A handful of vulnerabilities have been identified in WSO2 Identity Server that could lead to takeover, firewall bypass, and potentially expose subsequent internal servers to further attacks.
The open source server software helps developers manage identities and keep track of web apps, services and APIs.
Researchers at SEC Consult, a vulnerability lab headquartered in Austria, discovered the critical bugs in version 5.0.0 of the software in February and disclosed them on Wednesday.
A reflected cross-site scripting (XSS) vulnerability in the server could result in the takeover of a victim’s session, while a cross-site request forgery (CSRF) vulnerability, on at least one page of the server’s admin web interface, could grant an attacker the ability to add arbitrary users to the server.
Both issues require the attacker to lure a victim who is logged into Identity Server: the XSS is triggered by clicking a crafted link, and the CSRF by visiting a page that contains a manipulated <img> tag.
A third issue, an XML external entity (XXE) injection vulnerability, affects the server’s SAML authentication interface and could be exploited to inject arbitrary external XML entities.
“Since the XML entity resolver allows remote URLs, this vulnerability may allow to bypass firewall rules and conduct further attacks on internal hosts,” reads SEC’s vulnerability advisory.
According to proof-of-concept code published by SEC, an attacker can send a request to a vulnerable Windows server and have it return a directory listing of the C: drive, demonstrating that arbitrary local files can be read.
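SAML messages never need a DTD, so a service provider can refuse any DOCTYPE or entity declaration before the XML reaches the application parser. The following is an added example (not WSO2’s code or SEC Consult’s proof of concept) of that gate on a base64-encoded SAMLResponse, with constructed benign and DTD-carrying samples; the placeholder system identifier is not a real path.

```python
"""Reject DTDs in SAML messages before they reach the XML parser (added example)."""
import base64
import xml.parsers.expat


class DtdNotAllowed(ValueError):
    """Raised when a SAML message carries a DOCTYPE or entity declaration."""


def to_saml_response(xml_text: str) -> str:
    """Encode XML the way the SAML HTTP-POST binding carries it (SAMLResponse field)."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def reject_dtd(xml_text: str) -> None:
    """Parse with expat and abort on the first DOCTYPE or entity declaration."""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise DtdNotAllowed(f"DOCTYPE '{name}' is not permitted in a SAML message")

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        raise DtdNotAllowed(f"entity '{name}' declared (system id {system_id!r})")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    # Defence in depth: never expand parameter entities even if one slipped through.
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.Parse(xml_text, True)


def is_safe_saml(saml_response_b64: str) -> bool:
    """True only for well-formed XML with no DTD; malformed input is rejected too."""
    try:
        reject_dtd(base64.b64decode(saml_response_b64).decode("utf-8"))
    except (DtdNotAllowed, xml.parsers.expat.ExpatError, ValueError):
        return False
    return True


# Constructed samples: a minimal benign response and one carrying an external entity.
BENIGN_XML = (
    '<?xml version="1.0"?>'
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_c1">'
    "<samlp:Status/></samlp:Response>"
)
XXE_XML = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE Response [ <!ENTITY ext SYSTEM "file:///constructed/placeholder"> ]>'
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">&ext;</samlp:Response>'
)
```

The check runs before signature validation, so a rejected message costs the server nothing beyond decoding it.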
SEC points out that its researchers conducted only a “very quick and narrow check” of the Identity Server platform, so similar vulnerabilities may exist in other WSO2 products, and more critical vulnerabilities may exist in Identity Server itself.
According to Prabath Siriwardena, WSO2’s Director of Security Architecture, however, all of the issues SEC brought to the company’s attention were fixed and all WSO2 customers were patched in advance of the public disclosure. Siriwardena insists that no WSO2 customers were affected by the vulnerabilities.
The company released two patches for Identity Server, WSO2-CARBON-PATCH-4.2.0-1194 and WSO2-CARBON-PATCH-4.2.0-1095, in tandem with SEC Consult’s disclosure on Wednesday. As there is no known workaround, both parties are encouraging users to apply the patches to bring the software fully up to date.