On January 27, 2016, an issue was reported that identified a vulnerability in the UMA protocol. The UMA Work Group immediately set about analyzing the attack, possible mitigations under consideration, and similar cases; choosing an optimal mitigation; and developing specification text defining that mitigation. This companion non-normative document provides additional background information.
Familiarity with UMA terms and concepts is recommended for reading this document.
Many thanks to the submitters of the issue and the Work Group for its quick action!
Here is a high-level description of the problem and the solution, suitable for end-users of online services. (You don't need familiarity with UMA terms and concepts to read this section.)
Alice wants to share a photo with Bob, and only Bob. Eve would like to see the photo, but she is not allowed. Alice stores the photo on her resource server and protects it with her authorization server. She sets a policy stating that only Bob should have access to the photo.
In order for Bob to get access to the photo, the following three steps would be completed:
Bob begins his transaction by requesting the photo.
Eve would like to access the photo as well. She completes the following steps:
The attacker must know the victim and successfully trick him for this attack to be successful. Also, some authorization services could choose other ways to let Bob be identified automatically, without having to visit the authorization service, and these others ways is not susceptible to the attack. The UMA Work Group has developed an UMA extension specification that authorization services have the option to implement if they determine this level of enhanced security is appropriate for their circumstances.
Thanks to Sarah Squire for contributing this writeup!
See the complete attack sequence in the UMA Claims-Gathering Extension for Enhanced Security.
The attack relies on the attacker initiating the resource access attempt, phishing the legitimate requesting party into completing one or more claims-gathering flows at the authorization server, and then taking over the session once again to accept an RPT that contains the desired authorization data that allows inappropriate access to the resource.
Because the victim's client already has an AAT, the victim will notice nothing wrong; it will look like he's supplying claims to help launch a client he knows and trusts. In the case of long-lived cookies for, say, social networks, the victim’s claims could even be provided to the authorization server automatically through single sign-on. In the case of the attacker controlling the victim's network access, the client will not even see a spurious/failed request.
The reason the attacker is able to construct a successful RPT request after the victim has completed the necessary one or more claims-gathering cycles is that every parameter – state, authorization_state, and ticket – is known in advance. Analyzing which could help distinguish the context:
state parameter provides no support to distinguish the attacker's transaction context and the victim's context. The victim's client simply fails when attempting to continue seeking access because the session was initiated by the attacker. The transaction context of record is the attacker's.ticket parameter provides no support to distinguish the two contexts because UMA V1.0 and V1.0.1 (and possible future minor versions) require its value to be the same across the entire process of claims-gathering when a requesting party is seeking access to a particular resource. It could be said that the root problem of the session fixation is in the "fixed" nature of permission tickets in the cycle of 1) requesting party claims endpoint usage with a ticket parameter and 2) the response from the AS with the same ticket parameter repeated.The UMA Work Group has provided a mitigation of this attack in the form of a draft extension specification.
The mitigation involves a new requesting party claims endpoint at the authorization server that behaves differently from the original one, in that it returns a ticket parameter value that is unguessable rather than the same value it was given originally; the authorization server also invalidates the original ticket. This has the effect of adding entropy to the round-trip permission ticket cycle during the claims-gathering flow, foiling an attacker's ability to know all the information necessary to simulate a true requesting party's request for an RPT and authorization data in step 7 in the attack sequence.
The extension specification has been designed to sit alongside the versions of UMA extant at the time of the extension's writing (UMA V1.0 and UMA V1.0.1) and to be usable with authorization servers using these versions and any similar version susceptible to the identical attack. The specification is a true extension in that its requirements supersede several requirements in the original specifications of the UMA protocol. As the Work Group works on its 2016 roadmap items, it will take into consideration how to fold this and any other extension specifications into future versions of the main UMA specifications.
The following mitigation proposals were analyzed and found technically unsuitable.
The following mitigation proposals were found unsuitable for the Work Group to specify formally for various reasons.
need_info responses) as a method of sufficiently distinguishing attacker and victim transaction context to mitigate the session fixation attack. For example, if the authorization server needed requesting party Bob to meet two policy conditions, one regarding his strongly authenticated identity which could be met through knowledge of AAT session context, and another regarding his current professional certification status which could only be met through an interactive claims-gathering flow at a certifying body, this combination could be apropos. However, the authentication context-based method must be sufficient to deny access to the attacker; not every UMA ecosystem will find such combinations fit for their trust elevation purposes; and even in those cases, no formal specification of this method of mitigating the attack seems warranted.To read about other types of attacks for which strong authentication through authentication context-based trust elevation may apply, see this section of the UMA Security Considerations.