Security Advisory WSO2-2016-0104

Published: August 12, 2016


OVERVIEW

The following four scenarios were found to be vulnerable to XML Signature Wrapping (XSW) attacks, in the WSO2 platform:

  1. Jaggery-based applications in the WSO2 product stack (e.g: API Store, API Publisher, App Store) are found to be vulnerable only when SAML 2.0 based Single Sign On (SSO) is enabled.
  2. The OAuth SAML 2.0 bearer grant type implementation ships with WSO2 Identity Server and WSO2 API Manager.
  3. SAML 2.0 federated authenticator in WSO2 Identity Server, which is used to connect to external identity providers.
  4. The SAML 2.0 web agent, which is used to enforce SSO for web apps deployed in WSO2 Application Server.

All of the above attacks can only be executed by a valid, legitimate user in the system. The attacker would exploit this vulnerability either to impersonate another user or to escalate his own privileges in the system.

If you have enabled SAML 2.0 based SSO for Management Consoles of any of the WSO2 products with the default configuration settings (response signing enabled), the access to the Management Console is NOT vulnerable to the XSW attacks.

None of the external applications (e.g: Google Apps, Salesforce) using WSO2 Identity Server as the SAML 2.0 or WS-Federation Identity Provider are vulnerable to this attack.

DESCRIPTION

In order to preserve the integrity of the SAML assertion and response sent by the SAML Identity Provider to the Service Provider (relying party), XML signatures are used. The relying party can validate the signature of the assertion and response for ensuring that the original message is not altered. In XML Signature Wrapping attacks, the structure of the message is altered such that the relying party can be tricked when it parses the XML message.

The attacker should possess a valid SAML token in hand for wrapping the signature and forwarding it to the relying party. Therefore, the attacker must be an internal user of the organization who already possesses a valid user account in the system.

IMPACT

Through a successful exploit of the vulnerability, the attacker would be able to impersonate a user and gain access to the SAML SSO consumer applications that the victim is authorized.

However, the attack would only be possible where the WSO2 products act as the SAML consumer (e.g. API Manager Store/Publisher, Identity Server Dashboard). Other SAML relying party websites/applications that use WSO2 Identity Server as an Identity Provider have no impact from this attack.

SOLUTION

After applying the below patches, WSO2 products correctly validate SAML responses and assertions in SAML consumer applications and avoid possible XML Signature Wrapping (XSW) attacks.

Apply the following patches based on your products by following the instructions in the README file.

Apply the following patches based on your products by following the instructions in the README file. Patches can also be downloaded from Security Patch Releases. If you have any questions, post them to security@wso2.com.

Code Product Version Patch
APIM WSO2 API Manager 2.0.0 WSO2-CARBON-PATCH-4.4.0-0327
WSO2-CARBON-PATCH-4.4.0-0365
WSO2-CARBON-PATCH-4.4.0-0366
APIM Analytics WSO2 API Manager Analytics 2.0.0 WSO2-CARBON-PATCH-4.4.0-0366
APPM WSO2 App Manager 1.2.0 WSO2-CARBON-PATCH-4.4.0-0326
WSO2-CARBON-PATCH-4.4.0-0327
WSO2-CARBON-PATCH-4.4.0-0365
WSO2-CARBON-PATCH-4.4.0-0339
APPM WSO2 App Manager 1.2.0 WSO2-CARBON-PATCH-4.4.0-0326
WSO2-CARBON-PATCH-4.4.0-0327
WSO2-CARBON-PATCH-4.4.0-0365
WSO2-CARBON-PATCH-4.4.0-0339
AS WSO2 Application Server 5.3.0 WSO2-CARBON-PATCH-4.4.0-0354
WSO2-CARBON-PATCH-4.4.0-0347
BPS WSO2 Business Process Server 3.5.1 WSO2-CARBON-PATCH-4.4.0-0352
BRS WSO2 Business Rules Server 2.2.0 WSO2-CARBON-PATCH-4.4.0-0329
CEP WSO2 Complex Event Processor 4.1.0 WSO2-CARBON-PATCH-4.4.0-0329
DAS WSO2 Data Analytics Server 3.0.1 WSO2-CARBON-PATCH-4.4.0-0329
WSO2-CARBON-PATCH-4.4.0-0348
DS WSO2 Dashboard Server 2.0.0 WSO2-CARBON-PATCH-4.4.0-0329
DSS WSO2 Data Services Server 3.5.0 WSO2-CARBON-PATCH-4.4.0-0353
EMM WSO2 Enterprise Mobility Manager 2.0.1 WSO2-CARBON-PATCH-4.4.0-0329
IS WSO2 Identity Server 5.1.0 WSO2-CARBON-PATCH-4.4.0-0329
MB WSO2 Message Broker 3.1.0 WSO2-CARBON-PATCH-4.4.0-0353
ML WSO2 Machine Learner 1.1.0 WSO2-CARBON-PATCH-4.4.0-0353

Info

If you are using newer versions of the products than the ones mentioned in the "SOLUTION" section, this vulnerability is fixed.