A significant vulnerability in Sitevision CMS, versions 10.3.1 and earlier, has been identified, allowing attackers to extract private keys used for signing SAML authentication requests.
The flaw, tracked as CVE-2022-35202, stems from the use of a Java keystore accessible via WebDAV and protected by an auto-generated, low-complexity password.
This vulnerability could potentially enable attackers to compromise authentication processes in certain configurations.
The issue was uncovered when a WebDAV instance on a Sitevision site exposed a file named saml-keystore.
This file contained a Java keystore with both public and private keys for SAML authentication.
While the keystore was password-protected, the password was auto-generated with low complexity: eight characters drawn only from lowercase letters and digits.
Using tools like JksPrivkPrepare.jar to extract the password hash and Hashcat for brute force attacks, researchers successfully cracked the password within hours.
The extracted private key could theoretically be used to sign SAML authentication requests.
However, further analysis revealed that these keys were used specifically to sign SAML Authn requests, which initiate the SAML flow between Service Providers (SP) and Identity Providers (IdP).
The vulnerability’s impact depends on whether the IdP prioritizes signed Authn requests over pre-configured metadata.
An attacker exploiting this flaw could manipulate the AssertionConsumerServiceURL attribute in the Authn request to redirect authentication tokens to a malicious endpoint.
According to Shelltrail, this could grant unauthorized access to authenticated user sessions under certain conditions.
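The impact hinges on whether the IdP trusts a signed AuthnRequest's AssertionConsumerServiceURL over the SP's registered metadata. The following is an added illustration (not Sitevision's, Shelltrail's or any IdP's code) of the IdP-side check that blunts a stolen signing key: the ACS URL is only honoured if it exactly matches an endpoint from metadata. The SP entityID, ACS URLs and request contents are constructed sample values; signature verification is assumed to happen separately.

```python
import xml.etree.ElementTree as ET
from typing import Dict, Set, Tuple

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample of what an IdP holds from SP metadata: entityID -> ACS URLs.
# Hypothetical values, not any real SP's or IdP's configuration.
REGISTERED_SPS: Dict[str, Set[str]] = {
    "https://sp.example.org/saml": {"https://sp.example.org/saml/acs"},
}

def check_acs_url(xml_text: str, registered: Dict[str, Set[str]] = REGISTERED_SPS) -> Tuple[bool, str]:
    """Decide whether an AuthnRequest's AssertionConsumerServiceURL may be honoured.
    Signature validation is assumed to happen elsewhere; this check applies even to
    a validly signed request, which is what limits the damage from a leaked key."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return False, f"malformed XML: {exc}"
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        return False, "not a samlp:AuthnRequest"
    issuer_el = root.find(f"{{{SAML}}}Issuer")
    issuer = (issuer_el.text or "").strip() if issuer_el is not None else ""
    if not issuer:
        return False, "missing saml:Issuer"
    allowed = registered.get(issuer)
    if allowed is None:
        return False, f"unknown SP entityID: {issuer}"
    acs = root.get("AssertionConsumerServiceURL")
    if acs is None:
        return True, "no ACS override; IdP uses the metadata default"
    # Exact string match against metadata: no host, scheme or path variations accepted.
    if acs not in allowed:
        return False, f"ACS {acs} is not registered for {issuer}; using metadata only"
    return True, "ACS matches registered metadata"

def _request(acs: str) -> str:
    """Build a constructed, unsigned AuthnRequest carrying the given ACS URL."""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="_req1" Version="2.0" IssueInstant="2022-05-01T00:00:00Z" '
        f'AssertionConsumerServiceURL="{acs}">'
        '<saml:Issuer>https://sp.example.org/saml</saml:Issuer>'
        '</samlp:AuthnRequest>'
    )

GOOD_REQUEST = _request("https://sp.example.org/saml/acs")
REDIRECTED_REQUEST = _request("https://unregistered.example/acs")
```

Calling check_acs_url on REDIRECTED_REQUEST is rejected even though the request would carry a valid signature, which is the behaviour that closes the redirection path described above.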
Sitevision addressed the vulnerability in version 10.3.2 by enforcing stronger password complexity for auto-generated passwords.
However, existing installations remain vulnerable unless administrators manually rotate passwords after upgrading.
The exposure of the saml-keystore file also depends on specific WebDAV configurations, which are not default but common among Sitevision deployments.
The vulnerability was responsibly disclosed by researcher Andreas Vikerup in May 2022.
Sitevision promptly released a patch and notified affected customers while coordinating with Sweden’s national CERT team (CERT-SE) due to the critical nature of services relying on their CMS, including government agencies.
This incident highlights the risks of weak password policies and improper configuration in widely used systems.
Organizations using Sitevision CMS are urged to upgrade to version 10.3.2 or later and ensure proper configuration of WebDAV access controls while rotating passwords for sensitive keystores.