THE THREAT
There is confirmed exploitation of the critical WSO2 vulnerability CVE-2022-29464
(CVSS: 9.8). WSO2 is an open-source technology provider that maintains a variety of products relating to Application Program Interface (API) and Identity management. CVE-2022-29464 is an unrestricted file upload vulnerability impacting multiple WSO2 products. Successful exploitation allows for unauthenticated Remote Code Execution (RCE). The vulnerability was initially disclosed on April 1st, 2022, and in the wild exploitation was confirmed by CISA
in late April.
Proof-of-Concept (PoC) exploits are publicly available for this vulnerability; as such, eSentire Threat Intelligence assesses that multiple threat actor groups are currently exploiting the vulnerability in real-world attacks. Organizations are strongly recommended to apply the mitigations outlined in the following “What you should do about it” section.
What we're doing about it
- eSentire MDR for Network has rules in place to identify exploitation attempts
- eSentire MDR for Endpoint detects actions commonly associated with post exploitation activity
- eSentire Managed Vulnerability Service has plugins in place to detect CVE-2022-29464
- Threat hunts have been performed based on Indicators of Compromise (IoCs) and known exploitation techniques
- Additional detections based on known Proof-of-Concept (PoC) exploits are under evaluation
- The eSentire Threat Intelligence team is actively tracking this vulnerability and associated threats for additional details and detection opportunities
What you should do about it
- After performing a business impact review, apply the relevant security patches provided by WSO2
- Organizations without a Subscription for WSO2 Support or which are using End of Life products, should apply the patches provided through GitHub [3] [4] [5]
- If patching is currently not possible, alternative workarounds are available in the WSO2 advisory
Additional information
In order to exploit CVE-2022-29464, threat actor(s) would upload a malicious JSP (web shell) script to the vulnerable upload route /fileupload/toolsAny on the victim’s webserver and take the advantage of a path traversal (also known as directory traversal) vulnerability to write and run the web shell from the web root (for example repository/deployment/server/webapps). Public reporting suggests that to date, exploitation has resulted in the deployment of cryptocurrency-mining malware and web shells. Web shells and miner malware are often leveraged as early-stage payloads, prior to additional malicious activity. As PoC exploits are publicly available, there is the potential for widespread exploitation of CVE-2022-29464 in the near future.
Impacted WSO2 products:
- WSO2 API Manager 2.2.0 and above
- WSO2 Identity Server 5.2.0 and above
- WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0, 5.6.0
- WSO2 Identity Server as Key Manager 5.3.0 and above
- WSO2 Enterprise Integrator 6.2.0 and above
- WSO2 Open Banking AM 1.4.0 and above
- WSO2 Open Banking KM 1.4.0 and above
References
[1] https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2021-1738
[2] https://www.cisa.gov/uscert/ncas/current-activity/2022/04/25/cisa-adds-seven-known-exploited-vulnerabilities-catalog
[3] https://github.com/wso2/carbon-kernel/pull/3152
[4] https://github.com/wso2/carbon-identity-framework/pull/3864
[5] https://github.com/wso2-extensions/identity-carbon-auth-rest/pull/167
