Jan 19, 2021, 8:38:11 AM
We've just released versions 6.3.7 and 6.4.2 of Engineblock, which address a security flaw that
was identified last week. If you use the "trusted proxy" functionality of Engineblock (e.g.
when you use the OpenID Connect gateway) you are urged to patch your systems as soon as possible.
The flaw was discovered by our colleague Bas Zoetekouw. It allows a user to log in to an SP
using an IdP that is not on the whitelist of that SP. It is only triggered when the SP is behind a
trusted proxy (e.g. for OIDC services). The bug is triggered as follows:
1) The user starts an authentication request from an SP behind a trusted proxy (like oidc)
2) The user manipulates the POST in the WAYF, to select an IdP that is not present in the WAYF. The
IdP needs to be on the whitelist of the trusted proxy itself
3) The user logs in at the IdP using their credentials (which means they need to have an account there)
4) The user comes back with a valid assertion. EB checks if the IdP is on the whitelist of the
trusted proxy, but not whether it's on the whitelist of the proxied SP itself, and lets the user
If you don't use the trusted proxy functionality, or the IdP whitelists of the proxied SPs match
that of the proxy itself, this bug does not affect you.
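To make the failure mode concrete, here is a small model of the whitelist check in Python. It is an added illustration, not Engineblock's own (PHP) code: the data classes, function names and entity IDs are constructed for the example, and the "vulnerable" function models only what the advisory describes (the proxy's whitelist is consulted, the proxied SP's is not). The hardened version requires the IdP to be allowed by every party in the chain, and `exposed_idps` expresses the "does not affect you" condition above as a configuration check an operator can run against their own metadata.

```python
"""Model of the IdP whitelist check for an SP behind a trusted proxy (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ServiceProvider:
    entity_id: str
    allowed_idps: frozenset        # the SP's IdP whitelist
    is_trusted_proxy: bool = False


def idp_allowed_vulnerable(proxied_sp, proxy, idp_entity_id):
    """Pre-fix behaviour as the advisory describes it: when the request arrived
    through a trusted proxy, only the proxy's own whitelist is consulted and the
    proxied SP's whitelist is skipped entirely."""
    if proxy is not None and proxy.is_trusted_proxy:
        return idp_entity_id in proxy.allowed_idps
    return idp_entity_id in proxied_sp.allowed_idps


def idp_allowed_fixed(proxied_sp, proxy, idp_entity_id):
    """Hardened check: the IdP must be on the whitelist of the proxy (if any)
    AND on the whitelist of the SP that actually started the request."""
    if proxy is not None and proxy.is_trusted_proxy:
        if idp_entity_id not in proxy.allowed_idps:
            return False
    return idp_entity_id in proxied_sp.allowed_idps


def exposed_idps(proxied_sp, proxy):
    """IdPs the flawed check would accept for proxied_sp although the SP itself
    does not allow them. An empty set means the deployment matches the
    advisory's 'does not affect you' condition for this SP/proxy pair."""
    return frozenset(proxy.allowed_idps - proxied_sp.allowed_idps)


# Constructed sample metadata (placeholder entity IDs, not real deployments).
IDP_A = "https://idp-a.example.org/saml"
IDP_B = "https://idp-b.example.org/saml"

OIDC_PROXY = ServiceProvider(
    entity_id="https://oidc-gateway.example.org/proxy",
    allowed_idps=frozenset({IDP_A, IDP_B}),
    is_trusted_proxy=True,
)
# This SP only trusts IDP_A, but sits behind the proxy that trusts both.
NARROW_SP = ServiceProvider(
    entity_id="https://narrow-sp.example.org",
    allowed_idps=frozenset({IDP_A}),
)
# This SP's whitelist matches the proxy's, so the bug cannot be exercised against it.
MATCHING_SP = ServiceProvider(
    entity_id="https://matching-sp.example.org",
    allowed_idps=frozenset({IDP_A, IDP_B}),
)


def demo():
    """Return a summary dict comparing the two checks for the sample data."""
    return {
        "narrow_vuln_accepts_idp_b": idp_allowed_vulnerable(NARROW_SP, OIDC_PROXY, IDP_B),
        "narrow_fixed_accepts_idp_b": idp_allowed_fixed(NARROW_SP, OIDC_PROXY, IDP_B),
        "narrow_fixed_accepts_idp_a": idp_allowed_fixed(NARROW_SP, OIDC_PROXY, IDP_A),
        "narrow_exposed": sorted(exposed_idps(NARROW_SP, OIDC_PROXY)),
        "matching_exposed": sorted(exposed_idps(MATCHING_SP, OIDC_PROXY)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script shows the flawed check accepting IDP_B for the narrow SP while the hardened check rejects it, and `exposed_idps` returning an empty set only for the SP whose whitelist matches the proxy's. Iterating `exposed_idps` over every proxied SP in your own metadata is a quick way to see which SPs were reachable through the bug before patching.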
Let us know if there are any questions.
Special thanks go to Michiel Kodde, who found some time to open his laptop and build and release
this patch, while on holiday and busy remodelling his new home.
Regards and keep safe,