SB2021060416 - Missing signature validation in SOGo
Published: June 4, 2021. Updated: December 27, 2021.
Description
This security bulletin contains information about 1 security vulnerability.
1) Improper Verification of Cryptographic Signature (CVE-ID: CVE-2021-33054)
The vulnerability allows a remote attacker to perform a MitM attack.
The vulnerability exists due to missing validation of digital signatures for SAML messages: the service provider accepts the identity asserted in a SAML response without verifying that the identity provider signed it. A remote attacker can impersonate application users when SAML is the authentication method.
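To make the defect class concrete, the following is an added example written for this bulletin; it is not SOGo's code and does not reproduce its SAML stack. It models a service provider in two forms: one that parses the assertion and trusts its NameID without looking at the signature, and one that refuses to read any field until an RSA-SHA256 signature verifies against the IdP key pinned in SP configuration. The signature is computed over the raw assertion bytes rather than via XML-DSig canonicalisation, and the assertion layout, issuer URL and subject names are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/xml"
	"errors"
	"fmt"
)

// Minimal stand-in for the parts of a SAML assertion an SP acts on.
// Constructed for this example; real assertions carry many more elements.
type Assertion struct {
	XMLName xml.Name `xml:"Assertion"`
	Issuer  string   `xml:"Issuer"`
	NameID  string   `xml:"Subject>NameID"`
}

// Response pairs serialised assertion bytes with a detached signature.
// Real SAML uses XML-DSig over a canonicalised element; here the signature is
// RSA-PKCS1v15/SHA-256 over the raw bytes, which keeps the check visible.
type Response struct {
	Assertion []byte
	Signature []byte // empty when the response is unsigned
}

var (
	ErrUnsigned     = errors.New("saml: response carries no signature")
	ErrBadSignature = errors.New("saml: signature does not verify with the IdP key")
)

// identityFromResponseVulnerable models the defect class named in the
// bulletin: the assertion is parsed and its NameID trusted, and the
// Signature field is never consulted.
func identityFromResponseVulnerable(r Response) (string, error) {
	var a Assertion
	if err := xml.Unmarshal(r.Assertion, &a); err != nil {
		return "", err
	}
	return a.NameID, nil
}

// identityFromResponse is the hardened form: a signature must be present and
// must verify against the IdP public key pinned in SP configuration before
// any field of the assertion is read.
func identityFromResponse(r Response, idpKey *rsa.PublicKey) (string, error) {
	if len(r.Signature) == 0 {
		return "", ErrUnsigned
	}
	digest := sha256.Sum256(r.Assertion)
	if err := rsa.VerifyPKCS1v15(idpKey, crypto.SHA256, digest[:], r.Signature); err != nil {
		return "", ErrBadSignature
	}
	var a Assertion
	if err := xml.Unmarshal(r.Assertion, &a); err != nil {
		return "", err
	}
	return a.NameID, nil
}

// demoAssertion builds a constructed assertion for the given subject.
func demoAssertion(nameID string) []byte {
	return []byte(fmt.Sprintf(
		"<Assertion><Issuer>https://idp.example.test</Issuer><Subject><NameID>%s</NameID></Subject></Assertion>",
		nameID))
}

// newDemoIdPKey generates a throwaway IdP signing key for the example.
func newDemoIdPKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// issueResponse plays the IdP and signs the assertion bytes.
func issueResponse(idpKey *rsa.PrivateKey, assertion []byte) Response {
	digest := sha256.Sum256(assertion)
	sig, err := rsa.SignPKCS1v15(rand.Reader, idpKey, crypto.SHA256, digest[:])
	if err != nil {
		panic(err)
	}
	return Response{Assertion: assertion, Signature: sig}
}

func main() {
	idp := newDemoIdPKey()
	good := issueResponse(idp, demoAssertion("alice"))
	// Same signature, different assertion body, and no signature at all:
	// the two inputs a regression test for this check should cover.
	tampered := Response{Assertion: demoAssertion("admin"), Signature: good.Signature}
	unsigned := Response{Assertion: demoAssertion("admin")}

	for _, r := range []Response{good, tampered, unsigned} {
		v, _ := identityFromResponseVulnerable(r)
		h, err := identityFromResponse(r, &idp.PublicKey)
		fmt.Printf("vulnerable=%q hardened=%q err=%v\n", v, h, err)
	}
}
```

Running it shows the vulnerable path returning "admin" for both the tampered and the unsigned response, while the hardened path returns an error for each and only yields "alice" for the genuinely signed one. A production SP additionally obtains the IdP key from trusted metadata, verifies per XML-DSig over the canonicalised element, and checks Issuer, Audience, validity window and assertion ID reuse; the signature check here is the gate those checks sit behind.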
Remediation
Install the update from the vendor's website.
References
- https://github.com/inverse-inc/sogo/blob/master/CHANGELOG.md
- https://www.sogo.nu/news.html
- https://blogs.akamai.com/2021/06/sogo-and-packetfence-impacted-by-saml-implementation-vulnerabilities.html
- https://lists.debian.org/debian-lts-announce/2021/07/msg00007.html
- https://www.debian.org/security/2021/dsa-5029