The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of CAS Server

computer vulnerability note 20739

Jasig CAS Server: privilege escalation via statistics

Synthesis of the vulnerability

An attacker can use statistics pages of Jasig CAS Server, in order to escalate his privileges.
Impacted products: CAS Server.
Severity: 3/4.
Consequences: administrator access/rights, privileged access/rights, user access/rights, data reading.
Provenance: intranet client.
Creation date: 30/09/2016.
Revision date: 25/10/2016.
Identifiers: VIGILANCE-VUL-20739.

Description of the vulnerability

The Jasig CAS Server product offers a web service.

However, the following pages are reachable without authentication:
 - /statistics/ping
 - /statistics/threads
 - /statistics/metrics
 - /statistics/healthcheck
 - /statistics/ssosessions

An attacker can therefore use statistics pages of Jasig CAS Server, in order to escalate his privileges.
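The following audit helper is an added example, not code from the bulletin or from the CAS project: it sends an unauthenticated GET to each statistics path listed above and reports which ones answer with a 2xx status. The base URL https://cas.example.org/cas is an assumed placeholder for the deployment being checked.

```java
import java.net.HttpURLConnection;
import java.net.URI;
import java.util.List;

/** Reports which CAS statistics pages answer an unauthenticated request. */
public class CasStatisticsAudit {
    // Paths from the bulletin, relative to the CAS context root.
    static final List<String> PATHS = List.of(
        "/statistics/ping", "/statistics/threads", "/statistics/metrics",
        "/statistics/healthcheck", "/statistics/ssosessions");

    /** Returns the HTTP status of an unauthenticated GET, or -1 if the connection fails. */
    static int probe(String base, String path) {
        try {
            HttpURLConnection c = (HttpURLConnection) URI.create(base + path).toURL().openConnection();
            c.setRequestMethod("GET");
            c.setInstanceFollowRedirects(false); // a 302 to the login page counts as protected
            c.setConnectTimeout(5000);
            c.setReadTimeout(5000);
            return c.getResponseCode();
        } catch (Exception e) {
            return -1;
        }
    }

    public static void main(String[] args) {
        // Assumed placeholder; pass the real CAS base URL as the first argument.
        String base = args.length > 0 ? args[0] : "https://cas.example.org/cas";
        boolean exposed = false;
        for (String p : PATHS) {
            int status = probe(base, p);
            // 2xx without credentials means the page is public; 401, 403 or 302 means it is guarded.
            boolean open = status >= 200 && status < 300;
            exposed |= open;
            System.out.printf("%-26s %4d %s%n", p, status, open ? "EXPOSED" : "protected/unreachable");
        }
        System.out.println(exposed ? "Restrict /statistics/** to administrators."
                                   : "No statistics page answered without authentication.");
    }
}
```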

vulnerability note CVE-2015-4852 CVE-2015-6420 CVE-2015-6934

Apache Commons Collections: code execution via InvokerTransformer

Synthesis of the vulnerability

An attacker can send a malicious serialized gadget chain object to a Java application that uses Apache Commons Collections, in order to run shell commands.
Impacted products: CAS Server, Blue Coat CAS, SGOS by Blue Coat, Brocade Network Advisor, Brocade vTM, ASA, AsyncOS, Cisco ESA, Cisco Prime Access Registrar, Prime Infrastructure, Cisco Prime LMS, Cisco PRSM, Secure ACS, Cisco CUCM, Cisco Unified CCX, Cisco MeetingPlace, Cisco Unity ~ precise, Debian, BIG-IP Hardware, TMOS, HPE BSM, HPE NNMi, HP Operations, DB2 UDB, Domino, Notes, IRAD, QRadar SIEM, SPSS Modeler, Tivoli Storage Manager, Tivoli Workload Scheduler, WebSphere AS Traditional, JBoss AS OpenSource, Junos Space, ePO, Mule ESB, Snap Creator Framework, SnapManager, Oracle Communications, Oracle Directory Server, Oracle Directory Services Plus, Oracle Fusion Middleware, Oracle GlassFish Server, Oracle Identity Management, Oracle iPlanet Web Proxy Server, Oracle iPlanet Web Server, Oracle OIT, Solaris, Tuxedo, Oracle Virtual Directory, WebLogic, Oracle Web Tier, RHEL, JBoss EAP by Red Hat, SAS Add-in for Microsoft Office, SAS Analytics Pro, Base SAS Software, SAS Enterprise BI Server, SAS Enterprise Guide, SAS Management Console, SAS OLAP Server, SAS SAS/ACCESS, SAS SAS/AF, SAS SAS/CONNECT, SAS SAS/EIS, SAS SAS/ETS, SAS SAS/FSP, SAS SAS/GRAPH, SAS SAS/IML, SAS SAS/OR, SAS SAS/STAT, SAS SAS/Web Report Studio, Unix (platform) ~ not comprehensive, vCenter Server.
Severity: 3/4.
Consequences: user access/rights.
Provenance: document.
Number of vulnerabilities in this bulletin: 12.
Creation date: 12/11/2015.
Identifiers: 1610582, 1970575, 1971370, 1971531, 1971533, 1971751, 1972261, 1972373, 1972565, 1972794, 1972839, 2011281, 7014463, 7022958, 9010052, BSA-2016-004, bulletinjul2016, c04953244, c05050545, c05206507, c05325823, c05327447, CERTFR-2015-AVI-484, CERTFR-2015-AVI-555, cisco-sa-20151209-java-deserialization, COLLECTIONS-580, cpuapr2017, cpuapr2018, cpujan2017, cpujan2018, cpujul2017, cpuoct2016, cpuoct2017, cpuoct2018, CVE-2015-4852, CVE-2015-6420, CVE-2015-6934, CVE-2015-7420-ERROR, CVE-2015-7450, CVE-2015-7501, CVE-2015-8545, CVE-2015-8765, CVE-2016-1985, CVE-2016-1997, CVE-2016-4373, CVE-2016-4398, DSA-3403-1, HPSBGN03542, HPSBGN03560, HPSBGN03630, HPSBGN03656, HPSBGN03670, JSA10838, NTAP-20151123-0001, RHSA-2015:2500-01, RHSA-2015:2501-01, RHSA-2015:2502-01, RHSA-2015:2516-01, RHSA-2015:2517-01, RHSA-2015:2521-01, RHSA-2015:2522-01, RHSA-2015:2523-01, RHSA-2015:2524-01, RHSA-2015:2534-01, RHSA-2015:2535-01, RHSA-2015:2536-01, RHSA-2015:2537-01, RHSA-2015:2538-01, RHSA-2015:2539-01, RHSA-2015:2540-01, RHSA-2015:2541-01, RHSA-2015:2542-01, RHSA-2015:2547-01, RHSA-2015:2548-01, RHSA-2015:2556-01, RHSA-2015:2557-01, RHSA-2015:2559-01, RHSA-2015:2560-01, RHSA-2015:2578-01, RHSA-2015:2579-01, RHSA-2015:2670-01, RHSA-2015:2671-01, RHSA-2016:0040-01, RHSA-2016:0118-01, SA110, SB10144, SOL30518307, VIGILANCE-VUL-18294, VMSA-2015-0009, VMSA-2015-0009.1, VMSA-2015-0009.2, VMSA-2015-0009.3, VMSA-2015-0009.4, VU#576313.

Description of the vulnerability

The Apache Commons Collections library is used by several Java applications.

A serialized "gadget chain" object can contain Transformer instances configured with the "exec" method name and a string holding a shell command, which is run through the java.lang.Runtime.exec() method. When raw data is deserialized, the readObject() method is called to rebuild the object; it invokes the InvokerTransformer, which runs the indicated shell command.

It can be noted that other classes (CloneTransformer, ForClosure, InstantiateFactory, InstantiateTransformer, PrototypeCloneFactory, PrototypeSerializationFactory, WhileClosure) can also execute a shell command while raw data is being deserialized.

However, several applications deserialize Java objects received from clients before any authentication takes place.

An attacker can therefore send a malicious serialized gadget chain object to a Java application that uses Apache Commons Collections, in order to run shell commands.
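The following is an added example, not code from the bulletin or from any affected product: it places the vulnerable pattern (an unfiltered ObjectInputStream.readObject() on client data) beside a hardened version that uses the Java 9+ java.io.ObjectInputFilter to allow-list the one class the service expects, reject every other class (so Commons Collections functors such as InvokerTransformer are never instantiated), and bound the object graph. SessionTicket is an assumed example DTO, and the HashMap stands in for an unexpected payload.

```java
import java.io.*;
import java.util.HashMap;

public class SafeDeserialization {
    /** The only type this service expects from clients (assumed example DTO). */
    public static final class SessionTicket implements Serializable {
        private static final long serialVersionUID = 1L;
        final String id;
        SessionTicket(String id) { this.id = id; }
    }

    /** Vulnerable pattern: every class named in the stream, including Commons Collections
     *  functors such as InvokerTransformer, is reconstructed before any cast is checked. */
    static Object readUnfiltered(byte[] raw) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            return in.readObject();
        }
    }

    /** Hardened pattern (java.io.ObjectInputFilter, Java 9+): allow-list the expected class,
     *  reject every other class with "!*", and bound the graph depth and stream size. */
    static Object readFiltered(byte[] raw) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
            "SafeDeserialization$SessionTicket;java.lang.String;!*;maxdepth=4;maxbytes=4096");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            in.setObjectInputFilter(filter);
            return in.readObject(); // InvalidClassException ("filter status: REJECTED") otherwise
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new SessionTicket("ST-1"));      // constructed, legitimate input
        byte[] unexpected = serialize(new HashMap<String, String>()); // constructed stand-in for a gadget chain
        System.out.println(readUnfiltered(unexpected).getClass().getName()); // java.util.HashMap: accepted blindly
        System.out.println(readFiltered(expected).getClass().getSimpleName()); // SessionTicket
        try {
            readFiltered(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

On Java 8 the same allow-list can be applied through the JEP 290 backport (8u121+) via the jdk.serialFilter system property instead of the in-code API.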

vulnerability note 17944

Jasig CAS Server: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of Jasig CAS Server, in order to run JavaScript code in the context of the web site.
Impacted products: CAS Server.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 21/09/2015.
Identifiers: VIGILANCE-VUL-17944.

Description of the vulnerability

The Jasig CAS Server product offers a web service.

However, it does not sanitize received data before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting of Jasig CAS Server, in order to run JavaScript code in the context of the web site.

vulnerability CVE-2015-1169

Jasig CAS Server: bypassing LDAP authentication via Wildcard

Synthesis of the vulnerability

An attacker can use the wildcard character on Jasig CAS Server, in order to ease a brute force attack on the LDAP directory.
Impacted products: CAS Server.
Severity: 2/4.
Consequences: user access/rights.
Provenance: intranet client.
Creation date: 21/01/2015.
Identifiers: CVE-2015-1169, VIGILANCE-VUL-16020.

Description of the vulnerability

The Jasig CAS Server product uses an LDAP directory to store users' logins and passwords.

However, if the user "laurent" exists, an attacker only has to enter "la*" together with that user's valid password to authenticate to the account.

An attacker can therefore use the wildcard character on Jasig CAS Server, in order to ease a brute force attack on the LDAP directory.
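The following is an added example, not code from the bulletin or from the CAS project. It assumes the login is substituted into an LDAP search filter of the form (uid=...), and shows that filter built verbatim (so "la*" becomes a substring match) beside the same filter built with RFC 4515 escaping, which turns the wildcard into the literal sequence \2a.

```java
/** Builds an LDAP search filter for a login lookup, with and without RFC 4515 escaping. */
public class LdapFilterEscaping {

    /** Escapes a value for use inside an LDAP filter assertion (RFC 4515, section 3).
     *  Non-ASCII characters are left unchanged here. */
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\\': sb.append("\\5c"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Vulnerable: the login is interpolated verbatim, so "la*" matches "laurent" (assumed filter shape). */
    static String unsafeFilter(String login) {
        return "(uid=" + login + ")";
    }

    /** Fixed: the wildcard becomes the literal character \2a and only an exact uid can match. */
    static String safeFilter(String login) {
        return "(uid=" + escapeFilterValue(login) + ")";
    }

    public static void main(String[] args) {
        String login = "la*"; // constructed input containing the wildcard
        System.out.println(unsafeFilter(login)); // (uid=la*)   -> substring match in the directory
        System.out.println(safeFilter(login));   // (uid=la\2a) -> no such user, authentication fails
    }
}
```

Rejecting logins that contain filter metacharacters before the lookup is a useful second line of defence, but escaping is what makes the filter itself correct.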

vulnerability note 14512

Jasig CAS Server: bypassing authentication via Google Accounts Integration

Synthesis of the vulnerability

An attacker can transmit malicious XML data to Jasig CAS Server with Google Accounts Integration, in order to bypass the authentication.
Impacted products: CAS Server.
Severity: 4/4.
Consequences: privileged access/rights, user access/rights.
Provenance: document.
Creation date: 02/04/2014.
Identifiers: VIGILANCE-VUL-14512.

Description of the vulnerability

The SAML (Security Assertion Markup Language) standard uses XML data to manage the authentication. The Jasig CAS Server product supports SAML 2.0/Google Accounts Integration.

An XML document can contain a DOCTYPE declaration. However, the java/org/jasig/cas/util/SamlUtils.java file of Jasig CAS Server does not forbid such declarations by enabling the "http://apache.org/xml/features/disallow-doctype-decl" parser feature.

Technical details about the attack procedure are unknown.

An attacker can therefore transmit malicious XML data to Jasig CAS Server with Google Accounts Integration, in order to bypass the authentication.