Researchers at SEC Consult have identified some serious flaws in WSO2 Identity Server. The vendor has released patches to address the security bugs.
WSO2 Identity Server, developed by Mountain View, CA-based enterprise middleware company WSO2, is a security and identity management solution for enterprise web applications, services, and APIs.
SEC Consult experts analyzed WSO2 Identity Server and determined that the product is affected by cross-site scripting (XSS), cross-site request forgery (CSRF), and XML external entity injection (XXE) vulnerabilities.
According to an advisory published by the Austria-based application security services firm on Wednesday, the reflected XSS bug can be exploited by a remote attacker to hijack users’ sessions. For the attack to work, the attacker must convince a user that is logged in to the WSO2 Identity Server admin interface to click on specially crafted link.
The CSRF bug can be exploited by an attacker to add new users to Identity Server. Exploiting this vulnerability, caused by the lack of CSRF protection, also requires user interaction.
The third vulnerability identified and reported by SEC Consult is an XXE flaw that can be exploited to inject external XML entities through the SAML authentication interface. A malicious actor can leverage the bug to read local files, and possibly even bypass firewall rules and conduct further attacks on internal servers.
“WSO2 Identity Server 5.0.0 is vulnerable to XML External Entity (XEE) attack in the federated SAML2 SSO authentication flow which can be carried out by modifying the SAMLRequest or SAMLResponse parameters,” WSO2 wrote in its own advisory. “This attack may lead to the disclosure of confidential data, denial of service, port scanning from the perspective of the machine where the parser is located, and other system impacts.”
SEC Consult has published proof-of-concept code for each of the security holes.
The vulnerabilities, rated “critical” by WSO2, were reported in mid-March and addressed on Wednesday with the following patches: WSO2-CARBON-PATCH-4.2.0-1256 and WSO2-CARBON-PATCH-4.2.0-1194. WSO2 advises customers to install IS 5.0.0 Service Pack 1 before applying the patches.
WSO2’s advisory states that the vulnerabilities affect Identity Server 5.0.0, but SEC Consult believes that these or similar security bugs might affect other WSO2 products that are based on the WSO2 Carbon framework.
“SEC Consult only conducted a very quick and narrow check on the WSO2 Identity Server. Since in this check a critical vulnerability was found, SEC Consult suspects that the Identity Server contains even more critical vulnerabilities,” SEC Consult said in its advisory. “SEC Consult recommends to not use any products based on the WSO2 Carbon Framework until a thorough security review has been conducted.”