Micro Focus Fortify Software Security Content Critical Advisory Support - August 2019


Software Security Research Release Announcement

Micro Focus Fortify

Software Security Content

Critical Advisory Support

August 16, 2019

Fortify Software Security Research is pleased to announce the immediate availability of the following update to Fortify WebInspect SecureBase:

SAML Dupekey Injection (CVE-2019-1006)

This update includes a check to detect a critical authorization bypass vulnerability in Microsoft WCF, WIF 3.5 and later in .NET Framework, the WIF 1.0 component in Windows, the WIF NuGet package, and the WIF implementation in SharePoint. The check is identified by ID 11612.

To use this check, create a custom policy that runs just this check, or add check ID 11612 to an existing policy, so that it is included in a scan. This vulnerability is also known as Dupe Key Confusion and is a type of XML Signature Verification Bypass that allows an attacker to insert an arbitrary signature into a SAML token to gain unauthorized access to the application, for privilege escalation and user impersonation. The vulnerability is identified by MITRE advisory CVE-2019-1006. It is recommended to upgrade vulnerable components to the vendor-recommended fix versions. Additional details about the vulnerability can be found in the whitepaper released by the Micro Focus Software Security Research team at Black Hat 2019.

Contact Fortify Technical Support

Micro Focus Fortify
+1 (844) 260-7219

Contact SSR

Alexander M. Hoole
Manager, Software Security Research
Micro Focus Fortify
+1 (650) 258-5916


© Copyright 2019 Micro Focus, L.P. The information contained herein is subject to change without notice. The only warranties for Micro Focus products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Micro Focus shall not be liable for technical or editorial errors or omissions contained herein.
