Auto-Generated Password Vulnerability In Sitevision Leaks Signing Key


A critical security flaw in Sitevision CMS versions 10.3.1 and older has exposed SAML authentication signing keys, enabling potential authentication bypass and session hijacking.

The vulnerability, tracked as CVE-2022-35202, stems from weak auto-generated passwords protecting Java keystores, which could be extracted and brute-forced to compromise private keys.

Sitevision, a widely adopted content management system in Sweden’s public sector and enterprise environments, relies on SAML for secure authentication flows.

This vulnerability highlights systemic risks in automated credential generation and WebDAV misconfigurations. The vulnerability chain begins with Sitevision’s use of WebDAV for content management.

In non-default configurations, the /webdav/files/ directory became accessible, exposing a saml-keystore file containing cryptographic keys for SAML Authn request signing.

This Java keystore (JKS) uses an 8-character auto-generated password with lowercase letters and digits, making it susceptible to brute-force attacks.

Analysts at Shelltrail found that adversaries could retrieve the keystore's password hash (SHA-1 based) using tools like JksPrivkPrepare.jar, then crack it with GPU-accelerated tools like Hashcat.

For example:

```bash
hashcat -m 15500 -a 3 saml-keystore.hash -1 ?d?l ?1?1?1?1?1?1?1?1 -w 3 -O
```

This command targets the 8-character alphanumeric space, cracking the hash in ~15 hours on moderate hardware. Once decrypted, the oiosaml private key allows signing malicious SAML Authn requests.

Exploitation Mechanics and SAML Flow Manipulation

The compromised private key enables attackers to forge SAML Authn requests with malicious AssertionConsumerServiceURL values.

While SAML 2.0 requires Identity Providers (IdPs) to validate this URL against pre-registered SP metadata, some IdPs prioritize signed requests over metadata checks.

Saml-keystore (Source – Shelltrail)

This allows redirection of authentication tokens to attacker-controlled endpoints, hijacking user sessions.

The WebDAV directory listing exposes saml-keystore, while Hashcat cracks the JKS password.

Password saved in configuration file (Source – Shelltrail)

The keystore’s contents can be inspected using Java’s keytool:

```bash
keytool -list -keystore saml-keystore
```

Output reveals the oiosaml PrivateKeyEntry, confirming the key’s role in SAML signing.

Sitevision patched the vulnerability in version 10.3.2 by enforcing stronger passwords, though existing installations require manual rotation.

Organizations using SAML must ensure IdPs validate AssertionConsumerServiceURL against metadata, irrespective of request signatures.
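As an added illustration of that metadata check (example code written for this article, not Sitevision's or Shelltrail's), the following Python sketches an IdP-side validation step: the AuthnRequest's AssertionConsumerServiceURL is compared against the SP's registered metadata, and a valid signature alone never causes acceptance. The entity IDs, URLs, registry and sample request are constructed.

```python
import xml.etree.ElementTree as ET

# Namespaces used by SAML 2.0 AuthnRequests.
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed stand-in for the IdP's registered SP metadata:
# issuer (entityID) -> set of registered AssertionConsumerService locations.
REGISTERED_SPS = {
    "https://sp.example.test/saml/metadata": {
        "https://sp.example.test/saml/acs",
    },
}

def validate_acs_url(authn_request_xml, signature_valid):
    """Return (accepted, reason). A valid signature is necessary but not
    sufficient: the ACS URL must exactly match the SP's registered metadata,
    so a request signed with a leaked SP key still cannot redirect tokens."""
    if not signature_valid:
        return False, "signature invalid"
    root = ET.fromstring(authn_request_xml)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        return False, "not an AuthnRequest"
    issuer_el = root.find("saml:Issuer", NS)
    issuer = (issuer_el.text or "").strip() if issuer_el is not None else ""
    registered = REGISTERED_SPS.get(issuer)
    if registered is None:
        return False, "unknown issuer %r" % issuer
    acs = root.get("AssertionConsumerServiceURL")
    if acs is None:
        # No URL in the request: the IdP uses the default ACS from metadata.
        return True, "using registered default ACS"
    # Exact string match against metadata; no host or prefix heuristics.
    if acs not in registered:
        return False, "AssertionConsumerServiceURL %r not registered for %r" % (acs, issuer)
    return True, "ACS URL matches registered metadata"

# Constructed sample: a well-formed request whose ACS URL points at an unregistered host.
UNREGISTERED_ACS_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_1" Version="2.0"
  IssueInstant="2022-07-01T00:00:00Z"
  AssertionConsumerServiceURL="https://unregistered.example.test/acs">
  <saml:Issuer>https://sp.example.test/saml/metadata</saml:Issuer>
</samlp:AuthnRequest>"""

# Same request with the ACS URL that the SP actually registered.
LEGIT_REQUEST = UNREGISTERED_ACS_REQUEST.replace(
    "https://unregistered.example.test/acs", "https://sp.example.test/saml/acs")
```

Real deployments should perform this check inside the IdP after signature verification, using the metadata the SP registered at onboarding rather than anything carried in the request.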

Accordingly, administrators should immediately:

  1. Upgrade to Sitevision 10.3.2+ and manually rotate saml-keystore passwords.
  2. Audit WebDAV configurations to restrict unauthorized access.
  3. Coordinate with IdP vendors to enforce metadata-based URL validation.
