An OpenID message can be modified to contain unsigned attributes that will be accepted by a relying party because Tivoli Federated Identity Manager (TFIM) does not check that all attributes have been signed.
An OpenID identity provider can send attributes about a user to a relying party via the "simple registration extension" (SREG) or "attribute exchange extension" (AX). The response from the OpenID provider to the relying party is transmitted via a browser redirect. The response also contains an attribute called "openid.signed" which outlines which parameters in the response are signed by the OpenID provider.
When TFIM receives an OpenID attribute via SREG or AX, it does not check whether that attribute is among the parameters covered by the signature. An attacker acting either as a man-in-the-middle or at the browser could therefore insert unsigned attributes that the OpenID provider never sent and have the relying party accept them. The attack requires neither local network access nor authentication, but specialized knowledge and techniques are required. An exploit will not impact the availability of system resources or the confidentiality of information, but the integrity of some of the data used in the OpenID exchange could be compromised. The consequence of this compromise depends on the nature and use of the OpenID attributes by the consuming applications.
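The following Python example is added here to illustrate the check described above; it is not IBM's or TFIM's code. It verifies an OpenID 2.0 positive assertion's HMAC signature over the openid.signed fields, then contrasts an attribute extractor that trusts every SREG/AX parameter with one that keeps only parameters listed in openid.signed. The association key, endpoints and nickname are constructed values, and the attacker is modelled simply as an extra parameter appended to the redirect query string.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

MAC_KEY = b"constructed-association-secret"  # hypothetical OP/RP association key (constructed)
def kv_form(params, signed_fields):
    # OpenID 2.0 Key-Value Form of the signed fields, keys without the "openid." prefix
    return "".join(f"{f}:{params['openid.' + f]}\n" for f in signed_fields)

def sign(params, mac_key):
    # OP side: HMAC-SHA256 over the Key-Value Form of the fields listed in openid.signed
    signed = params["openid.signed"].split(",")
    mac = hmac.new(mac_key, kv_form(params, signed).encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()

def verify_signature(params, mac_key):
    # RP side: recompute the MAC and compare in constant time against openid.sig
    return hmac.compare_digest(sign(params, mac_key), params["openid.sig"])

def extension_attributes(params):
    return {k: v for k, v in params.items() if k.startswith(("openid.sreg.", "openid.ax."))}
def attributes_unsafe(params):
    # Mirrors the behaviour the advisory describes: every SREG/AX attribute is taken at face value
    return extension_attributes(params)

def attributes_safe(params):
    # Hardened: keep only extension attributes whose name appears in openid.signed
    signed = set(params["openid.signed"].split(","))
    return {k: v for k, v in extension_attributes(params).items() if k[len("openid."):] in signed}

def constructed_response(tampered=False):
    # Constructed positive assertion; tampered=True appends an unsigned SREG email to the query string
    params = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.op_endpoint": "https://op.example/openid",
        "openid.claimed_id": "https://op.example/alice",
        "openid.return_to": "https://rp.example/return",
        "openid.response_nonce": "2012-01-01T00:00:00Zabc",
        "openid.assoc_handle": "handle-1",
        "openid.ns.sreg": "http://openid.net/extensions/sreg/1.1",
        "openid.sreg.nickname": "alice",
        "openid.signed": "op_endpoint,claimed_id,return_to,response_nonce,assoc_handle,ns.sreg,sreg.nickname",
    }
    params["openid.sig"] = sign(params, MAC_KEY)
    query = urlencode(params)
    if tampered:
        query += "&" + urlencode({"openid.sreg.email": "injected@example.net"})
    return dict(parse_qsl(query))
```

Note that the signature still verifies on the tampered response, because the injected parameter lies outside the signed set; only the per-attribute check against openid.signed catches it.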
CVSS Base Score: 4.3
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVSS Details: http://xforce.iss.net/xforce/xfdb/77790
Affected Versions: Tivoli Federated Identity Manager 6.2.0, 6.2.1, 6.2.2
Vendor Fixes: Patches and installation instructions are provided at the URLs listed below.
Complete CVSS Guide
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.
Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.