External risk intelligence

WSO2 Products: Remote Code Execution Via File Upload.

CVE advisory
Known Exploit

CVE-2022-29464

A vulnerability in certain WSO2 products allows for unrestricted file uploads, leading to remote code execution. This could impact affected systems and data by enabling unauthorized access and control. The business risk is significant due to the potential compromise of sensitive information and operations.

Halo Surface Signal: 5

Path Traversal

WSO2 API Manager

Affected version ranges:

  • 2.2.0 to 4.0.0
  • 6.2.0 to 6.6.0
  • 5.2.0 to 5.11.0
  • 5.4.0
  • 5.4.1
  • 5.5.0
  • 5.6.0
  • 5.3.0 to 5.10.0
  • 1.3.0 to 2.0.0
  • 2.0.0
  • 1.3.0 to 1.5.0

External exposure likelihood

Halo Surface Signal score for CVE-2022-29464

The affected WSO2 products include API Managers, Identity Servers, and Open Banking gateways, which are specifically designed as public-facing infrastructure to handle external traffic, authentication, and integration services, making them highly likely to be exposed to the internet.

Horizon Alert

Summary of the vulnerability and why it matters

Certain WSO2 products contain an unrestricted file upload flaw: the upload handler does not restrict where a submitted file is written. An attacker who can reach the upload endpoint can place a malicious file (for example a server-side script) on the host and have the server execute it, giving arbitrary code execution on the affected system with the privileges of the WSO2 service.

  • Vulnerable WSO2 products
  • Unrestricted file upload weakness
  • Remote code execution impact

Attack Path

How an attacker could exploit the issue

The flaw is an unrestricted file upload in certain WSO2 products that leads to remote code execution. An attacker sends a crafted multipart POST to the file upload endpoint in which the filename carries a directory traversal sequence; because the server does not restrict the destination path, the file is written outside the intended upload location, into a directory the application serves and executes. Requesting the planted file then runs the attacker's code. This compromises the confidentiality, integrity, and availability of the affected system and any data it holds.

  • Exposure condition: WSO2 products exposed to the internet.
  • Attacker starting point: Network access to a file upload endpoint.
  • Trigger and result: Unrestricted file upload leading to code execution.

Live Threat

Current exploitation, exposure, and threat context

The vulnerability is known to be exploited. It requires only network reachability of the upload endpoint: an attacker uploads a malicious file through that endpoint and obtains code execution on the host, which is sufficient for unauthorized access to and control over the affected system and poses a significant business risk.

  • Likely attacker skill level: Low
  • Required access or conditions: Publicly accessible endpoint
  • Business risk or urgency: High

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability permits unauthorized file uploads, potentially leading to remote code execution within affected WSO2 products. Attackers exploit it with a directory traversal sequence in the uploaded filename sent to the `/fileupload` endpoint, writing the file into a directory the server executes from. The impact can include the compromise of systems, data, and business operations.

  • Identify exposed WSO2 assets: inventory every API Manager, Identity Server, Enterprise Integrator and Open Banking deployment, record its version, and check it against the affected ranges listed above.
  • Reduce exposure or isolate risk: until patched, deny requests to `/fileupload` at the reverse proxy or WAF, or restrict the endpoint to trusted networks, and avoid exposing management endpoints to the internet.
  • Apply the vendor fix, verify, and monitor: install the vendor's patched release or security patch, confirm the upload endpoint rejects traversal filenames, then watch access logs for `POST` requests to `/fileupload` whose `Content-Disposition` filename contains `../` and check served directories (web root and web application directories) for unexpected files.

Frequently asked questions

Which WSO2 products are vulnerable to CVE-2022-29464?

CVE-2022-29464 affects several WSO2 products, including API Manager (versions 2.2.0 to 4.0.0), Identity Server (versions 5.2.0 to 5.11.0), Identity Server Analytics (versions 5.4.0, 5.4.1, 5.5.0 and 5.6.0), Identity Server as Key Manager (versions 5.3.0 to 5.10.0), Enterprise Integrator (versions 6.2.0 to 6.6.0), and Open Banking AM and KM (versions 1.3.0 to 2.0.0).

What is the weakness classification for CVE-2022-29464?

CVE-2022-29464 is classified as CWE-22, Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): the upload handler does not confine the supplied filename to the intended directory.

How can CVE-2022-29464 be exploited?

Exploitation involves sending a multipart request to the file upload endpoint with a directory traversal sequence in the filename parameter of a part's Content-Disposition header. Because the server does not confine the filename to the upload directory, the attacker can write a malicious file into a web root directory the server executes from, and requesting that file yields remote code execution.

What is the relevance of CVE-2022-29464 according to Halo Surface Signal?

Halo Surface Signal indicates a 'Very likely' exposure risk for CVE-2022-29464 because the affected WSO2 products, such as API Managers and Identity Servers, are typically internet-facing and handle external traffic and authentication.

What practical steps should be taken regarding CVE-2022-29464?

Organizations should identify exposed WSO2 assets, reduce their exposure or isolate them, and apply the vendor's provided fixes. Continuous monitoring after applying patches is also recommended.
