Zoho ManageEngine SAML Response RCE Vulnerability
SonicWall Capture Labs Threat Research Team has observed the following threat:
ManageEngine is a subsidiary of Zoho Corporation that provides IT management software for businesses. The company offers a range of products for network, systems, applications, security, and service desk management. ManageEngine's solutions aim to help organizations simplify and automate their IT operations, allowing them to focus on their core business objectives.
Apache Santuario is an open-source implementation of the XML Security specifications. It provides a library for securing XML documents, including signing and encryption, and offers a secure and stable XML security solution. Santuario is used by various software projects, including the Apache Axis2 Web services engine, to secure their XML communications. It is a part of the Apache Software Foundation and is governed by its open-source community.
A remote code execution vulnerability has been reported in multiple Zoho ManageEngine products. The vulnerability is due to an outdated version of Apache Santuario in the impacted products allowing an attacker to execute XSLT in SAML response messages.
A remote, unauthenticated attacker could exploit this vulnerability by sending a crafted request to the target server. Successful exploitation could result in arbitrary code execution under the security context of SYSTEM.
This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2022-47966.
Common Vulnerability Scoring System (CVSS):
The overall CVSS score is 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C).
Base score is 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), based on the following metrics:
• Attack vector is network.
• Attack complexity is low.
• Privileges required is none.
• User interaction is none.
• Scope is changed.
• Impact of this vulnerability on data confidentiality is high.
• Impact of this vulnerability on data integrity is high.
• Impact of this vulnerability on data availability is high.
Temporal score is 9.3 (E:F/RL:O/RC:C), based on the following metrics:
• The exploit code maturity level of this vulnerability is functional.
• The remediation level of this vulnerability is official fix.
• The report confidence level of this vulnerability is confirmed.
Before understanding this vulnerability, it's important to research the key technologies below:
1. SAML SSO (Security Assertion Markup Language Single Sign-On)
2. SAML 2.0
3. XSLT (eXtensible Stylesheet Language Transformations)
4. Apache Xalan
SAML SSO is a protocol that allows users to authenticate to multiple web applications using a single set of credentials. This technology provides a secure and convenient way for users to access multiple web applications with a single login, which is managed by a central identity provider. SAML SSO eliminates the need for users to remember and manage multiple sets of login credentials, which can improve the user experience and reduce the risk of password-related security breaches.
SAML 2.0 is the latest version of the SAML standard and includes a number of improvements over SAML 1.1, making it the dominant standard for SSO. SAML 2.0 provides greater security, improved encryption and signing, and a more flexible data format, making it well-suited to a wide range of use cases. This technology is widely adopted by organizations of all sizes and is supported by a large number of identity providers and service providers.
XSLT is a language used to transform XML (eXtensible Markup Language) documents into other formats. XSLT is used to define a set of rules for transforming the structure and content of an XML document into a different format that can be more easily displayed or processed. This technology is commonly used in conjunction with XML to create dynamic, data-driven websites, generate reports, and transform XML data into other formats for data exchange between systems. XSLT provides a powerful way to manipulate and display XML data, making it an essential tool for many XML-based applications.
Apache Xalan is an open-source implementation of the XSLT and XML Path Language (XPath) standards. It provides a library for transforming XML documents into other formats, such as HTML, plain text, or XML with a different structure. Apache Xalan is written in Java and is part of the Apache XML Project, which is maintained by the Apache Software Foundation. This technology is widely used in a variety of applications for transforming and processing XML data, including for generating reports, transforming data for data exchange between systems, and creating dynamic, data-driven websites. Apache Xalan provides a high-performance, flexible, and easy-to-use solution for transforming XML data.
The vulnerability is due to the server processing user-supplied XSLT transformations received in SAML responses. When an identity provider authenticates a user through SAML SSO on Key Manager Plus, it sends a request to the endpoint "/saml2" on the server, which is processed by the function service().
Before a transformation is executed, the function checkSecureValidation() is called. This function checks whether secureValidation in the Transform object is set to "true" and whether the "Algorithm" attribute of the "transform" XML element is set to "http://www.w3.org/TR/1999/REC-xslt-19991116", the URI corresponding to an XSLT transformation. If both are true, the function throws an exception, as XSLT transformations are forbidden when secureValidation is enabled. If the checkSecureValidation() function does not throw an exception, the functions t.performTransform() and transformSpi.enginePerformTransform() are called to execute the transform.
The function enginePerformTransform() is called to execute the XSLT transformation. It calls selectNode() to find the stylesheet XML element containing the transformation. The function TransformerFactory.newInstance() is then called to create a TransformerFactory object, and setFeature() is called on that object with the parameters "http://javax.xml.XMLConstants/feature/secure-processing" and "Boolean.TRUE" to enable secure processing in Apache Xalan, where the XSLT will be executed. Finally, transform() is called to execute the XSLT in the transform element. However, the version of Apache Xalan included in the impacted version of Key Manager Plus is vulnerable to CVE-2014-0107. This vulnerability allows an attacker to bypass some restrictions imposed by secure processing on a TransformerFactory object by using certain attributes, such as "content-handler", that can load arbitrary classes, possibly leading to arbitrary code execution.
Because secureValidation in the included version of Apache Santuario is set to false by default, and secure processing can be bypassed in the included version of Apache Xalan, an attacker can send a crafted SAML response to the target containing an XML "Transform" element that carries an arbitrary XSLT transformation.
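As an added example (not from the advisory, ManageEngine or Apache Santuario), the following Python check shows the policy a service provider can enforce on a SAML response before handing it to signature verification: it reproduces the Algorithm allowlist that checkSecureValidation() enforces when secureValidation is true, and goes one step further by rejecting any element from the XSLT namespace regardless of the Algorithm attribute. The two SAML responses are constructed samples, and the allowlist of transform URIs is this example's own policy choice.

```python
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
XSL_NS = "http://www.w3.org/1999/XSL/Transform"
# Algorithm URI of an XSLT transform: the value Santuario's checkSecureValidation() rejects.
XSLT_TRANSFORM = "http://www.w3.org/TR/1999/REC-xslt-19991116"
# Transforms a SAML signature legitimately needs; anything else is rejected (allowlist, not denylist).
ALLOWED_TRANSFORMS = {
    "http://www.w3.org/2000/09/xmldsig#enveloped-signature",
    "http://www.w3.org/2001/10/xml-exc-c14n#",
    "http://www.w3.org/TR/2001/REC-xml-c14n-20010315",
}

def find_violations(saml_response_xml: str) -> list[str]:
    """One reason string per policy violation; an empty list means the response may be verified."""
    root = ET.fromstring(saml_response_xml)
    violations = []
    # Check 1: every ds:Transform must use an allowlisted Algorithm (mirrors secureValidation=true).
    for transform in root.iter(f"{{{DS_NS}}}Transform"):
        algorithm = transform.get("Algorithm", "")
        if algorithm not in ALLOWED_TRANSFORMS:
            violations.append(f"disallowed transform algorithm: {algorithm or '<missing>'}")
    # Check 2: no element from the XSLT namespace anywhere, whatever the Algorithm attribute says.
    xsl_elements = [e.tag for e in root.iter() if e.tag.startswith(f"{{{XSL_NS}}}")]
    if xsl_elements:
        violations.append(f"XSLT element present: {xsl_elements[0]}")
    return violations

def response_is_safe_to_verify(saml_response_xml: str) -> bool:
    return not find_violations(saml_response_xml)
# Constructed sample: a minimal response whose Signature uses only the standard transforms.
BENIGN_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_assertion">
    <ds:Transforms>
      <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
      <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    </ds:Transforms>
  </ds:Reference></ds:SignedInfo></ds:Signature>
</samlp:Response>"""

# Constructed sample: the same response with the second transform swapped for an (empty) XSLT one.
XSLT_RESPONSE = BENIGN_RESPONSE.replace(
    'Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>',
    f'Algorithm="{XSLT_TRANSFORM}"><xsl:stylesheet xmlns:xsl="{XSL_NS}" version="1.0"/></ds:Transform>',
)
if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_RESPONSE), ("xslt", XSLT_RESPONSE)):
        print(f"{name}: safe={response_is_safe_to_verify(doc)} {find_violations(doc)}")
```

Running the block prints one line per sample: the benign response passes with no violations, while the XSLT variant is rejected on both checks.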
Triggering the Problem:
• The attacker must have network access to the target server.
• The target must be running a vulnerable version of the software.
• The target server must have SAML SSO enabled.
The attacker sends a crafted SAML response to the target server. The vulnerability is triggered when the server validates the response and executes XSLT in a transformation in the XML.
The following application protocols can be used to deliver an attack that exploits this vulnerability:
SonicWall's Intrusion Prevention System (IPS) provides protection against this threat:
• IPS: 3481 ManageEngine products xmlsec Remote Code Execution 1
• IPS: 3491 ManageEngine products xmlsec Remote Code Execution 2
• IPS: 18881 ManageEngine products xmlsec Remote Code Execution 3
The risks posed by this vulnerability can be mitigated or eliminated by:
• Upgrading the product to a non-vulnerable version.
• Filtering traffic based on the signatures above.
• Disabling SAML SSO if not needed.
• Blocking the affected ports from external network access if they're not required.
The vendor has released the following advisory regarding this vulnerability: