
inc-ops-notifications - [InCommon NOTICE] Delegated administration security fix in place
[InCommon NOTICE] Delegated administration security fix in place

  • From: Nick Roy <>
  • Subject: [InCommon NOTICE] Delegated administration security fix in place
  • Date: Wed, 2 Aug 2017 13:05:38 -0600

Hello,

On Wednesday, August 2, a delegated SP metadata administrator in the
InCommon Federation Manager reported the ability to access their
delegated SP metadata without supplying a password, and bypassing
federated authentication. This would potentially allow an attacker who
knew the federated user ID of a delegated administrator to try to modify
SP metadata to which that delegated administrator had been granted
access by their InCommon Site Administrator. Actual modification of
such metadata would have to be approved by both the Site Administrator
and InCommon staff, so there are two checks in place to prevent this
unauthorized tampering.

InCommon operations staff immediately patched the Federation Manager
database to prevent further such action, and the InCommon Federation
Manager development team has built a permanent fix and regression tests
in the application. This permanent fix was immediately deployed to
production. We will be writing up a full incident report on the issue
in the coming weeks, and sharing that with InCommon participants.

In the meantime, please address any questions you may have to me, at
.

Thank you,

Nick Roy
Director of Technology and Strategy, InCommon
