Microsoft Security Advisory 3214296

Vulnerabilities in Identity Model Extensions Token Signing Verification Could Allow Elevation of Privilege

Published: January 10, 2017

Version: 1.0

Executive Summary

Microsoft is releasing this security advisory to provide information about a vulnerability in the public version of Identity Model Extensions 5.1.0. This advisory also provides guidance on what developers can do to help ensure that their apps are updated correctly.

Microsoft is aware of a security vulnerability in the public version of Microsoft.IdentityModel.Tokens 5.1.0 where tokens signed with symmetric keys could be vulnerable to tampering. If a token signed with a symmetric key is used to verify the identity of a user, and the app makes decisions based on the verified identity of that user, then the app could make incorrect decisions that result in elevation of privilege.

Developers are advised to update all apps to use package version 5.1.1 or greater.

Mitigating Factors

A token’s signature algorithm is specified by the identity provider an app is using to authenticate a user. Only symmetric signing algorithms are vulnerable to this issue, and no known public identity providers use symmetric signature algorithms. Tokens signed by identity providers using asymmetric signing algorithms are not vulnerable to key tampering.

ASP.NET templates shipped for use in Visual Studio do not bind against the vulnerable version of this package.

Microsoft encourages all developers to update their packages, regardless of whether they are used to validate tokens signed with a symmetric key algorithm, to protect against future use of the components by either themselves or third-party software.

Affected Software

A Microsoft .NET Core or .NET Framework project is affected by the vulnerability if it uses the package Microsoft.IdentityModel.Tokens version 5.1.0.

Affected package and version
Package name Package version
Microsoft.IdentityModel.Tokens 5.1.0

Advisory FAQ

How do I know if I am affected?
.NET has two different types of dependencies: direct and transitive. If your .NET Framework or .NET Core project has either a direct or transitive dependency on any of the affected packages listed in the “Affected Software” section, then it may be affected.

Direct Dependencies

Direct dependencies occur when you specifically add a package to your project. For example, if you add the Microsoft.IdentityModel.Tokens package to your project, then you have taken a direct dependency on Microsoft.IdentityModel.Tokens.

Direct dependencies are discoverable by reviewing your project.json or .proj file.

Transitive Dependencies

Transitive dependencies occur when you add a package to your project that in turn relies on another package.

Transitive dependencies are reviewable in the Microsoft Visual Studio Solution Explorer window, which also supports search, or by reviewing the project.lock.json file contained in the root directory of your project. This file contains the authoritative list of packages for your project.

How do I fix my affected app?

You will need to fix both direct dependencies and review and fix any transitive dependencies. Version 5.1.1 of the vulnerable package contains the fixes required to secure your app.

Fixing .NET Framework Project Dependencies

  • Option 1: Update your Visual Studio project packages using NuGet, recompile your application, and deploy

    1. Open your solution in Visual Studio.
    2. In Solution Explorer, right-click the References node and then click Manage NuGet Packages.
    3. Select the Updates tab. A list of packages with updates appears in the center pane.
    4. Select the Microsoft.IdentityModel.Tokens package and then click Update.
    5. Compile and deploy your application.

    For more information about managing NuGet Packages using the NuGet dialog, see Managing NuGet Packages Using the Dialog.

  • Option 2: Update your Visual Studio project packages using the Package Manager Console UI, recompile your application, and deploy

    1. Open your solution in Visual Studio.
    2. Click the Tools menu, select Library Package Manager, and then click Package Manager Console.
    3. In the package manager window, enter Update-Package Microsoft.IdentityModel.Tokens.
    4. Compile and deploy your application.

    For more information about using the Package Manager Console, see Using the Package Manager Console.

Fixing .NET Core Project Dependencies

.NET Core Project Direct Dependencies

To fix direct dependencies:

  1. Open your project.json file in your editor. Look for the dependencies section. The following provides an example section:

         "dependencies": {
           "Microsoft.IdentityModel.Tokens": "5.1.0",
         }
    

    In this example, Microsoft.IdentityModel.Tokens is a direct dependency. Update its version to 5.1.1 to download a version of this package that isn’t affected. After updating the package version, save your project.json file. The dependencies section in our example project.json file would now appear as follows:

         "dependencies": {
           "Microsoft.IdentityModel.Tokens": "5.1.1",
         }
    

    If you are using Visual Studio and save your updated project.json file, the new version will be restored by Visual Studio. You can see the restore results by opening the Output Window (Ctrl+Alt+O), and then changing the Show output from drop-down list to Package Manager.

    If you are not using Visual Studio, open a command line and change to your project directory. Execute the dotnet restore command to restore your new dependencies.

  2. After you have addressed all of your direct dependencies, you are ready to review your transitive dependencies.

.NET Core Project Transitive Dependencies

Reviewing Transitive Dependencies

There are two ways to view transitive dependencies: Use Visual Studio Solution Explorer, or review your project.lock.json file.

Using Visual Studio Solution Explorer

If you want to use Solution Explorer, open your project in Visual Studio, and then press Ctrl+; to activate the search in Solution Explorer. Search for the package name Microsoft.IdentityModel.Tokens. If results are found and the version is 5.1.0, your project takes a transitive dependency on Microsoft.IdentityModel.Tokens.

Fixing .NET Core Project Transitive Dependencies

If you have not found Microsoft.IdentityModel.Tokens, then either none of your dependencies in turn depend on the vulnerable package, or you have already fixed the problem by updating the direct dependencies.

If your transitive dependency review has shown that you use the vulnerable package, then you must add a direct dependency to an updated version of each vulnerable package to your project.json file to override the transitive dependency. Open your project.json file and find the dependencies section. For example:


    "dependencies": {
      "VulnerablePackage": "1.0.0-*"
    }

The results of the transitive package search show that a package your app uses depends on Microsoft.IdentityModel.Tokens version 5.1.0. To fix this example, you must add a direct dependency by adding it to the project.json file. You can do this by adding a new line to the dependencies section that refers to the fixed version. Edit the project.json file as follows:


     "dependencies": {
       "Microsoft.IdentityModel.Tokens": "5.1.1",
       "VulnerablePackage": "1.0.0-*"
     }

After adding direct dependencies to the fixed packages, save your project. json file.

If you are using Visual Studio, saving the updated project.json file stores the new versions in Visual Studio. To see the restore results, open the Output Window (Ctrl+Alt+O) and change the Show output from drop-down list to Package Manager.

If you are not using Visual Studio, open a command line and change to your project directory. Execute the dotnet restore command to restore your new dependencies.

You may want to check for transitive dependencies again to ensure that you have fixed all of them.

Rebuilding Your App

Finally, rebuild your app, test it as you normally would, and then redeploy it using your favored deployment mechanism.

Other Information

Microsoft Active Protections Program (MAPP)

To improve security protections for customers, Microsoft provides vulnerability information to major security software providers in advance of each monthly security update release. Security software providers can then use this vulnerability information to provide updated protections to customers via their security software or devices, such as antivirus, network-based intrusion detection systems, or host-based intrusion prevention systems. To determine whether active protections are available from security software providers, please visit the active protections websites provided by program partners, listed in Microsoft Active Protections Program (MAPP) Partners.

Feedback

Support

Disclaimer

The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions

  • V1.0 (January 10, 2017): Advisory published.

Page generated 2017-01-04 15:30-08:00.