may be able to bypass the second factor (token) although MFA is requested during the login process.

This issue applies to all MFA providers except the Duo provider (which is therefore NOT vulnerable).

Affected Deployments

The attack vector applies to all deployments of the CAS server for the versions:

  • 5.3.0, 5.3.1 and 5.3.2
  • lower or equal to 5.2.6.

If you have deployed the version 5.3.0, 5.3.1 or 5.3.2, you MUST upgrade to the version 5.3.3.

If you have deployed a version lower or equal to version 5.2.6, you MUST upgrade to the version 5.2.7.

Severity

This is a serious issue where successfully exercising this vulnerability allows the adversary to bypass the second factor (token) required by the MFA policy. This makes any MFA configuration to re-inforce security completely useless.

Patching

Patch releases are available to address CAS vulnerable deployments. Upgrades to the next patch version for each release should be a drop-in replacement. The patch simply ensures that the MFA factor (token) is effectively required when MFA is requested.

Timeline

The issue was originally reported to the CAS application security team on August, 2018 and upon confirmation, CAS was patched.

Procedure

Modify your CAS overlay to point to the version 5.2.7 or 5.3.3. A snippet of a pom.xml for a CAS overlay follows:

<dependencies>
    <dependency>
        <groupId>org.apereo.cas</groupId>
        <artifactId>cas-server-webapp</artifactId>
        <version>${cas.version}</version>
        <type>war</type>
        <scope>runtime</scope>
    </dependency>
</dependencies>

<properties>
    <cas.version>5.3.3</cas.version>
</properties>

Support

If you have questions on the details of this vulnerability and how it might be reproduced, please contact security@apereo.org or cas-appsec-public@apereo.org.

Resources

Jérôme LELEU

Related Posts

CAS 6.1.0 RC4 Feature Release

...in which I present an overview of CAS 6.1.0 RC4 release.

Apereo CAS - Multifactor Provider Selection

Learn how to configure CAS to integrate with and use multiple multifactor providers at the same time. This post also reveals a few super secret and yet open-source strategies one may use to select appropriate providers for authentication attempts, whether automatically or based on a menu.

Apereo CAS - Dockerized Hazelcast Deployments

Learn how to run CAS backed by a Hazelcast cluster in Docker containers and take advantage of the Hazelcast management center to monitor and observer cluster members.

Apereo CAS - Configuration Security w/ Jasypt

Learn how to secure CAS configuration settings and properties with Jasypt.

CAS 6.1.0 RC3 Feature Release

...in which I present an overview of CAS 6.1.0 RC3 release.

Apereo CAS - Webflow Decorations

Learn how you may decorate the Apereo CAS login webflow to inject data pieces and objects into the processing engine for display purposes, peace on earth and prosperity of all mankind, etc. Mainly, etc.

Apereo CAS - SAML2 Metadata Query Protocol

Learn how you may configure Apereo CAS to fetch and validate SAML2 metadata for service providers from InCommon's MDQ server using the metadata query protocol.

Saving Time is Time Consuming

May you live in the best of times. May you live in the startup times.

Apereo CAS 6.1.x - Credential Caching & Proxy AuthN

Learn how you may configure Apereo CAS to capture and cache the credential's password and the proxy-granting ticket in proxy authentication scenarios, pass them along to applications as regular attributes/claims. We will also be reviewing a handful of attribute release strategies that specifically affect authentication attributes, conveying metadata about the authentication event itself.

Apereo CAS 6.1.x - Attribute Repositories w/ Person Directory

An overview of CAS attribute repositories and strategies on how to fetch attributes from a variety of sources in addition to the authentication source, merge and combine attributes from said sources to ultimately release them to applications with a fair bit of caching.