Proof-of-concept exploit code published for each issue

May 13, 2015 20:43 GMT

Multiple critical vulnerabilities have been uncovered in the WSO2 Identity Server product. A threat actor could leverage them to hijack an administrator's session, or to bypass firewall protection and run attacks against internal hosts.

WSO2 Identity Server is an authentication management tool designed for web applications, services and APIs. It can handle multiple identities and includes support for different standards.

Session hijacking, new users added to the server

Austria-based vulnerability lab SEC Consult found and reported the flaws privately in February, coordinating the disclosure with the vendor for this month.

Details for three vulnerabilities were published in a security advisory on Wednesday, and each of them is accompanied by proof-of-concept code.

SEC Consult says that version 5.0.0 of WSO2 Identity Server is vulnerable to a reflected cross-site scripting (XSS) flaw that could let an attacker take over a victim's session.

For this, the victim has to be logged into the Identity Server web-based administration console and tricked into clicking on a link specially created by the attacker.

Another issue brought to light by the researchers is a lack of protection against cross-site request forgery (CSRF) attacks on at least one page. Once more, the victim needs to be authenticated for the issue to be exploitable.

Luring someone to a page or link of the attacker's choosing is not a difficult task, especially for a motivated attacker; the victim's browser then submits the forged request with the victim's session, and the consequence in this case would be the addition of new users to the server.

Attacker could bypass firewall rules, access internal hosts

A third vulnerability is an XML external entity (XXE) injection, which could disclose local files from the server to an authenticated attacker.

In the security advisory, the researchers draw attention to the fact that “since the XML entity resolver allows remote URLs, this vulnerability may allow to bypass firewall rules and conduct further attacks on internal hosts.”
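The parser behaviour behind an XXE issue, shown as an added example that is not part of the SEC Consult advisory or of WSO2's own code (WSO2 Identity Server is written in Java; Python's standard-library SAX parser stands in here). The payload, the temporary "secret" file and the `parse_untrusted` and `demo` helpers are constructed for this illustration. The same document is fed to a parser that resolves external general entities (the weak setting) and to one that does not (the hardened setting):

```python
"""
Added illustration (not WSO2 code): one XXE payload parsed with external
entity resolution enabled and disabled. Everything here, including the
secret file and the "top-secret" marker, is constructed for the demo.
"""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import feature_external_ges


class TextCollector(xml.sax.ContentHandler):
    """Collects character data, i.e. whatever the entity reference expands to."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)

    def text(self):
        return "".join(self.chunks)


def xxe_payload(target):
    """Classic XXE document: an external general entity whose SYSTEM
    identifier points at a file. Pointing it at an http:// URL of an
    internal host instead turns the same bug into a request issued by
    the server into the internal network (the firewall-bypass case)."""
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE doc [\n'
        f'  <!ENTITY xxe SYSTEM "{target}">\n'
        ']>\n'
        '<doc>&xxe;</doc>\n'
    ).encode()


def parse_untrusted(xml_bytes, resolve_external_entities):
    """Parse attacker-controlled XML and return its character data.

    resolve_external_entities=True is the weak setting: the parser fetches
    and inlines whatever the SYSTEM identifier points at.
    False is the hardened setting (and the stdlib default since Python 3.7.1).
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text()


def demo():
    """Write a constructed secret file, attack a weak and a hardened parser
    with the same payload, and return (leaked_by_weak, hardened_result)."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("top-secret")  # constructed stand-in for e.g. /etc/passwd
        secret_path = f.name
    try:
        payload = xxe_payload("file://" + secret_path)
        leaked = parse_untrusted(payload, resolve_external_entities=True)
        hardened = parse_untrusted(payload, resolve_external_entities=False)
    finally:
        os.unlink(secret_path)
    return leaked, hardened


if __name__ == "__main__":
    leaked, hardened = demo()
    print("weak parser returned:    ", repr(leaked))
    print("hardened parser returned:", repr(hardened))
```

With resolution enabled the file contents come back as ordinary character data of the document, which is exactly the channel the advisory describes; with resolution disabled the entity expands to nothing. Whatever the parser in use, the fix is the same: disable DTD processing or external entity resolution for any XML that originates from a client.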

The issues are addressed by applying the vendor-supplied fixes (1194 and 1095) to WSO2 Identity Server.

Proof-of-concept code for each of the three problems identified has been published by SEC Consult, which makes applying the available patches urgent.