SECURITY ADVISORY WSO2-2023-2617

Published: June 20, 2024

Version: 1.0.0

Severity: Critical

CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


AFFECTED PRODUCTS

  • WSO2 Identity Server 5.10.0, 5.11.0, 6.0.0, 6.1.0
  • WSO2 Identity Server as Key Manager 5.10.0
  • WSO2 API Manager 3.2.0, 4.0.0, 4.1.0, 4.2.0

OVERVIEW

A potential default credential usage is identified.

DESCRIPTION

WSO2 Products have a set of internal Management REST APIs which are used to communicate between backend components. By default, these APIs are protected by a default password which is embedded into product configuration. It is required to change this default password with a secure password to prevent any unauthorized external client invoking these management APIs. However, WSO2 API Manager product documentation does not contain instructions to change this default password. Therefore, the default credential could be actively used in running deployments which is a security risk.

Changing default credentials relevant to WSO2 Identity Server is already covered under the Security Guidelines for Production Deployment under Configure client authentication section. Hence, WSO2 Identity Server deployments are considered unaffected. However, it's recommended to verify if security guidelines are applied properly in production environments.

In addition, above mentioned products do not cover configuration changes to be done when Secure Vault is enabled (e.g., 12). Relevant instructions are also made available with this advisory.

IMPACT

The custom authentication mechanism used in an internal Product Management REST API is currently undocumented and would require some specific information for successful invocation. Therefore, a malicious actor has to analyze the source code in order to identify how to perform an API invocation by using these credentials.

The successful exploitation could allow a malicious actor to impersonate and authenticate as a different targeted user (including an administrator, given the username of the administrator user is known to the malicious actor), and perform other operations that could impact the security of the system.

We do not have any evidence as of now that suggests this vulnerability is being exploited. However, you may follow the below steps to confirm whether the vulnerability has been exploited:

  • Analyze the access logs of the load balancers or any intermediary component used for routing traffic to the WSO2 servers.
  • Look for invocations made to /api/ patterns and identify the IPs of the clients that accessed the protected resources.
  • Verify API invocations are from trusted IPs. To confirm, you may have to correlate with historical logs.
    • If untrusted IPs are found, check for whether there are successful attempts (HTTP response status codes such as 200, and 201). If you identify such requests, analyze all API resources that particular user tried out. This can be done by checking the actions performed in the audit.log of WSO2 servers within the timeframe of such requests.

SOLUTION

WSO2 Subscription holders may refer to the below table. You should update your product to the specified update level or a higher update level to apply the fix.

Product Name Product Version Update Level
WSO2 API Manager 4.2.0 No need to get the update. You can directly apply the recommanded configurations.
WSO2 API Manager 4.1.0 No need to get the update. You can directly apply the recommanded configurations.
WSO2 API Manager 4.0.0 No need to get the update. You can directly apply the recommanded configurations.
WSO2 API Manager 3.2.0 270
WSO2 Identity Server 6.1.0 No need to get the update. You can directly apply the recommanded configurations.
WSO2 Identity Server 6.0.0 No need to get the update. You can directly apply the recommanded configurations.
WSO2 Identity Server 5.11.0 No need to get the update. You can directly apply the recommanded configurations.
WSO2 Identity Server 5.10.0 225
WSO2 Identity Server as Key Manager 5.10.0 221

If you are an open-source user or using a product version that is EOL (End of License); You may migrate to the latest version of the product if the latest version is not listed under the affected products list.

Along with above code level fix/update, it is necessary to apply the below-given configurations according to the instructions provided, based on the relevant product.

Configuration Changes for WSO2 Identity Server

  • WSO2 Identity Server 5.11.0, 6.0.0, 6.1.0, 5.10.0
  • WSO2 Identity Server as Key Manager 5.10.0

Note

If you are not using Secure Vault 4, follow below steps to update the new password.

Following instructions are also already available in the Security Guidelines for Production Deployment documentation available at 4 5 6 7 . If you have already followed these instructions, the deployment is not vulnerable and no further action is required.

Please note that the instructions below assume that the new password is FjW8020nKEUdkzf. Please change the example value based on the password you choose.

  1. Stop the running WSO2 Product packs.
  2. Add the following configuration changes to the <PRODUCT_HOME>/repository/conf/deployment.toml file:

    1. Add the app_password property value of [identity.auth_framework.endpoint] to a preferred password. Please change the FjW8020nKEUdkzf example value to the new password.

      [identity.auth_framework.endpoint] 
      app_password="FjW8020nKEUdkzf"
      

    2. Add the SHA-256 hash value of the added app_password property value to the hash property value of [account_recovery.endpoint.auth]. a929a8027fdabf6b923a5ef1a0dd5034a97027083df2122588918d1fc90efd18 is the SHA-256 hash of the example password FjW8020nKEUdkzf. Please change the example value to the SHA-256 hash of the new password. toml [account_recovery.endpoint.auth] hash="a929a8027fdabf6b923a5ef1a0dd5034a97027083df2122588918d1fc90efd18"

    3. Please follow the below steps if you have hosted Authentication Endpoint and Account Recovery Endpoint web applications external to the deployment.

      • If the Authentication Endpoint web application is hosted externally, open the EndpointConfig.properties file found in the root of the authenticationendpoint folder. Change the app.password property value to the value added as app_password in the deployment.toml file. And do the same changes to the EndpointConfig.properties file located in the /WEB-INF/classes directory.

      • If the Account Recovery Endpoint web application is hosted externally, open the RecoveryEndpointConfig.properties file found in the root of the accountrecoveryendpoint folder. Change the app.password property value to the value added as app_password in the deployment.toml file. And do the same changes to the RecoveryEndpointConfig.properties file located in the /WEB-INF/classes directory.

  3. Once configuration changes are completed, start the WSO2 Product packs.

Note

If you are using SecureVault 3, follow below steps to update and encrypt the new password.

Please note that the instructions below assume that the new password is FjW8020nKEUdkzf. Please change the example value based on the password you choose.

  1. Stop the running WSO2 Product packs.
  2. Add the following property to the deployment.toml file. If the [identity.auth_framework.endpoint] property is already defined, update the value to $secret{dashboard_password}.
    [identity.auth_framework.endpoint]
    app_password="$secret{dashboard_password}"
    
  3. Add the dashboard_password property to the [secrets] block in the deployment.toml file. Please change the FjW8020nKEUdkzf example value to the new password.

    The [secrets] configuration section should be added at the very end of the deployment.toml file or else this will cause errors in server startup.

    [secrets]
    dashboard_password  = "[FjW8020nKEUdkzf]"
    
    4. Add the following property to the deployment.toml file. a929a8027fdabf6b923a5ef1a0dd5034a97027083df2122588918d1fc90efd18 is the SHA-256 hash of the example password FjW8020nKEUdkzf. Please change the example value to the SHA-256 hash of the new password.
    [account_recovery.endpoint.auth] 
    hash="a929a8027fdabf6b923a5ef1a0dd5034a97027083df2122588918d1fc90efd18"
    
    5. Navigate to <PRODUCT_HOME>/bin and execute

    ./ciphertool.sh -Dconfigure
    

    Once the above steps are complete, the secret should be encrypted in the deployment.toml file as follows (secret value will differ from the example value below).

    [secrets]
    dashboard_password = "X+UWvPXSnrWCjQ1uj0a/5pqY9WP33leJJZofGHtf7VwG9v1ebj4PJ0P4K8X1hNDfPLIFeGSYjdeo4+4uECeDt898rzQGuy7FHy4UZW1X/xxpuc62WlrWYChfQNNmyCU0yDA9G2M232kR81kcU06FjkTX6oRE5lNxADQ/7KpMVDIuxl/09cR4hLp8b1O8obLfLcDw0J7Obd/3VYpQ9ITiPyRuFhN1+A8KzmKllld+bHYIFsCaEq2HorzjfbvYTevhL3ppPHKWbPOSZwhG0Yq0qiK3SuOk9o+/V2Yukxp7EKOh33DeSiB4u/quJm1lbvvWt3LylmzZ83oc5Ie2jb8riA=="
    

  4. Once configuration changes are completed, start the WSO2 Product packs.

Configuration Changes for WSO2 API Manager

  • WSO2 API Manager 4.0.0, 4.1.0, 4.2.0, 3.2.0

Please note that the instructions below assume that the new password is FjW8020nKEUdkzf. Please change the example value based on the password you choose.

Note

If you are not using Secure Vault 3, follow below steps to update the new password.

  1. Stop the running WSO2 Product packs.

  2. Add the following configuration changes to the <PRODUCT_HOME>/repository/conf/deployment.toml file:

    • Add the app_password property value of [identity.auth_framework.endpoint] to a preferred password. Please change the FjW8020nKEUdkzf example value to the new password.
      [identity.auth_framework.endpoint] 
      app_password="FjW8020nKEUdkzf"
      
    • Add the SHA-256 hash value of the added app_password property value to the hash property value of [account_recovery.endpoint.auth]. a929a8027fdabf6b923a5ef1a0dd5034a97027083df2122588918d1fc90efd18 is the SHA-256 hash of the example password FjW8020nKEUdkzf. Please change the example value to the SHA-256 hash of the new password.
      [account_recovery.endpoint.auth] 
      hash="a929a8027fdabf6b923a5ef1a0dd5034a97027083df2122588918d1fc90efd18"
      

Please follow the below steps if you have hosted Authentication Endpoint and Account Recovery Endpoint web applications external to the deployment.

  • If the Authentication Endpoint web application is hosted externally, open the EndpointConfig.properties file found in the root of the authenticationendpoint folder. Change the app.password property value to the value added as app_password in the deployment.toml file. And do the same changes to the EndpointConfig.properties file located in the /WEB-INF/classes directory.

  • If the Account Recovery Endpoint web application is hosted externally, open the RecoveryEndpointConfig.properties file found in the root of the accountrecoveryendpoint folder. Change the app.password property value to the value added as app_password in the deployment.toml file. And do the same changes to the RecoveryEndpointConfig.properties file located in the /WEB-INF/classes directory.

  • Once configuration changes are completed, start the WSO2 Product packs.

Note

If you are using SecureVault 3, follow below steps to update and encrypt the new password.

Please note that the instructions below assume that the new password is FjW8020nKEUdkzf. Please change the example value based on the password you choose.

  1. Stop the running WSO2 Product packs.
  2. Add the following property to the deployment.toml file. If the [identity.auth_framework.endpoint] property is already defined, update the value to $secret{dashboard_password}.
    [identity.auth_framework.endpoint]
    app_password="$secret{dashboard_password}"
    
  3. Add the dashboard_password property to the [secrets] block in the deployment.toml file. Please change the FjW8020nKEUdkzf example value to the new password.

    The [secrets] configuration section should be added at the very end of the deployment.toml file or else this will cause errors in server startup.

    [secrets]
    dashboard_password  = "[FjW8020nKEUdkzf]"
    
    4. Add the following property to the deployment.toml file. a929a8027fdabf6b923a5ef1a0dd5034a97027083df2122588918d1fc90efd18 is the SHA-256 hash of the example password FjW8020nKEUdkz. Please change the example value to the SHA-256 hash of the new password.

    [account_recovery.endpoint.auth] 
    hash="a929a8027fdabf6b923a5ef1a0dd5034a97027083df2122588918d1fc90efd18"
    
  4. Navigate to <PRODUCT_HOME>/bin and execute

    ./ciphertool.sh -Dconfigure
    

    Once the above steps are complete, the secret should be encrypted in the deployment.toml file as follows (secret value will differ from the example value below).

    [secrets]
    dashboard_password = "X+UWvPXSnrWCjQ1uj0a/5pqY9WP33leJJZofGHtf7VwG9v1ebj4PJ0P4K8X1hNDfPLIFeGSYjdeo4+4uECeDt898rzQGuy7FHy4UZW1X/xxpuc62WlrWYChfQNNmyCU0yDA9G2M232kR81kcU06FjkTX6oRE5lNxADQ/7KpMVDIuxl/09cR4hLp8b1O8obLfLcDw0J7Obd/3VYpQ9ITiPyRuFhN1+A8KzmKllld+bHYIFsCaEq2HorzjfbvYTevhL3ppPHKWbPOSZwhG0Yq0qiK3SuOk9o+/V2Yukxp7EKOh33DeSiB4u/quJm1lbvvWt3LylmzZ83oc5Ie2jb8riA=="
    
  5. Once configuration changes are completed, start the WSO2 Product packs.

Further, we have tested the general product use cases after incorporating this fix. However, please make sure to test your business use cases in development/test environments before proceeding to update the production environment.

Important

It is strongly recommended to migrate to the latest version of WSO2 API Manager and apply the relevant configurations if you are using WSO2 APIM 3.2.0.

REFERENCES