Wednesday, June 18, 2025

Sitevision Auto-Generated Password Vulnerability Lets Hackers Steal Signing Key


A major vulnerability in Sitevision CMS, versions 10.3.1 and earlier, has been identified that allows attackers to extract the private keys used for signing SAML authentication requests.

The flaw, tracked as CVE-2022-35202, stems from the use of a Java keystore that is reachable over WebDAV and protected only by an auto-generated, low-complexity password.

In certain configurations this vulnerability could allow attackers to compromise the authentication process.

Discovery of the Vulnerability

The issue was uncovered when a WebDAV instance on a Sitevision website exposed a file named saml-keystore.

This file contained a Java keystore holding both the public and the private keys used for SAML authentication.

While the keystore was password-protected, the password was auto-generated with weak complexity: eight characters long and limited to lowercase letters and digits.

Using tools such as JksPrivkPrepare.jar to extract the password hash and Hashcat to brute-force it, researchers cracked the password within hours.
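The reason an eight-character lowercase-plus-digit password falls within hours is the size of its keyspace. The following added example (not Sitevision's code) quantifies the keyspace of a keystore password from the character classes it uses, checks it against a stricter policy, and generates a replacement password from the operating system's CSPRNG. The policy thresholds and the symbol set are assumptions chosen for illustration.

```python
"""Added example, not Sitevision's code: estimate keystore-password keyspace,
check a password against a stricter policy, and generate a strong replacement."""
import math
import secrets
import string

# Character classes used to estimate the alphabet a generator drew from.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}

# Assumed symbol subset for generated passwords: safe in shells and keytool prompts.
GENERATOR_ALPHABET = string.ascii_letters + string.digits + "-_.+="


def classes_present(password: str) -> int:
    """Number of character classes that occur in the password."""
    return sum(1 for chars in CLASSES.values() if any(c in chars for c in password))


def keyspace_bits(password: str) -> float:
    """Upper bound on entropy, assuming each character was chosen uniformly
    from the union of the classes present (36 symbols for lowercase+digits)."""
    alphabet = sum(len(chars) for chars in CLASSES.values()
                   if any(c in chars for c in password))
    if alphabet == 0:
        return 0.0
    return len(password) * math.log2(alphabet)


def meets_policy(password: str, min_length: int = 20, min_classes: int = 3) -> bool:
    """Assumed policy: at least min_length characters drawn from min_classes classes."""
    return len(password) >= min_length and classes_present(password) >= min_classes


def generate_keystore_password(length: int = 32) -> str:
    """Generate a password with the secrets module until it uses all four classes."""
    while True:
        candidate = "".join(secrets.choice(GENERATOR_ALPHABET) for _ in range(length))
        if meets_policy(candidate, min_length=length, min_classes=4):
            return candidate


if __name__ == "__main__":
    weak = "a1b2c3d4"  # constructed sample in the vulnerable format
    print(f"{weak!r}: {keyspace_bits(weak):.1f} bits, policy ok: {meets_policy(weak)}")
    strong = generate_keystore_password()
    print(f"generated: {keyspace_bits(strong):.1f} bits, policy ok: {meets_policy(strong)}")
```

The eight-character lowercase-and-digit format works out to roughly 41 bits, which is why an offline attack on the extracted keystore hash completes in hours; a 32-character password drawn from four classes is above 200 bits and is out of reach of brute force regardless of hash rate. After upgrading, the generated password can be applied with keytool's -storepasswd and -keypasswd options, which is the manual rotation the advisory calls for.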

Exploitation and Impact

In theory, the extracted private key could be used to sign SAML authentication requests.

Further analysis showed that these keys were used specifically to sign SAML Authn requests, the messages that initiate the SAML flow between Service Providers (SP) and Identity Providers (IdP).

The impact of the vulnerability therefore depends on whether the IdP trusts a signed Authn request over the pre-configured SP metadata.

An attacker exploiting this flaw could manipulate the AssertionConsumerServiceURL attribute in the Authn request to redirect authentication tokens to a malicious endpoint.

According to Shelltrail, under certain conditions this could grant unauthorized access to authenticated user sessions.
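The attack described above only works when the IdP honours an AssertionConsumerServiceURL from the request instead of the endpoints registered in the SP's metadata. The following added example (not Sitevision's or Shelltrail's code) shows the IdP-side check that closes that gap: it parses an AuthnRequest, extracts the requested ACS URL and accepts it only if it matches an AssertionConsumerService Location in the SP metadata. The metadata, the sample requests and the hostnames are constructed for the example.

```python
"""Added example, not Sitevision's or Shelltrail's code: reject SAML AuthnRequests
whose AssertionConsumerServiceURL is not registered in the SP's metadata.
For production parsing of untrusted XML, prefer defusedxml over xml.etree."""
import xml.etree.ElementTree as ET
from typing import Optional, Set, Tuple
from urllib.parse import urlsplit

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
}

# Constructed SP metadata: the only ACS endpoint the IdP has on file for this SP.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.test/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/saml/acs" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed AuthnRequest from the genuine SP.
LEGIT_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_req1" Version="2.0" IssueInstant="2022-05-01T00:00:00Z"
    AssertionConsumerServiceURL="https://sp.example.test/saml/acs"/>"""

# Constructed AuthnRequest with the ACS URL pointed at an unregistered host.
TAMPERED_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_req2" Version="2.0" IssueInstant="2022-05-01T00:00:00Z"
    AssertionConsumerServiceURL="https://attacker.example.test/acs"/>"""

# Constructed AuthnRequest that omits the attribute and relies on the metadata default.
NO_ACS_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_req3" Version="2.0" IssueInstant="2022-05-01T00:00:00Z"/>"""


def registered_acs_urls(metadata_xml: str) -> Set[str]:
    """Collect every AssertionConsumerService Location from SP metadata."""
    root = ET.fromstring(metadata_xml)
    return {el.get("Location") for el in root.iterfind(".//md:AssertionConsumerService", NS)}


def requested_acs_url(authn_request_xml: str) -> Optional[str]:
    """Return the ACS URL the request asks for, or None if it is absent."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise ValueError("not a SAML 2.0 AuthnRequest")
    return root.get("AssertionConsumerServiceURL")


def _normalise(url: str) -> Tuple[str, str, str]:
    """Compare scheme and host case-insensitively; keep the path exact."""
    parts = urlsplit(url)
    return (parts.scheme.lower(), parts.netloc.lower(), parts.path or "/")


def acs_url_allowed(authn_request_xml: str, metadata_xml: str) -> Tuple[bool, str]:
    """Decide whether the IdP may deliver the assertion to the requested ACS URL.
    A signature on the request is not sufficient: the URL must also be registered."""
    requested = requested_acs_url(authn_request_xml)
    if requested is None:
        return True, "no ACS URL in request; IdP uses the metadata default"
    allowed = {_normalise(u) for u in registered_acs_urls(metadata_xml)}
    if _normalise(requested) in allowed:
        return True, "ACS URL matches SP metadata"
    return False, "ACS URL %r is not registered for this SP; reject request" % requested


if __name__ == "__main__":
    for name, req in [("legit", LEGIT_REQUEST), ("tampered", TAMPERED_REQUEST),
                      ("no-acs", NO_ACS_REQUEST)]:
        ok, reason = acs_url_allowed(req, SP_METADATA)
        print("%-8s allowed=%s (%s)" % (name, ok, reason))
```

With this check in place, a stolen signing key lets an attacker produce a validly signed request but not move the assertion to an endpoint the SP never registered, which is the condition the advisory identifies as deciding whether the leaked key is exploitable. A rejection here is also a useful detection signal: a signed request naming an unregistered ACS URL is worth alerting on.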

Sitevision addressed the vulnerability in version 10.3.2 by enforcing stronger complexity for auto-generated passwords.

However, existing installations remain vulnerable unless administrators manually rotate the passwords after upgrading.

Exposure of the saml-keystore file also depends on specific WebDAV configurations, which are not the default but are common among Sitevision deployments.

The vulnerability was responsibly disclosed by researcher Andreas Vikerup in May 2022.

Sitevision promptly released a patch and notified affected customers, coordinating with Sweden's national CERT team (CERT-SE) because of the critical nature of the services relying on its CMS, including government agencies.

This incident highlights the risks of weak password policies and improper configuration in widely used systems.

Organizations using Sitevision CMS are urged to upgrade to version 10.3.2 or later, ensure WebDAV access controls are configured correctly, and rotate the passwords of sensitive keystores.
