Critical WSO2 Vulnerability Exploited

THE THREAT

There is confirmed exploitation of the critical WSO2 vulnerability CVE-2022-29464 (CVSS: 9.8). WSO2 is an open-source technology provider that maintains a variety of products relating to Application Program Interface (API) and Identity management. CVE-2022-29464 is an unrestricted file upload vulnerability impacting multiple WSO2 products. Successful exploitation allows for unauthenticated Remote Code Execution (RCE). The vulnerability was initially disclosed on April 1^st, 2022, and in the wild exploitation was confirmed by CISA in late April.

Proof-of-Concept (PoC) exploits are publicly available for this vulnerability; as such, eSentire Threat Intelligence assesses that multiple threat actor groups are currently exploiting the vulnerability in real-world attacks. Organizations are strongly recommended to apply the mitigations outlined in the following “What you should do about it” section.

What we're doing about it

• eSentire MDR for Network has rules in place to identify exploitation attempts
• eSentire MDR for Endpoint detects actions commonly associated with post exploitation activity
• eSentire Managed Vulnerability Service has plugins in place to detect CVE-2022-29464
• Threat hunts have been performed based on Indicators of Compromise (IoCs) and known exploitation techniques
• Additional detections based on known Proof-of-Concept (PoC) exploits are under evaluation
• The eSentire Threat Intelligence team is actively tracking this vulnerability and associated threats for additional details and detection opportunities

What you should do about it

• After performing a business impact review, apply the relevant security patches provided by WSO2
  • Organizations without a Subscription for WSO2 Support or which are using End of Life products, should apply the patches provided through GitHub [3] [4] [5]
• If patching is currently not possible, alternative workarounds are available in the WSO2 advisory

Additional information

In order to exploit CVE-2022-29464, threat actor(s) would upload a malicious JSP (web shell) script to the vulnerable upload route /fileupload/toolsAny on the victim’s webserver and take the advantage of a path traversal (also known as directory traversal) vulnerability to write and run the web shell from the web root (for example repository/deployment/server/webapps). Public reporting suggests that to date, exploitation has resulted in the deployment of cryptocurrency-mining malware and web shells. Web shells and miner malware are often leveraged as early-stage payloads, prior to additional malicious activity. As PoC exploits are publicly available, there is the potential for widespread exploitation of CVE-2022-29464 in the near future.

Impacted WSO2 products:

• WSO2 API Manager 2.2.0 and above
• WSO2 Identity Server 5.2.0 and above
• WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0, 5.6.0
• WSO2 Identity Server as Key Manager 5.3.0 and above
• WSO2 Enterprise Integrator 6.2.0 and above
• WSO2 Open Banking AM 1.4.0 and above
• WSO2 Open Banking KM 1.4.0 and above

References

[1] https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2021-1738
[2] https://www.cisa.gov/uscert/ncas/current-activity/2022/04/25/cisa-adds-seven-known-exploited-vulnerabilities-catalog
[3] https://github.com/wso2/carbon-kernel/pull/3152
[4] https://github.com/wso2/carbon-identity-framework/pull/3864
[5] https://github.com/wso2-extensions/identity-carbon-auth-rest/pull/167