
SANS ISC: Ruby CryptoMiner; Meltdown Patch Performance Impact in AWS; Shibboleth 2 SAML Attribute Truncation - Internet Security | DShield



ISC StormCast for Tuesday, January 16th 2018

A daily summary of cyber security news from the SANS Internet Storm Center
Author: Johannes B. Ullrich, Ph.D.
Created: Tuesday, January 16th 2018
Length: 5:49 minutes
Today's Headline: Ruby CryptoMiner; Meltdown Patch Performance Impact in AWS; Shibboleth 2 SAML Attribute Truncation


Show Notes

Systems Infected Via CryptoMiner Written in Ruby
https://research.checkpoint.com/rubyminer-cryptominer-affects-30-ww-networks/

Solarwinds Measures Spectre/Meltdown Patch Performance Impact
https://blog.appoptics.com/visualizing-meltdown-aws/

Seagate Patches Critical CSRF Vulnerability in its Personal Cloud Drives
https://blogs.securiteam.com/index.php/archives/3548

Shibboleth SAML Attribute Truncation
https://www.redteam-pentesting.de/en/advisories/rt-sa-2017-013/-truncation-of-saml-attributes-in-shibboleth-2

Discussion

The Shibboleth vulnerability is quite interesting. In their example, the SAML signature covers the entire and they've made modifications to it (the changes to the uid) that should cause the signature to fail validation. This vulnerability speaks to larger architectural issues with Shibboleth. Obviously the signature validation is happening on a DIFFERENT document (the inline DTD defs are resolved and replaced) than the attribute extraction code works on (the inline DTD variables are not replaced). This is a HUGE no-no and leads to the confused deputy issues that caused the vulnerability. I would bet other SP SAML parsing code is making similar mistakes.
Posted by Anonymous on Tue Jan 16 2018, 16:54
