Security Advisory WSO2-2021-1509
- Former user (Deleted)
Published: 8th March 2022
Version: 1.0.0
Severity: High
CVSS Score: 8.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L)
AFFECTED PRODUCTS
WSO2 API Manager : 4.0.0 , 3.2.0 , 3.1.0 , 3.0.0
WSO2 Identity Server : 5.11.0 , 5.10.0 , 5.9.0
WSO2 IS as Key Manager : 5.11.0 , 5.10.0 , 5.9.0
WSO2 IoT Server : 3.3.1
WSO2 Micro Integrator : 1.1.0 , 1.2.0
OVERVIEW
Intermediate Certificate Validation is skipped for SCIM2 endpoints by default Authorization bypass due to improper default configuration of Intermediate Certificate Validation on SCIM2 endpoints.
DESCRIPTION
Due to the default configuration in WSO2 products, Intermediate Certificate Validation [1] is skipped for SCIM2 endpoints. When a valid CA signed certificate is used in invocations, it could be used to access resources irrespective of the privileges of the user.
IMPACT
In order to exploit this vulnerability, a malicious actor must have the private key of the Root CA, or a valid certificate signed by the Root CA and the associated private key. If such can be obtained, by leveraging this vulnerability, a malicious actor may invoke the SCIM2 endpoints. Such access could expose user information, and could cause confidentiality, integrity and availability impacts to targeted user records.
SOLUTION
The recommended solution is to apply the following configuration that needs to be added into <Product_Home>/repository/conf/deployment.toml file under the [intermediate_cert_validation] tag.
exempt_contexts=[]
Please note Intermediate certificate validation is skipped for SCIM2 endpoints by default. So you need to remove the default exempted SCIM2 context to overcome the vulnerability with the above configuration. Therefore if there is no explicit requirement, make exempt_contexts empty as shown above.