CVE-2013-6440 in OpenSAML

Summary

by MITRE

The (1) BasicParserPool, (2) StaticBasicParserPool, (3) XML Decrypter, and (4) SAML Decrypter in Shibboleth OpenSAML-Java before 2.6.1 set the expandEntityReferences property to true, which allows remote attackers to conduct XML external entity (XXE) attacks via a crafted XML DOCTYPE declaration.

Analysis

by VulDB Data Team • 03/07/2019

The vulnerability identified as CVE-2013-6440 affects Shibboleth OpenSAML-Java versions prior to 2.6.1 and impacts four components: BasicParserPool, StaticBasicParserPool, XML Decrypter, and SAML Decrypter. It enables remote attackers to exploit XML external entity processing through crafted XML documents containing malicious DOCTYPE declarations. The flaw stems from the expandEntityReferences property being set to true, which lets an attacker-supplied document manipulate XML parsing behavior and potentially trigger unauthorized actions.

Technically, the weakness lies in the XML parsing configuration of the OpenSAML-Java library, where the expandEntityReferences property is true by default. With this setting the XML parser resolves external entities and processes external references contained in XML documents. When an attacker submits an XML document whose DOCTYPE declaration defines external entity references, the parser attempts to resolve them, potentially leading to information disclosure, denial of service, or even remote code execution depending on the target system's configuration. The vulnerability is classified under CWE-611 (improper restriction of XML external entity references) and is a classic XXE attack vector that has been documented extensively in security literature.

The operational impact of this vulnerability extends across organizations relying on Shibboleth identity federation services, particularly those implementing SAML-based authentication systems. Attackers could exploit this weakness to gain unauthorized access to internal systems, extract sensitive data through entity resolution, or disrupt service availability by triggering resource exhaustion through malicious entity references. The vulnerability affects both XML and SAML decryption processes, making it particularly dangerous for identity providers and service providers that process external authentication requests. Organizations using affected versions of OpenSAML-Java may experience unauthorized access to their authentication infrastructure, potentially compromising user credentials and system integrity.

Mitigation strategies for CVE-2013-6440 require immediate patching of affected OpenSAML-Java libraries to version 2.6.1 or later where the expandEntityReferences property has been properly configured to prevent external entity expansion. Security administrators should also implement additional defensive measures including network-level filtering of XML traffic, XML parser configuration hardening to disable external entity resolution, and comprehensive monitoring of authentication requests for suspicious patterns. Organizations should conduct thorough vulnerability assessments to identify all systems utilizing affected OpenSAML-Java versions and ensure proper configuration of XML processing components to prevent XXE attack vectors. The remediation process should also include reviewing and updating security policies around XML processing and entity handling, aligning with industry best practices for secure XML parsing as outlined in various cybersecurity frameworks and standards.
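The parser hardening described above, as an added example that is not OpenSAML's own code: a JAXP DocumentBuilder configured the way a SAML consumer should be (expandEntityReferences off, DOCTYPE refused, external entities and external DTD loading disabled), exercised on two constructed inputs. In OpenSAML itself the equivalent change is setting the parser pool's expandEntityReferences property to false, as the page states versions 2.6.1 and later do; the class and method names here are the example's own.

```java
import java.io.ByteArrayInputStream;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class HardenedSamlParser {

    // Build a JAXP parser with every external-entity avenue closed.
    static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);            // SAML relies on namespaces
        f.setExpandEntityReferences(false);   // the property CVE-2013-6440 left at true
        f.setXIncludeAware(false);
        // A SAML message never legitimately carries a DOCTYPE; refuse it outright.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        DocumentBuilder b = f.newDocumentBuilder();
        // Defence in depth: even if a DOCTYPE slipped through, resolve nothing.
        b.setEntityResolver((publicId, systemId) -> new InputSource(new StringReader("")));
        return b;
    }

    // Parse with the hardened builder; a DOCTYPE surfaces as a SAXParseException.
    static String parseOrReject(String xml) {
        try {
            Document d = hardenedBuilder()
                    .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return "accepted root=" + d.getDocumentElement().getLocalName();
        } catch (SAXParseException e) {
            return "rejected: " + e.getMessage();
        } catch (Exception e) {
            return "error: " + e;
        }
    }

    public static void main(String[] args) {
        // Constructed samples: a minimal SAML-like element, and the same element
        // preceded by a DOCTYPE (internal entity only), which the hardened parser refuses.
        String benign = "<saml:Assertion xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\"/>";
        String withDoctype = "<!DOCTYPE x [<!ENTITY e \"x\">]>" + benign;
        System.out.println(parseOrReject(benign));
        System.out.println(parseOrReject(withDoctype));
    }
}
```

The same check doubles as a regression test for a deployment: feed the DOCTYPE sample through the production parser pool and confirm it is rejected rather than parsed.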

Reservation

11/04/2013

Disclosure

02/14/2014

Moderation

accepted

Entry

VDB-66382

CPE

ready

EPSS

0.02752

KEV

no

Activities

very low

Sources
