SECURITY ADVISORY WSO2-2023-2617¶
Published: June 20, 2024
Version: 1.0.0
Severity: Critical
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
AFFECTED PRODUCTS¶
- WSO2 Identity Server 5.10.0, 5.11.0, 6.0.0, 6.1.0
- WSO2 Identity Server as Key Manager 5.10.0
- WSO2 API Manager 3.2.0, 4.0.0, 4.1.0, 4.2.0
OVERVIEW¶
A potential default credential usage is identified.
DESCRIPTION¶
WSO2 Products have a set of internal Management REST APIs which are used to communicate between backend components. By default, these APIs are protected by a default password which is embedded into product configuration. It is required to change this default password with a secure password to prevent any unauthorized external client invoking these management APIs. However, WSO2 API Manager product documentation does not contain instructions to change this default password. Therefore, the default credential could be actively used in running deployments which is a security risk.
Changing default credentials relevant to WSO2 Identity Server is already covered under the Security Guidelines for Production Deployment under Configure client authentication section. Hence, WSO2 Identity Server deployments are considered unaffected. However, it's recommended to verify if security guidelines are applied properly in production environments.
In addition, above mentioned products do not cover configuration changes to be done when Secure Vault is enabled (e.g., 12). Relevant instructions are also made available with this advisory.
IMPACT¶
The custom authentication mechanism used in an internal Product Management REST API is currently undocumented and would require some specific information for successful invocation. Therefore, a malicious actor has to analyze the source code in order to identify how to perform an API invocation by using these credentials.
The successful exploitation could allow a malicious actor to impersonate and authenticate as a different targeted user (including an administrator, given the username of the administrator user is known to the malicious actor), and perform other operations that could impact the security of the system.
We do not have any evidence as of now that suggests this vulnerability is being exploited. However, you may follow the below steps to confirm whether the vulnerability has been exploited:
- Analyze the access logs of the load balancers or any intermediary component used for routing traffic to the WSO2 servers.
- Look for invocations made to
/api/
patterns and identify the IPs of the clients that accessed the protected resources. - Verify API invocations are from trusted IPs. To confirm, you may have to correlate with historical logs.
- If untrusted IPs are found, check for whether there are successful attempts (HTTP response status codes such as
200
, and201
). If you identify such requests, analyze all API resources that particular user tried out. This can be done by checking the actions performed in the audit.log of WSO2 servers within the timeframe of such requests.
- If untrusted IPs are found, check for whether there are successful attempts (HTTP response status codes such as
SOLUTION¶
WSO2 Subscription holders may refer to the below table. You should update your product to the specified update level or a higher update level to apply the fix.
Product Name | Product Version | Update Level |
---|---|---|
WSO2 API Manager | 4.2.0 | No need to get the update. You can directly apply the recommanded configurations. |
WSO2 API Manager | 4.1.0 | No need to get the update. You can directly apply the recommanded configurations. |
WSO2 API Manager | 4.0.0 | No need to get the update. You can directly apply the recommanded configurations. |
WSO2 API Manager | 3.2.0 | 270 |
WSO2 Identity Server | 6.1.0 | No need to get the update. You can directly apply the recommanded configurations. |
WSO2 Identity Server | 6.0.0 | No need to get the update. You can directly apply the recommanded configurations. |
WSO2 Identity Server | 5.11.0 | No need to get the update. You can directly apply the recommanded configurations. |
WSO2 Identity Server | 5.10.0 | 225 |
WSO2 Identity Server as Key Manager | 5.10.0 | 221 |
If you are an open-source user or using a product version that is EOL (End of License); You may migrate to the latest version of the product if the latest version is not listed under the affected products list.
Along with above code level fix/update, it is necessary to apply the below-given configurations according to the instructions provided, based on the relevant product.
Configuration Changes for WSO2 Identity Server¶
- WSO2 Identity Server 5.11.0, 6.0.0, 6.1.0, 5.10.0
- WSO2 Identity Server as Key Manager 5.10.0
Note
If you are not using Secure Vault 4, follow below steps to update the new password.
Following instructions are also already available in the Security Guidelines for Production Deployment documentation available at 4 5 6 7 . If you have already followed these instructions, the deployment is not vulnerable and no further action is required.
Please note that the instructions below assume that the new password is FjW8020nKEUdkzf. Please change the example value based on the password you choose.
- Stop the running WSO2 Product packs.
-
Add the following configuration changes to the
<PRODUCT_HOME>/repository/conf/deployment.toml
file:-
Add the
app_password
property value of[identity.auth_framework.endpoint]
to a preferred password. Please change the FjW8020nKEUdkzf example value to the new password.[identity.auth_framework.endpoint] app_password="FjW8020nKEUdkzf"
-
Add the SHA-256 hash value of the added
app_password
property value to thehash
property value of[account_recovery.endpoint.auth]
. a929a8027fdabf6b923a5ef1a0dd5034a97027083df2122588918d1fc90efd18 is the SHA-256 hash of the example password FjW8020nKEUdkzf. Please change the example value to the SHA-256 hash of the new password.toml [account_recovery.endpoint.auth] hash="a929a8027fdabf6b923a5ef1a0dd5034a97027083df2122588918d1fc90efd18"
-
Please follow the below steps if you have hosted Authentication Endpoint and Account Recovery Endpoint web applications external to the deployment.
-
If the Authentication Endpoint web application is hosted externally, open the
EndpointConfig.properties
file found in the root of theauthenticationendpoint
folder. Change theapp.password
property value to the value added asapp_password
in the deployment.toml file. And do the same changes to theEndpointConfig.properties
file located in the/WEB-INF/classes
directory. -
If the Account Recovery Endpoint web application is hosted externally, open the
RecoveryEndpointConfig.properties
file found in the root of theaccountrecoveryendpoint
folder. Change theapp.password
property value to the value added asapp_password
in the deployment.toml file. And do the same changes to theRecoveryEndpointConfig.properties
file located in the/WEB-INF/classes
directory.
-
-
-
Once configuration changes are completed, start the WSO2 Product packs.
Note
If you are using SecureVault 3, follow below steps to update and encrypt the new password.
Please note that the instructions below assume that the new password is FjW8020nKEUdkzf. Please change the example value based on the password you choose.
- Stop the running WSO2 Product packs.
- Add the following property to the deployment.toml file. If the
[identity.auth_framework.endpoint]
property is already defined, update the value to$secret{dashboard_password}
.[identity.auth_framework.endpoint] app_password="$secret{dashboard_password}"
-
Add the
dashboard_password
property to the[secrets]
block in the deployment.toml file. Please change the FjW8020nKEUdkzf example value to the new password.The [secrets] configuration section should be added at the very end of the deployment.toml file or else this will cause errors in server startup.
4. Add the following property to the deployment.toml file. a929a8027fdabf6b923a5ef1a0dd5034a97027083df2122588918d1fc90efd18 is the SHA-256 hash of the example password FjW8020nKEUdkzf. Please change the example value to the SHA-256 hash of the new password.[secrets] dashboard_password = "[FjW8020nKEUdkzf]"
5. Navigate to[account_recovery.endpoint.auth] hash="a929a8027fdabf6b923a5ef1a0dd5034a97027083df2122588918d1fc90efd18"
<PRODUCT_HOME>/bin
and execute./ciphertool.sh -Dconfigure
Once the above steps are complete, the secret should be encrypted in the deployment.toml file as follows (secret value will differ from the example value below).
[secrets] dashboard_password = "X+UWvPXSnrWCjQ1uj0a/5pqY9WP33leJJZofGHtf7VwG9v1ebj4PJ0P4K8X1hNDfPLIFeGSYjdeo4+4uECeDt898rzQGuy7FHy4UZW1X/xxpuc62WlrWYChfQNNmyCU0yDA9G2M232kR81kcU06FjkTX6oRE5lNxADQ/7KpMVDIuxl/09cR4hLp8b1O8obLfLcDw0J7Obd/3VYpQ9ITiPyRuFhN1+A8KzmKllld+bHYIFsCaEq2HorzjfbvYTevhL3ppPHKWbPOSZwhG0Yq0qiK3SuOk9o+/V2Yukxp7EKOh33DeSiB4u/quJm1lbvvWt3LylmzZ83oc5Ie2jb8riA=="
-
Once configuration changes are completed, start the WSO2 Product packs.
Configuration Changes for WSO2 API Manager¶
- WSO2 API Manager 4.0.0, 4.1.0, 4.2.0, 3.2.0
Please note that the instructions below assume that the new password is FjW8020nKEUdkzf. Please change the example value based on the password you choose.
Note
If you are not using Secure Vault 3, follow below steps to update the new password.
-
Stop the running WSO2 Product packs.
-
Add the following configuration changes to the
<PRODUCT_HOME>/repository/conf/deployment.toml
file:- Add the
app_password
property value of[identity.auth_framework.endpoint]
to a preferred password. Please change the FjW8020nKEUdkzf example value to the new password.[identity.auth_framework.endpoint] app_password="FjW8020nKEUdkzf"
- Add the SHA-256 hash value of the added
app_password
property value to thehash
property value of[account_recovery.endpoint.auth]
. a929a8027fdabf6b923a5ef1a0dd5034a97027083df2122588918d1fc90efd18 is the SHA-256 hash of the example password FjW8020nKEUdkzf. Please change the example value to the SHA-256 hash of the new password.[account_recovery.endpoint.auth] hash="a929a8027fdabf6b923a5ef1a0dd5034a97027083df2122588918d1fc90efd18"
- Add the
Please follow the below steps if you have hosted Authentication Endpoint and Account Recovery Endpoint web applications external to the deployment.
-
If the Authentication Endpoint web application is hosted externally, open the
EndpointConfig.properties
file found in the root of theauthenticationendpoint
folder. Change theapp.password
property value to the value added asapp_password
in the deployment.toml file. And do the same changes to theEndpointConfig.properties
file located in the/WEB-INF/classes
directory. -
If the Account Recovery Endpoint web application is hosted externally, open the
RecoveryEndpointConfig.properties
file found in the root of theaccountrecoveryendpoint
folder. Change theapp.password
property value to the value added as app_password in the deployment.toml file. And do the same changes to theRecoveryEndpointConfig.properties
file located in the/WEB-INF/classes
directory. -
Once configuration changes are completed, start the WSO2 Product packs.
Note
If you are using SecureVault 3, follow below steps to update and encrypt the new password.
Please note that the instructions below assume that the new password is FjW8020nKEUdkzf. Please change the example value based on the password you choose.
- Stop the running WSO2 Product packs.
- Add the following property to the deployment.toml file. If the
[identity.auth_framework.endpoint]
property is already defined, update the value to$secret{dashboard_password}
.[identity.auth_framework.endpoint] app_password="$secret{dashboard_password}"
-
Add the
dashboard_password
property to the[secrets]
block in the deployment.toml file. Please change the FjW8020nKEUdkzf example value to the new password.The [secrets] configuration section should be added at the very end of the deployment.toml file or else this will cause errors in server startup.
4. Add the following property to the deployment.toml file. a929a8027fdabf6b923a5ef1a0dd5034a97027083df2122588918d1fc90efd18 is the SHA-256 hash of the example password FjW8020nKEUdkz. Please change the example value to the SHA-256 hash of the new password.[secrets] dashboard_password = "[FjW8020nKEUdkzf]"
[account_recovery.endpoint.auth] hash="a929a8027fdabf6b923a5ef1a0dd5034a97027083df2122588918d1fc90efd18"
-
Navigate to
<PRODUCT_HOME>/bin
and execute./ciphertool.sh -Dconfigure
Once the above steps are complete, the secret should be encrypted in the deployment.toml file as follows (secret value will differ from the example value below).
[secrets] dashboard_password = "X+UWvPXSnrWCjQ1uj0a/5pqY9WP33leJJZofGHtf7VwG9v1ebj4PJ0P4K8X1hNDfPLIFeGSYjdeo4+4uECeDt898rzQGuy7FHy4UZW1X/xxpuc62WlrWYChfQNNmyCU0yDA9G2M232kR81kcU06FjkTX6oRE5lNxADQ/7KpMVDIuxl/09cR4hLp8b1O8obLfLcDw0J7Obd/3VYpQ9ITiPyRuFhN1+A8KzmKllld+bHYIFsCaEq2HorzjfbvYTevhL3ppPHKWbPOSZwhG0Yq0qiK3SuOk9o+/V2Yukxp7EKOh33DeSiB4u/quJm1lbvvWt3LylmzZ83oc5Ie2jb8riA=="
-
Once configuration changes are completed, start the WSO2 Product packs.
Further, we have tested the general product use cases after incorporating this fix. However, please make sure to test your business use cases in development/test environments before proceeding to update the production environment.
Important
It is strongly recommended to migrate to the latest version of WSO2 API Manager and apply the relevant configurations if you are using WSO2 APIM 3.2.0.
REFERENCES¶
-
https://is.docs.wso2.com/en/6.1.0/deploy/security/encrypt-passwords-with-cipher-tool/ ↩
-
https://apim.docs.wso2.com/en/4.2.0/install-and-setup/setup/mi-setup/security/encrypting_plain_text/ ↩
-
https://is.docs.wso2.com/en/6.1.0/deploy/security/encrypt-passwords-with-cipher-tool/ ↩↩↩
-
https://is.docs.wso2.com/en/5.10.0/administer/product-level-security-guidelines/#configuring-client-authentication ↩↩
-
https://is.docs.wso2.com/en/5.11.0/administer/product-level-security-guidelines/#configuring-client-authentication ↩
-
https://is.docs.wso2.com/en/6.0.0/deploy/security/product-level-security-guidelines/#configure-client-authentication ↩
-
https://is.docs.wso2.com/en/6.1.0/deploy/security/product-level-security-guidelines/#configure-client-authentication ↩