CAS Vulnerability Disclosure


Overview

This is the initial version of an Apereo CAS project vulnerability disclosure, describing an issue in CAS that affects multifactor authentication using the mfa-simple mode. All other multifactor authentication integrations are unaffected by this vulnerability.

When CAS is configured to act as a multifactor authentication provider in mfa-simple mode, the validation process that accepts a token from the user is not enforcing token ownership. As a result, any valid token that may not have been issued to the user could be used as he multifactor authentication token to successfully complete the authentication transaction.

Credits

Special thanks to Pavlos Drandakis, member of the GUnet Identity Team for originally reporting the issue to the CAS application security group as well as preparing and contributing an immediate fix.

Affected Deployments

The attack vector applies to deployments of the CAS server for the following versions:

- 6.0.x
- 6.1.x

Severity

To fully exercise a breach, an attacker must have already obtained a valid multifactor authentication token issued by CAS. The attacker would then need to somehow hijack the user’s in-progress authentication attempt, or have access to their credentials already to login, and supply their own token instead of one issued to and shared with the active user.

The severity of this issue is considered medium for CAS. It is recommended that upgrades be carried out to removes any chances of security breaches.

Patching

Patch releases are available to address CAS deployments. Upgrades to the next patch version for each release should be a drop-in replacement.

Timeline

The issue was originally reported to the CAS application security team on November 21st, 2019 and upon confirmation, CAS was patched on November 22nd.

Procedure

6.0.x

Modify your CAS overlay to point to the version 6.0.7. A snippet of a gradle.properties for a CAS overlay follows:

cas.version=6.0.7

6.1.x

Modify your CAS overlay to point to the version 6.1.2. A snippet of a gradle.properties for a CAS overlay follows:

cas.version=6.1.2

6.2.x

Modify your CAS overlay to point to the version 6.2.0-RC1, when released. A snippet of a gradle.properties for a CAS overlay follows:

cas.version=6.2.0-RC2

Support

CAS is Apache v2 open source software under the sponsorship of the Apereo Foundation, supported by community volunteers and enthusiasts. Support options may be found here.

Resources

On behalf of the CAS Application Security working group,

Misagh Moayyed

Related Posts

CAS OAuth/OpenID Connect Vulnerability Disclosure

Disclosure of a security issue with the Apereo CAS software acting as an OAuth/OpenID Connect provider.

CAS OAuth/OpenID Connect Vulnerability Disclosure

Disclosure of a security issue with the Apereo CAS software acting as an OAuth/OpenID Connect provider.

Apereo CAS is now on Develocity

An overview of how Apereo CAS is using Gradle and Develocity to improve its build and test execution cycle.

CAS OAuth/OpenID Connect Vulnerability Disclosure

Disclosure of a security issue with the Apereo CAS software acting as an OAuth/OpenID Connect provider.

CAS Groovy Vulnerability Disclosure

Disclosure of a security issue with the Apereo CAS software when using Groovy.

CAS OpenID Connect Vulnerability Disclosure

Disclosure of a security issue with the Apereo CAS software acting as an OpenID Connect Provider.

CAS X.509 Vulnerability Disclosure

Disclosure of a security issue with the CAS software and its X.509 features.

CAS OpenID Connect Vulnerability Disclosure

Disclosure of a security issue with the CAS software acting as an OpenID Connect Provider.

CAS OpenID Connect Vulnerability Disclosure

Disclosure of a security issue with the CAS software acting as an OpenID Connect Provider.

CAS OpenID Connect Vulnerability Disclosure

Disclosure of a security issue with the CAS software acting as an OpenID Connect Provider.