#VU18091 Improper Authentication in mod_auth_mellon - CVE-2019-3878

Cybersecurity Help s.r.o.

Published: 2019-03-28

Vulnerability identifier: #VU18091

Vulnerability risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2019-3878

CWE-ID: CWE-287

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
mod_auth_mellon
Server applications / Other server solutions

Vendor: UNINETT

Description

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to an error when processing certain headers. A remote attacker can add special HTTP headers that are normally used to start the special SAML ECP, bypass authentication process and gain unauthorized access to the application.

Successful exploitation of the vulnerability requires that Apache is configured as a reverse proxy and mod_auth_mellon is configured to only let through authenticated users.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

mod_auth_mellon: 0.4.0 - 0.14.1

External links
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3878
https://github.com/Uninett/mod_auth_mellon/pull/196

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Amazon Linux AMI update for mod24_auth_mellon

Multiple vulnerabilities in mod_auth_mellon Apache module

Ubuntu update for mod_auth_mellon