||
Skip to end of metadata
Go to start of metadata

Published: 9th December 2020

Version: 1.0.0

WSO2 Identity Server and WSO2 IS as Key Manager
Severity: Critical
CVSS: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

WSO2 API Manager
Severity: Medium
CVSS: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)


AFFECTED PRODUCTS

WSO2 API Manager : 3.2.0 or earlier
WSO2 IS as Key Manager : 5.10.0 or earlier
WSO2 Identity Server : 5.10.0 or earlier


OVERVIEW

A potential default credential usage is identified


DESCRIPTION

It is not instructed from the product documentation to change the default credential used by the out-of-the-box web applications to authenticate with Product's REST APIs that are marked as secure under the 'ResourceAccessControl' tag of identity.xml file. Therefore, the default credential could still be available in a running deployment.


IMPACT

Product REST APIs' client authentication mechanism is currently undocumented. Therefore, even if the default credential might be revealed via the configuration files, an attacker has to analyze the source code in order to identify how to use those and authenticate to the REST APIs. Furthermore, the risk is greatly reduced if these APIs are not exposed publicly.

If an attacker manages to exploit this, WSO2 Identity Server and WSO2 IS as Key Manager versions (listed under 'Affected Product Versions') could have a critical impact in the worst-case scenario, because those products expose the SCIM API that can be used for managing the end users.

In contrast, WSO2 API Manager versions have only a medium impact because those do not expose critical product level REST APIs that accept the affected credential.

Follow the below steps to check whether the vulnerability is exploited or not.

  • Analyze the access logs of the load balancers or any intermediary component used for routing traffic to the WSO2 servers.
  • Pay attention to the '/api/', '/scim2/' patterns and identify the IPs of the clients that accessed the protected resources.
  • Verify those IPs are known ones. To confirm the IPs are trusted, you may have to correlate those IPs with historical data.
  • If untrusted IPs are found, check the status codes of above requests to make sure that 200, 201 are not found. If you identify such successful requests, analyze all API resources that particular user tried out. This can be done by checking the actions performed in audit.log of WSO2 servers within the timeframe of such requests.


SOLUTION

If you are using one of the following product versions,

WSO2 API Manager: 2.6.0, 2.5.0, 2.2.0
WSO2 IS as Key Manager: 5.7.0, 5.6.0, 5.5.0, 5.3.0
WSO2 Identity Server: 5.8.0, 5.7.0, 5.6.0, 5.5.0, 5.4.1, 5.4.0, 5.3.0

1. Shutdown the server, if you have already started.

2. Add following configuration changes to secure your deployment from this vulnerability.

2.1. (This step is not applicable for WSO2 API Manager.) If 'RecoveryEndpointConfig.properties' file does not exist in '<PRODUCT_HOME>/repository/ conf/identity' directory,

Get a copy of the 'RecoveryEndpointConfig.properties' file located in the '<PRODUCT_HOME>/repository/deployment/server/webapps/accountrecoveryendpoint/ WEB-INF/classes' directory and add it to the '<PRODUCT_HOME>/repository/conf/identity' directory. Update the value of 'app.password' property to a preferred password in the 'RecoveryEndpointConfig.properties' file in '<PRODUCT_HOME>/repository/conf/identity directory

                                                                  app.password=<Preferred Password>


Note (Only applicable if the 'accountrecoveryendpoint' webapp is hosted outside of the product): Do the above changes to the 'app.password' property in the 'RecoveryEndpointConfig.properties' file found in the root of the 'accountrecoveryendpoint' folder and “RecoveryEndpointConfig.properties” file located in the "/WEB-INF/classes" directory.


2.2. Go to <PRODUCT_HOME>/repository/conf/identity/EndpointConfig.properties and check if 'app.password' property is available. If it is available, please follow the below instructions:

If you had to follow step 2.1, update the value of 'app.password' property to the same preferred password used in that step. If that step was not applicable, you may use any preferred password.

app.password=<Preferred Password>

Note (Only applicable if the 'authenticationendpoint' webapp is hosted outside of the product): If 'app.password' property is available in the 'EndpointConfig.properties' file found in the root of the 'authenticationendpoint' folder and “EndpointConfig.properties” file located in the "/WEB-INF/classes" directory, then do the above changes.


2.3. Go to <PRODUCT_HOME>/repository/conf/identity/identity.xml

If steps 2.1 or/and 2.2 was applicable for your product, update the “hash” value of the Application name "dashboard" under the ClientAppAuthentication tag to the SHA-256 hash of the same preferred password used in those steps. If neither of those steps were applicable, you may use the SHA-256 hash of any preferred password.

<ClientAppAuthentication>

<Application name="dashboard" hash="<SHA-256 hash of the

newly added app.password property value>"/>

</ClientAppAuthentication>

3. Once above configuration changes are completed, restart the server with :

Linux/Unix : sh wso2server.sh

Windows : wso2server.bat


If you are using one of the following product versions,

WSO2 API Manager: 3.0.0, 3.1.0, 3.2.0
WSO2 IS as Key Manager: 5.9.0, 5.10.0
WSO2 Identity Server: 5.9.0, 5.10.0


1. Apply relevent configuration changes and new configuration files as per the public fix: https://github.com/wso2/carbon-identity-framework/pull/3076/files, https://github.com/wso2/carbon-identity-framework/pull/3096/files

2. Shutdown the server, if you have already started.

3. Add the following configuration changes to <PRODUCT_HOME>/repository/conf/deployment.toml file.

3.1. Add the 'app_password' property value of '[identity.auth_framework.endpoint]' to a preferred password.

                  [identity.auth_framework.endpoint]

                 app_password="<value of preferred password>"


3.2. Add SHA-256 hash value of the added 'app_password' property value to the 'hash' property value of '[account_recovery.endpoint.auth]'.

        [account_recovery.endpoint.auth]

       hash="<SHA-256 hash of the newly added app_password property value>"


If the 'authenticationendpoint' web app is hosted externally. Open the 'EndpointConfig.properties' file found in the root of the 'authenticationendpoint' folder. Change the 'app.password' property value to the value added as 'app_password' in the 'deployment.toml' file. And do the same changes to the 'EndpointConfig.properties' file located in the "/WEB-INF/classes" directory.

If the 'accountrecoveryendpoint' web app is hosted externally. Open the 'RecoveryEndpointConfig. properties' file found in the root of the 'accountrecoveryendpoint' folder. Change the 'app.password' property value to the value added as 'app_password' in the 'deployment.toml' file. And do the same changes to the “RecoveryEndpointConfig.properties” file located in the "/WEB-INF/classes" directory.

4. Once above configuration changes are completed, restart the server with :

Linux/Unix : sh wso2server.sh

Windows : wso2server.bat

Note: If you are a WSO2 customer with Support Subscription, please use WSO2 Update Manager (WUM) updates in order to apply the fix.


  • No labels