A critical vulnerability has been discovered in Sitevision CMS, specifically affecting versions 10.3.1 and earlier. This flaw, identified as CVE-2022-35202, allows attackers to access private keys used for signing SAML authentication requests. The root of the problem lies in the usage of a Java keystore accessible through WebDAV, safeguarded by a low-complexity password that is automatically generated.
The potential consequences of this vulnerability are substantial, as it could lead to a compromise of the authentication process in certain setups. The vulnerability came to light when a WebDAV instance on a Sitevision site exposed a file named “saml-keystore,” containing both the public and private keys used for SAML authentication. Although the keystore was password-protected, the password was generated with weak complexity: only lowercase letters and digits, limited to eight characters. Researchers were able to crack this password in a matter of hours using tools like JksPrivkPrepare.jar and Hashcat for brute-force attacks.
If exploited, the extracted private key could be used to sign SAML authentication requests, specifically the SAML Authn requests that initiate the SAML flow between Service Providers (SP) and Identity Providers (IdP). Depending on the configuration of the IdP, and on whether it prioritizes signed Authn requests over pre-configured metadata, an attacker could potentially manipulate certain attributes in the Authn request to redirect authentication tokens to a malicious endpoint. Such unauthorized access to authenticated user sessions is possible only under certain conditions, but it poses a significant security risk.
Sitevision took swift action to address this vulnerability in version 10.3.2 by strengthening the complexity of auto-generated passwords. However, it is crucial for administrators to manually rotate passwords after upgrading, because existing installations retain the weak password and remain vulnerable. The exposure of the saml-keystore file is contingent on specific WebDAV configurations which, though not the default, are common among Sitevision deployments.
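The weakness described above is the size of the password's search space (eight characters drawn from 36 symbols), not the keystore format itself. The following added example, which is not code from Sitevision or from the original advisory, is a small audit helper an administrator could run against a candidate keystore password before rotating it: it estimates brute-force entropy from the character classes actually used, rejects anything below an assumed 128-bit threshold (the threshold value is this example's choice, not a Sitevision setting), and generates a replacement with the standard-library CSPRNG.

```python
import math
import secrets
import string

# Character classes used to estimate the effective alphabet a password draws from.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def used_classes(password: str) -> list:
    """Names of the character classes that appear in the password."""
    return [name for name, chars in CLASSES.items() if any(c in chars for c in password)]


def entropy_bits(password: str) -> float:
    """Brute-force entropy estimate: length * log2(alphabet size).

    The alphabet is the union of the classes the password uses, which is what a
    mask attack against a JKS hash would also assume. An 8-character password of
    lowercase letters and digits (the pattern described in the advisory) scores
    8 * log2(36), roughly 41 bits, which is within reach of a GPU cracker."""
    alphabet = sum(len(CLASSES[name]) for name in used_classes(password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def check_keystore_password(password: str, min_bits: float = 128.0) -> dict:
    """Policy verdict: entropy estimate, classes used, and whether it passes.
    min_bits=128 is this example's assumed threshold, not a vendor value."""
    bits = entropy_bits(password)
    return {
        "entropy_bits": round(bits, 1),
        "classes": used_classes(password),
        "ok": bits >= min_bits,
    }


def generate_keystore_password(length: int = 32) -> str:
    """Generate a replacement keystore password from all four classes using the
    OS CSPRNG (secrets), retrying until every class is represented."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if len(used_classes(candidate)) == len(CLASSES):
            return candidate


if __name__ == "__main__":
    # Constructed sample in the weak pattern the advisory describes (not a real value).
    print(check_keystore_password("abc12345"))
    print(check_keystore_password(generate_keystore_password()))
```

The generated value can then be applied with `keytool -storepasswd -new <new> -keystore saml-keystore` (and `keytool -keypasswd -alias <alias>` for the key entry), after which the WebDAV exposure itself still needs to be closed.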
The vulnerability was responsibly disclosed by researcher Andreas Vikerup in May 2022. Sitevision promptly released a patch and notified affected customers while working closely with Sweden’s national CERT team (CERT-SE), given the critical implications for services relying on the CMS, such as government agencies. This incident underscores the dangers posed by weak password policies and improper system configurations, particularly in widely used platforms.
Organizations utilizing Sitevision CMS are strongly advised to upgrade to version 10.3.2 or later, ensuring the proper configuration of WebDAV access controls and rotating passwords for sensitive keystores. This proactive approach is vital in safeguarding against potential exploitation of vulnerabilities like CVE-2022-35202.
In conclusion, the discovery of this vulnerability serves as a reminder of the importance of maintaining robust security practices and promptly addressing identified weaknesses in software systems. By staying vigilant and proactive, organizations can mitigate the risks associated with cybersecurity threats and protect sensitive data from unauthorized access and exploitation.
