Sitevision Auto-Generated Password Vulnerability Lets Hackers Steal Signing Key


A significant vulnerability in Sitevision CMS, versions 10.3.1 and earlier, has been identified, allowing attackers to extract private keys used for signing SAML authentication requests.

The flaw, tracked as CVE-2022-35202, stems from the use of a Java keystore accessible via WebDAV and protected by an auto-generated, low-complexity password.

This vulnerability could potentially enable attackers to compromise authentication processes in certain configurations.

Discovery of the Vulnerability

The issue was uncovered when a WebDAV instance on a Sitevision site exposed a file named saml-keystore.

This file contained a Java keystore with both public and private keys for SAML authentication.

While the keystore was password-protected, the password was auto-generated with weak complexity limited to lowercase letters and digits, eight characters long.

Using tools like JksPrivkPrepare.jar to extract the password hash and Hashcat for brute-force attacks, researchers successfully cracked the password within hours.
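To make the "low complexity" point concrete, here is an added example (not code from the article or from Sitevision) that puts numbers on the described policy of eight lowercase letters and digits, compares it with a stronger assumed replacement policy, and shows how a keystore password should be generated when it is rotated. The guessing rate used for the time estimate is an assumed figure for illustration, not a measurement from the research.

```python
import math
import secrets
import string

# Alphabet the article describes for the auto-generated password: lowercase
# letters plus digits (36 symbols), 8 characters long.
WEAK_ALPHABET = string.ascii_lowercase + string.digits
WEAK_LENGTH = 8

# Assumed stronger policy for comparison (not Sitevision's actual post-fix
# policy): full printable ASCII, 32 characters.
STRONG_ALPHABET = string.ascii_letters + string.digits + string.punctuation
STRONG_LENGTH = 32


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random password of the given length."""
    return length * math.log2(alphabet_size)


def brute_force_hours(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case hours needed to exhaust the whole keyspace at a given rate."""
    return (alphabet_size ** length) / guesses_per_second / 3600.0


def classify_policy(alphabet_size: int, length: int, min_bits: float = 80.0) -> str:
    """Label a generation policy 'weak' if it yields fewer than min_bits of entropy.

    80 bits is an assumed threshold for an offline-crackable secret such as a
    keystore password that protects a long-lived signing key.
    """
    return "weak" if keyspace_bits(alphabet_size, length) < min_bits else "acceptable"


def generate_keystore_password(length: int = STRONG_LENGTH, alphabet: str = STRONG_ALPHABET) -> str:
    """Generate a keystore password from the OS CSPRNG (secrets), never random.random."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Assumed offline guessing rate for a fast JKS cracker on GPU hardware.
    ASSUMED_RATE = 1e9
    for name, alphabet, length in (
        ("article policy", WEAK_ALPHABET, WEAK_LENGTH),
        ("assumed strong policy", STRONG_ALPHABET, STRONG_LENGTH),
    ):
        bits = keyspace_bits(len(alphabet), length)
        hours = brute_force_hours(len(alphabet), length, ASSUMED_RATE)
        print(f"{name}: {bits:.1f} bits, {hours:.3g} h worst case -> "
              f"{classify_policy(len(alphabet), length)}")
    print("example rotated password:", generate_keystore_password())
```

The takeaway is that a 36-symbol, 8-character password gives roughly 41 bits of keyspace, which an offline attacker with the keystore file in hand can exhaust quickly; the policy check above would have flagged it before it protected a signing key.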

Exploitation and Impact

The extracted private key could theoretically be used to sign SAML authentication requests.

Further analysis showed that these keys were used specifically to sign SAML AuthnRequests, the messages that initiate the SAML flow between a Service Provider (SP) and an Identity Provider (IdP).

The vulnerability’s impact depends on whether the IdP prioritizes signed Authn requests over pre-configured metadata.

An attacker exploiting this flaw could manipulate the AssertionConsumerServiceURL attribute in the Authn request to redirect authentication tokens to a malicious endpoint.

According to Shelltrail, this could grant unauthorized access to authenticated user sessions under certain conditions.
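The condition described above, whether the IdP trusts a signed AuthnRequest's AssertionConsumerServiceURL or the ACS endpoints registered in SP metadata, is what decides the impact. The following added example (not code from the article, Sitevision or Shelltrail) shows the IdP-side check that neutralises a stolen request-signing key: the requested ACS URL is only honoured if it appears in the SP's registered metadata, regardless of the signature. The metadata table and the two AuthnRequests are constructed sample data; signature verification is out of scope here and is assumed to happen before this check.

```python
import xml.etree.ElementTree as ET  # for untrusted input in production, prefer defusedxml

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample: ACS endpoints the IdP has on file for each SP entityID,
# as loaded from the SP's metadata at registration time.
SP_METADATA = {
    "https://sp.example.org/metadata": {"https://sp.example.org/saml/acs"},
}


def parse_authn_request(xml_text: str):
    """Return (issuer entityID, requested ACS URL or None) from an AuthnRequest."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    issuer = root.find(f"{{{SAML_NS}}}Issuer")
    if issuer is None or not (issuer.text or "").strip():
        raise ValueError("AuthnRequest has no Issuer")
    return issuer.text.strip(), root.get("AssertionConsumerServiceURL")


def validate_acs(xml_text: str, metadata=SP_METADATA):
    """Decide where the IdP may send the SAML Response.

    Returns (accepted, detail): on success detail is the ACS URL to use; on
    failure it is the reason. A signed request never overrides metadata.
    """
    issuer, requested = parse_authn_request(xml_text)
    allowed = metadata.get(issuer)
    if not allowed:
        return False, f"unknown SP entityID {issuer}"
    if requested is None:
        # No ACS requested: fall back to the metadata default deterministically.
        return True, sorted(allowed)[0]
    if requested not in allowed:
        return False, f"ACS URL {requested} is not registered for {issuer}"
    return True, requested


def _request(acs_attr: str) -> str:
    # Constructed AuthnRequest skeleton; acs_attr is injected as an attribute.
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" '
        f'ID="_req1" Version="2.0" IssueInstant="2022-05-01T00:00:00Z"{acs_attr}>'
        "<saml:Issuer>https://sp.example.org/metadata</saml:Issuer>"
        "</samlp:AuthnRequest>"
    )


# Constructed sample requests: a legitimate one, one pointing at an endpoint
# outside the SP's metadata, and one with no ACS attribute at all.
GOOD_REQUEST = _request(' AssertionConsumerServiceURL="https://sp.example.org/saml/acs"')
FOREIGN_ACS_REQUEST = _request(' AssertionConsumerServiceURL="https://other.example.net/collect"')
NO_ACS_REQUEST = _request("")

if __name__ == "__main__":
    for name, req in (("good", GOOD_REQUEST), ("foreign", FOREIGN_ACS_REQUEST), ("no-acs", NO_ACS_REQUEST)):
        print(name, validate_acs(req))
```

An IdP that behaves this way limits a stolen AuthnRequest signing key to producing requests that still land on the SP's own endpoints, which is why the article's impact assessment hinges on IdP configuration rather than on the key alone.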

Sitevision addressed the vulnerability in version 10.3.2 by enforcing stronger password complexity for auto-generated passwords.

However, existing installations remain vulnerable unless administrators manually rotate passwords after upgrading.

The exposure of the saml-keystore file also depends on specific WebDAV configurations, which are not default but common among Sitevision deployments.

The vulnerability was responsibly disclosed by researcher Andreas Vikerup in May 2022.

Sitevision promptly released a patch and notified affected customers while coordinating with Sweden’s national CERT team (CERT-SE) due to the critical nature of services relying on their CMS, including government agencies.

This incident highlights the risks of weak password policies and improper configuration in widely used systems.

Organizations using Sitevision CMS are urged to upgrade to version 10.3.2 or later and ensure proper configuration of WebDAV access controls while rotating passwords for sensitive keystores.
