Severe WSO2 SOAP Flaw Allows Unauthorized Password Resets for Any User
A newly disclosed vulnerability, CVE-2024-6914, has shocked the enterprise software community, affecting a wide range of WSO2 products.
The flaw, rated with a CVSS score of 9.8 (Critical), stems from an incorrect authorization mechanism in the account recovery-related SOAP admin service.
This business logic error allows attackers to exploit the service and reset the password of any user account, including those with administrative privileges, resulting in a complete account takeover.
The vulnerability is specifically exploitable through SOAP admin services exposed under the /services context path.
If these endpoints are accessible from untrusted networks, attackers can remotely manipulate the account recovery process without requiring prior authentication.
The technical root of the issue lies in the mishandling of authorization checks during password reset operations, enabling unauthorized actors to invoke sensitive methods via SOAP requests.
Scope: Affected Products and Attack Vectors
CVE-2024-6914 impacts multiple major WSO2 offerings, including but not limited to:
- WSO2 API Manager (versions 2.2.0 through 4.3.0)
- WSO2 Identity Server (versions 5.3.0 through 7.0.0)
- WSO2 Identity Server as Key Manager (various versions)
- WSO2 Open Banking AM/IAM/KM (various versions)
The vulnerability is triggered when the SOAP admin service, particularly the deprecated UserInformationRecoveryService, is exposed to public or untrusted networks.
Attackers can craft SOAP requests to the /services/UserInformationRecoveryService endpoint and invoke password reset functions for arbitrary user accounts.
The original article included an illustrative SOAP request at this point; its XML markup was lost in extraction, and only two values survive from it: the target username “admin” and the replacement password “NewP@ssw0rd!”.
If the service is not properly restricted, such a request could reset the password for the admin account, granting the attacker full control over the system.
Mitigation, Severity, and Vendor Response
WSO2 has acknowledged the vulnerability and released security advisories alongside update patches for all affected products.
The company urges customers to immediately restrict access to the /services context path from untrusted networks, following the “Security Guidelines for Production Deployment.”
When these guidelines are implemented and access is limited to trusted networks, the severity is reduced to High (CVSS 8.8), but the risk remains significant if endpoints are exposed.
For immediate mitigation, WSO2 recommends applying the latest patches or, as a temporary measure, updating configurations to require ‘admin’ permissions for the affected SOAP services.
Customers can verify the effectiveness of these fixes using the scripts provided in the official advisory.
Enterprises are also advised to audit their deployments for any exposure of the vulnerable endpoints and to monitor for unauthorized password reset attempts.
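The audit-and-monitor advice above can be turned into a simple log check. The following Python script is an added example written for this page; it is not code from the article or from WSO2. It assumes the gateway in front of WSO2 writes combined-format access logs (the sample lines are constructed, not real logs) and that 10.0.0.0/8 is the only trusted network; both are assumptions to adapt to the real deployment. It flags every request to the /services context from an untrusted address and counts repeated calls to UserInformationRecoveryService, which is the pattern an exposure of this endpoint would produce.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample access-log lines (combined log format); not real WSO2 logs.
SAMPLE_LOG = """\
10.0.5.12 - - [14/Aug/2024:10:01:02 +0000] "POST /services/UserInformationRecoveryService HTTP/1.1" 200 512
203.0.113.7 - - [14/Aug/2024:10:01:09 +0000] "POST /services/UserInformationRecoveryService HTTP/1.1" 200 498
203.0.113.7 - - [14/Aug/2024:10:01:15 +0000] "POST /services/UserInformationRecoveryService HTTP/1.1" 200 498
198.51.100.3 - - [14/Aug/2024:10:02:30 +0000] "GET /carbon/admin/login.jsp HTTP/1.1" 200 2048
198.51.100.3 - - [14/Aug/2024:10:02:41 +0000] "POST /services/UserAdmin HTTP/1.1" 401 0
"""

# Assumption: only this network is allowed to reach the /services context path.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

RECOVERY_PATH = "/services/UserInformationRecoveryService"

# Combined log format: client, ident, user, [timestamp], "METHOD path proto", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_trusted(ip, trusted=TRUSTED_NETWORKS):
    """True if the client address falls inside one of the trusted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in trusted)


def find_exposed_soap_calls(log_text, trusted=TRUSTED_NETWORKS):
    """Return every request to the /services context made from an untrusted address.

    Each finding carries a 'recovery_service' flag so calls to the deprecated
    UserInformationRecoveryService can be prioritised over other admin services.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith("/services"):
            continue
        if is_trusted(rec["ip"], trusted):
            continue
        rec["recovery_service"] = rec["path"].startswith(RECOVERY_PATH)
        findings.append(rec)
    return findings


def summarize(findings):
    """Count untrusted hits per (client, path); repeated recovery calls stand out."""
    return Counter((f["ip"], f["path"]) for f in findings)


if __name__ == "__main__":
    hits = find_exposed_soap_calls(SAMPLE_LOG)
    for (ip, path), n in summarize(hits).most_common():
        print(f"{n:3d}  {ip:15s}  {path}")
```

Any successful (HTTP 200) call to UserInformationRecoveryService from outside the trusted network is worth investigating as a possible password reset attempt; once the /services path is restricted per the vendor guidelines, the expected result of this check on fresh logs is an empty list.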
WSO2 credits the anonymous researcher working with Trend Micro Zero Day Initiative for responsibly reporting the issue.
Organizations using WSO2 products should act swiftly to remediate this vulnerability to prevent potential account takeovers and associated data breaches.