Security Advisory WSO2-2020-0864

Published: December 09, 2020

Version: 1.0.0

WSO2 Identity Server and WSO2 IS as Key Manager

Severity: Critical

CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

WSO2 API Manager

Severity: Medium

CVSS Score: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

AFFECTED PRODUCTS

  • WSO2 API Manager : 3.2.0 or earlier
  • WSO2 IS as Key Manager : 5.10.0 or earlier
  • WSO2 Identity Server : 5.10.0 or earlier

OVERVIEW

A potential default credential usage is identified

DESCRIPTION

It is not instructed from the product documentation to change the default credential used by the out-of-the-box web applications to authenticate with the product's REST APIs that are marked as secure under the ResourceAccessControl tag of identity.xml file. Therefore, the default credential could still be available in a running deployment.

IMPACT

Product REST APIs' client authentication mechanism is currently undocumented. Therefore, even if the default credential might be revealed via the configuration files, an attacker has to analyze the source code in order to identify how to use those and authenticate to the REST APIs. Furthermore, the risk is greatly reduced if these APIs are not exposed publicly.

If an attacker manages to exploit this, WSO2 Identity Server and WSO2 IS as Key Manager versions (listed under Affected Product Versions) could have a critical impact in the worst-case scenario, because those products expose the SCIM API that can be used for managing the end users.

In contrast, WSO2 API Manager versions have only a medium impact because they do not expose critical product-level REST APIs that accept the affected credential.

Follow the below steps to check whether the vulnerability is exploited or not.

  • Analyze the access logs of the load balancers or any intermediary component used for routing traffic to the WSO2 servers.
  • Pay attention to the /api/, /scim2/ patterns and identify the IPs of the clients that accessed the protected resources.
  • Verify those IPs are known ones. To confirm the IPs are trusted, you may have to correlate those IPs with historical data.
  • If untrusted IPs are found, check the status codes of the above requests to make sure that 200, 201 are not found. If you identify such successful requests, analyze all API resources that particular user tried out. This can be done by checking the actions performed in audit.log of WSO2 servers within the timeframe of such requests.

SOLUTION

If you are using one of the following product versions,

  • WSO2 API Manager: 2.6.0, 2.5.0, 2.2.0
  • WSO2 IS as Key Manager: 5.7.0, 5.6.0, 5.5.0, 5.3.0
  • WSO2 Identity Server: 5.8.0, 5.7.0, 5.6.0, 5.5.0, 5.4.1, 5.4.0, 5.3.0

Then,

  1. Shut down the server, if you have already started.

  2. Add following configuration changes to secure your deployment from this vulnerability.

    1. (This step is not applicable for WSO2 API Manager.) If RecoveryEndpointConfig.properties file does not exist in <PRODUCT_HOME>/repository/conf/identity directory,

      Get a copy of the RecoveryEndpointConfig.properties file located in the <PRODUCT_HOME>/repository/deployment/server/webapps/accountrecoveryendpoint/ WEB-INF/classes directory and add it to the <PRODUCT_HOME>/repository/conf/identity directory. Update the value of app.password property to a preferred password in the RecoveryEndpointConfig.properties file in <PRODUCT_HOME>/repository/conf/identity directory.

      app.password="<preferred_password>"

      Info

      (Only applicable if the 'accountrecoveryendpoint' webapp is hosted outside of the product): Do the above changes to the app.password property in the RecoveryEndpointConfig.properties file found in the root of the accountrecoveryendpoint folder and RecoveryEndpointConfig.properties file located in the /WEB-INF/classes directory.

    2. Go to <PRODUCT_HOME>/repository/conf/identity/EndpointConfig.properties and check if app.password property is available. If it is available, follow the below instructions:

      If you had to follow step 2.1, update the value of app.password property to the same preferred password used in that step. If that step was not applicable, you may use any preferred password.

      app.password="<preferred_password>"

      Info

      (Only applicable if the authenticationendpoint webapp is hosted outside of the product): If app.password property is available in the EndpointConfig.properties file found in the root of the authenticationendpoint folder and EndpointConfig.properties file located in the /WEB-INF/classes directory, then do the above changes.

    3. Go to <PRODUCT_HOM>/repository/conf/identity/identity.xml

      If steps 2.1 or/and 2.2 was applicable for your product, update the hash value of the Application name dashboard under the ClientAppAuthentication tag to the SHA-256 hash of the same preferred password used in those steps. If neither of those steps were applicable, you may use the SHA-256 hash of any preferred password.

      <ClientAppAuthentication>
    <Application name="dashboard" hash="<SHA-256 hash of the newly added app.password property value>"/>
</ClientAppAuthentication>

  3. Once the above configuration changes are completed, restart the server with :

    Linux/Unix 

    sh wso2server.sh

    Windows : 

    wso2server.bat

If you are using one of the following product versions,

  • WSO2 API Manager: 3.0.0, 3.1.0, 3.2.0
  • WSO2 IS as Key Manager: 5.9.0, 5.10.0
  • WSO2 Identity Server: 5.9.0, 5.10.0

Then,

  1. Apply relevant configuration changes and new configuration files as per the public fix:

    • https://github.com/wso2/carbon-identity-framework/pull/3076/files
    • https://github.com/wso2/carbon-identity-framework/pull/3096/files

  2. Shut down the server, if you have already started.

  3. Add the following configuration changes to <PRODUCT_HOME>/repository/conf/deployment.toml file.

    1. Add the app_password property value of [identity.auth_framework.endpoint] to a preferred password.

      [identity.auth_framework.endpoint]
app_password="<value_of_preferred_password>"

    2. Add SHA-256 hash value of the added app_password property value to the hash property value of [account_recovery.endpoint.auth]. 

      [account_recovery.endpoint.auth]
hash="<SHA-256 hash of the newly added app_password property value>"

      If the authenticationendpoint web app is hosted externally. Open the EndpointConfig.properties file found in the root of the authenticationendpoint folder. Change the app.password property value to the value added as app_password in the deployment.toml file. And do the same changes to the EndpointConfig.properties file located in the /WEB-INF/classes directory.

      If the accountrecoveryendpoint web app is hosted externally. Open the RecoveryEndpointConfig.properties file found in the root of the accountrecoveryendpoint folder. Change the app.password property value to the value added as app_password in the deployment.toml file. And do the same changes to the RecoveryEndpointConfig.properties file located in the /WEB-INF/classes directory.

  4. Once above configuration changes are completed, restart the server with :

    Linux/Unix 

    sh wso2server.sh

    Windows : 

    wso2server.bat

Info

If you are a WSO2 customer with a support subscription, use WSO2 Update Manager(WUM) updates in order to apply the fix to the affected versions.