IA finds and fixes Shibboleth vulnerability

Ross Geerlings, data security analyst. (Brandon Bailey)

Imagine not being able to log in to U-M Gmail and Calendar, Box at U-M, Canvas, and more. That could have happened if an attacker had exploited a previously unknown Shibboleth vulnerability. Within minutes, an attacker could have broadly disrupted logins at U-M and at other institutions across higher education that run the same software. Thankfully, that didn't happen.

During a routine penetration test for a U-M unit, Ross Geerlings, a data security analyst in Information Assurance (IA), noticed that the Shibboleth Service Provider (SP) software on the server he was testing had stopped responding. (The SP is the component installed alongside a web application that lets the application's users log in through the U-M Weblogin page.) Further testing confirmed that his test traffic was crashing the SP, a denial-of-service vulnerability: anyone who could send the same kind of input could take that service's logins offline.

Geerlings then built the Shibboleth SP from source on an ITS server and debugged the crash. He isolated the exact defect in the SP source code and worked out how to fix it, and reported both to the Shibboleth Consortium, together with a proof-of-concept Python script that crashed any vulnerable Shibboleth SP.

IA immediately notified the U-M community (IA Alert: Update Shibboleth SP software for critical vulnerability, 3/11/19), and the Shibboleth Consortium released a patch for the vulnerability within a few days.
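For an SP administrator acting on an alert like this one, the two questions are whether the SP daemon is still alive and whether the installed version is at or above the patched release. The script below is an added example written for this article, not code from U-M IA or the Shibboleth Consortium. It assumes the SP's Status handler is served at /Shibboleth.sso/Status (the default path, normally restricted by ACL to localhost) and returns XML with a Version element whose attributes carry the library versions and a Status element containing OK on success; both sample responses are constructed, and the minimum version numbers are placeholders to be replaced with the versions named in the vendor advisory.

```python
"""Check a Shibboleth SP Status handler for liveness and patch level.

Added example; not U-M IA's or the Shibboleth Consortium's code. The XML shape
below is assumed from the SP Status handler; the minimum versions are placeholders.
"""
import sys
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

# Default handler path; the SP's ACL usually limits it to localhost (assumption).
STATUS_URL = "http://localhost/Shibboleth.sso/Status"

# Minimum versions the operator copies from the vendor advisory.
# PLACEHOLDER values, not the real advisory numbers.
MINIMUM_VERSIONS = {"Shibboleth": "3.0.4", "XMLTooling-C": "3.0.4"}

# Constructed samples (shape assumed; not captured from a real server).
HEALTHY = """<StatusHandler time="2019-03-12T15:00:00Z">
  <Version Xerces-C="3.2.2" XML-Security-C="2.0.2" XMLTooling-C="3.0.4" OpenSAML-C="3.0.1" Shibboleth="3.0.4"/>
  <Status><OK/></Status>
</StatusHandler>"""

UNPATCHED = """<StatusHandler time="2019-03-12T15:00:00Z">
  <Version Xerces-C="3.2.2" XML-Security-C="2.0.2" XMLTooling-C="3.0.2" OpenSAML-C="3.0.0" Shibboleth="3.0.2"/>
  <Status><OK/></Status>
</StatusHandler>"""


def parse_version(text):
    """'3.0.4' -> (3, 0, 4); a non-numeric suffix such as '-dev' is ignored."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def parse_status(xml_text):
    """Extract the reported library versions and whether Status contains OK."""
    root = ET.fromstring(xml_text)
    version_el = root.find("Version")
    versions = dict(version_el.attrib) if version_el is not None else {}
    status_el = root.find("Status")
    ok = status_el is not None and status_el.find("OK") is not None
    return {"ok": ok, "versions": versions}


def assess(xml_text, minimums=MINIMUM_VERSIONS):
    """Return findings; an empty list means the SP answered, reports OK, and meets the minimums."""
    if xml_text is None:
        return ["status handler did not answer: shibd may have crashed or the ACL blocked the request"]
    try:
        info = parse_status(xml_text)
    except ET.ParseError as exc:
        return [f"status handler returned non-XML ({exc}); treat as unhealthy"]
    findings = []
    if not info["ok"]:
        findings.append("status handler reports an error rather than OK")
    for lib, minimum in minimums.items():
        have = info["versions"].get(lib)
        if have is None:
            findings.append(f"{lib}: version not reported")
        elif parse_version(have) < parse_version(minimum):
            findings.append(f"{lib} {have} is below minimum {minimum}: apply the vendor update")
    return findings


def fetch_status(url=STATUS_URL, timeout=5):
    """Fetch the live handler; None on any connection or HTTP error so assess() flags it."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("utf-8", errors="replace")
    except (urllib.error.URLError, OSError, ValueError):
        return None


if __name__ == "__main__":
    # Usage: python sp_status_check.py [status-url]; without a URL the default handler path is used.
    text = fetch_status(sys.argv[1] if len(sys.argv) > 1 else STATUS_URL)
    for line in assess(text) or ["OK: SP responding and at or above minimum versions"]:
        print(line)
```

A non-answering handler is reported as a finding rather than silently skipped, because a crashed shibd is exactly the symptom that started this investigation; run the check from the SP host itself so the handler's localhost ACL does not mask a healthy daemon as unreachable.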

Contact the ITS Service Center to request a penetration test. An IA staff member will meet with you to determine the test parameters and scope, as well as other details. Testing targets might include websites, applications, infrastructure components, hosting environments, and more.