CVE-2022-39369

Publication date 1 November 2022

Last updated 31 July 2024


Ubuntu priority

Cvss 3 Severity Score

8.0 · High

Score breakdown

phpCAS is an authentication library that allows PHP applications to easily authenticate users via a Central Authentication Service (CAS) server. The phpCAS library uses HTTP headers to determine the service URL used to validate tickets. This allows an attacker to control the host header and use a valid ticket granted for any authorized service in the same SSO realm (CAS server) to authenticate to the service protected by phpCAS. Depending on the settings of the CAS server service registry in worst case this may be any other service URL (if the allowed URLs are configured to "^(https)://.*") or may be strictly limited to known and authorized services in the same SSO federation if proper URL service validation is applied. This vulnerability may allow an attacker to gain access to a victim's account on a vulnerable CASified service without victim's knowledge, when the victim visits attacker's website while being logged in to the same CAS server. phpCAS 1.6.0 is a major version upgrade that starts enforcing service URL discovery validation, because there is unfortunately no 100% safe default config to use in PHP. Starting this version, it is required to pass in an additional service base URL argument when constructing the client class. For more information, please refer to the upgrading doc. This vulnerability only impacts the CAS client that the phpCAS library protects against. The problematic service URL discovery behavior in phpCAS < 1.6.0 will only be disabled, and thus you are not impacted from it, if the phpCAS configuration has the following setup: 1. `phpCAS::setUrl()` is called (a reminder that you have to pass in the full URL of the current page, rather than your service base URL), and 2. `phpCAS::setCallbackURL()` is called, only when the proxy mode is enabled. 3. If your PHP's HTTP header input `X-Forwarded-Host`, `X-Forwarded-Server`, `Host`, `X-Forwarded-Proto`, `X-Forwarded-Protocol` is sanitized before reaching PHP (by a reverse proxy, for example), you will not be impacted by this vulnerability either. If your CAS server service registry is configured to only allow known and trusted service URLs the severity of the vulnerability is reduced substantially in its severity since an attacker must be in control of another authorized service. Otherwise, you should upgrade the library to get the safe service discovery behavior.

Read the notes from the security team

Status

Package Ubuntu Release Status
moodle 24.04 LTS noble Not in release
22.04 LTS jammy Not in release
20.04 LTS focal Not in release
18.04 LTS bionic Ignored see notes
16.04 LTS xenial Ignored see notes
ocsinventory-server 24.04 LTS noble
Not affected
22.04 LTS jammy
Fixed 2.8.1+dfsg1-1ubuntu0.1
20.04 LTS focal
Not affected
18.04 LTS bionic
Not affected
16.04 LTS xenial Ignored see notes
php-cas 24.04 LTS noble
Not affected
23.10 mantic
Not affected
23.04 lunar
Not affected
22.10 kinetic Ignored end of life, was needed
22.04 LTS jammy
Fixed 1.3.8-1ubuntu0.22.04.1
20.04 LTS focal
Fixed 1.3.8-1ubuntu0.20.04.1
18.04 LTS bionic Ignored see notes
16.04 LTS xenial
14.04 LTS trusty Ignored end of standard support

Get expanded security coverage with Ubuntu Pro

Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.

Get Ubuntu Pro

Notes


federicoquattrin

The upstream update is not backward compatible. Some packages, including fusiondirectory for bionic, will need manual intervention during the upgrade, leaving users unable to log in until that happens. Moodle is experiencing PHP compatibility issues in bionic and is not working in xenial. OCS Inventory for Xenial is not compatible with PHP7, the version distributed in Xenial. Therefore we are not going to fix them.

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package Patch details
moodle
php-cas

Severity score breakdown

Parameter Value
Base score 8.0 · High
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Scope Unchanged
Confidentiality High
Integrity impact High
Availability impact High
Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

References

Related Ubuntu Security Notices (USN)

Other references