Security Advisory WSO2-2018-0462

Published: September 03, 2018

Version: 1.0.0

Severity: Critical (CVSS v3.0 qualitative rating for the 9.3 base score below)

CVSS Score: 9.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)


AFFECTED PRODUCTS

  • WSO2 Identity Server: 5.4.0, 5.4.1, 5.5.0, 5.6.0
  • WSO2 Identity Server as Key Manager: 5.5.0, 5.6.0
  • WSO2 Identity Server: 5.3.0 - only if the SCIM 2.0 Inbound Provisioning Connector is installed.
  • WSO2 Identity Server as Key Manager: 5.3.0 - only if the SCIM 2.0 Inbound Provisioning Connector is installed.

OVERVIEW

An authentication and authorization bypass vulnerability has been identified in the SCIM 2.0 API.

DESCRIPTION

If the /scim2 endpoint of WSO2 Identity Server is reachable from the public network, an unauthenticated attacker can bypass the authentication and authorization checks applied to the SCIM 2.0 API and invoke its operations.

IMPACT

By exploiting the vulnerability, an attacker can have a user account created with a higher level of permissions than the attacker holds, and then perform any action in the system that the created account is permitted to perform.

SOLUTION

The recommended solution is to modify the following configuration under the <ResourceAccessControl> element in the IS_HOME/repository/conf/identity/identity.xml file and restart the server. Find each existing entry and replace it with the corresponding new entry. Each new entry differs only in its context attribute, which gains a trailing (.*) so that the access-control rule also covers request URIs that extend the resource path (for example a trailing path segment) rather than matching only the exact path. For entries that are not self-closing, the nested elements and closing </Resource> tag stay as they are.

Existing configuration:
  <Resource context="(.*)/api/identity/user/v1.0/validate-code" secured="true" http-method="all"/>
New configuration:
  <Resource context="(.*)/api/identity/user/v1.0/validate-code(.*)" secured="true" http-method="all"/>

Existing configuration:
  <Resource context="(.*)/api/identity/user/v1.0/resend-code" secured="true" http-method="all"/>
New configuration:
  <Resource context="(.*)/api/identity/user/v1.0/resend-code(.*)" secured="true" http-method="all"/>

Existing configuration:
  <Resource context="(.*)/api/identity/user/v1.0/me" secured="true" http-method="POST"/>
New configuration:
  <Resource context="(.*)/api/identity/user/v1.0/me(.*)" secured="true" http-method="POST"/>

Existing configuration:
  <Resource context="(.*)/api/identity/user/v1.0/me" secured="true" http-method="GET"/>
New configuration:
  <Resource context="(.*)/api/identity/user/v1.0/me(.*)" secured="true" http-method="GET"/>

Existing configuration:
  <Resource context="(.*)/scim2/Users" secured="true" http-method="POST">
New configuration:
  <Resource context="(.*)/scim2/Users(.*)" secured="true" http-method="POST">

Existing configuration:
  <Resource context="(.*)/scim2/Groups" secured="true" http-method="POST">
New configuration:
  <Resource context="(.*)/scim2/Groups(.*)" secured="true" http-method="POST">

Existing configuration:
  <Resource context="/scim2/Bulk" secured="true" http-method="all">
New configuration:
  <Resource context="/scim2/Bulk(.*)" secured="true" http-method="all">

Existing configuration:
  <Resource context="(.*)/api/identity/consent-mgt/v1.0/consents/pii-categories" secured="true" http-method="POST">
New configuration:
  <Resource context="(.*)/api/identity/consent-mgt/v1.0/consents/pii-categories(.*)" secured="true" http-method="POST">

Existing configuration:
  <Resource context="(.*)/api/identity/consent-mgt/v1.0/consents/purposes" secured="true" http-method="POST">
New configuration:
  <Resource context="(.*)/api/identity/consent-mgt/v1.0/consents/purposes(.*)" secured="true" http-method="POST">

Existing configuration:
  <Resource context="(.*)/api/identity/consent-mgt/v1.0/consents/purpose-categories" secured="true" http-method="POST">
New configuration:
  <Resource context="(.*)/api/identity/consent-mgt/v1.0/consents/purpose-categories(.*)" secured="true" http-method="POST">
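The following script is an added example, not part of this advisory and not WSO2 code. It models the <ResourceAccessControl> rules above as regular-expression patterns and shows why the trailing (.*) matters: under full-match semantics (assumed here to be how the context is compared with the request URI, in the manner of Java's Pattern.matches; re.fullmatch is the Python equivalent), a context that stops at the resource path does not match a request URI that merely extends that path, so such a request reaches the backend without a secured rule having applied. The identity.xml fragment, the <Permissions> value, and the probe URI variants are all constructed for the example; whether a particular backend routes each variant to the same handler is deployment-specific. The audit_file helper runs the same "is every secured context suffixed with (.*)" check against a real identity.xml.

```python
import re
import xml.etree.ElementTree as ET

# Constructed stand-in for the <ResourceAccessControl> section of
# IS_HOME/repository/conf/identity/identity.xml *before* the fix: the contexts
# end at the resource path with no trailing (.*). The <Permissions> value is
# illustrative, not copied from a real file.
IDENTITY_XML_BEFORE = """<Server>
  <ResourceAccessControl>
    <Resource context="(.*)/scim2/Users" secured="true" http-method="POST">
      <Permissions>/permission/admin/manage/identity/usermgt/create</Permissions>
    </Resource>
    <Resource context="(.*)/scim2/Groups" secured="true" http-method="POST"/>
    <Resource context="/scim2/Bulk" secured="true" http-method="all"/>
    <Resource context="(.*)/api/identity/user/v1.0/me" secured="true" http-method="GET"/>
  </ResourceAccessControl>
</Server>
"""


def load_rules(xml_text):
    """Return the <Resource> entries as dicts with keys context, secured, method."""
    root = ET.fromstring(xml_text)
    rules = []
    for res in root.iter("Resource"):
        rules.append({
            "context": res.get("context", ""),
            # tolerate the stray space seen in secured=" true"
            "secured": (res.get("secured") or "").strip().lower() == "true",
            "method": (res.get("http-method") or "all").strip().upper(),
        })
    return rules


def matching_rule(rules, method, request_uri):
    """First rule whose HTTP method and context pattern cover the request URI.

    Assumption: the context is compared against the request URI (no query
    string) with full-match semantics, as Java's Pattern.matches does; the
    leading (.*) in the shipped patterns only makes sense under that model.
    """
    for rule in rules:
        if rule["method"] not in ("ALL", method.upper()):
            continue
        if re.fullmatch(rule["context"], request_uri):
            return rule
    return None


def is_secured(rules, method, request_uri):
    """True only when a secured rule actually matches this method and URI."""
    rule = matching_rule(rules, method, request_uri)
    return rule is not None and rule["secured"]


def unanchored_contexts(rules):
    """Secured contexts that stop at the resource path: the pre-fix shape."""
    return [r["context"] for r in rules
            if r["secured"] and not r["context"].endswith("(.*)")]


def harden(rules):
    """Apply the advisory's change: append (.*) to every context that lacks it."""
    fixed = []
    for r in rules:
        ctx = r["context"] if r["context"].endswith("(.*)") else r["context"] + "(.*)"
        fixed.append({**r, "context": ctx})
    return fixed


def probe_variants(resource_path):
    """Constructed request URIs that extend the resource path."""
    return [resource_path, resource_path + "/", resource_path + "/.",
            resource_path + ";jsessionid=x"]


def unprotected_variants(rules, method, resource_path):
    """Variants of resource_path that no secured rule matches."""
    return [p for p in probe_variants(resource_path)
            if not is_secured(rules, method, p)]


def audit_file(path):
    """Run the unanchored-context check against a real identity.xml on disk."""
    with open(path, encoding="utf-8") as fh:
        return unanchored_contexts(load_rules(fh.read()))


if __name__ == "__main__":
    before = load_rules(IDENTITY_XML_BEFORE)
    after = harden(before)
    print("unanchored contexts before fix:", unanchored_contexts(before))
    print("POST /scim2/Users variants unprotected before fix:",
          unprotected_variants(before, "POST", "/scim2/Users"))
    print("POST /scim2/Users variants unprotected after fix: ",
          unprotected_variants(after, "POST", "/scim2/Users"))
```

After applying the configuration change and restarting, the practical check is the same one the script emulates: an unauthenticated POST to a suffixed form of the SCIM 2.0 resource path (for example /scim2/Users/) must be rejected by the server exactly as a POST to /scim2/Users is, and the unanchored-context audit over the live identity.xml should return an empty list.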

Info

If you are using a newer version of a product than the ones listed under "AFFECTED PRODUCTS", this vulnerability is already fixed in that version.