Securing MidPoint 4.8: A Collaborative Effort - Evolveum | Open Source Identity Management & Governance

In a collaborative effort to bolster the security of midPoint, a grant provided by the NGI Zero Review program enabled us to cooperate with Radically Open Security, who performed an extensive security penetration testing exercise. This initiative underscores our commitment to fortifying midPoint against potential threats. Their expertise revealed a number of security weaknesses, each serving as a valuable lesson in our ongoing quest for resilience. In this article we will discuss the identified security flaws, their implications, and the subsequent steps we undertook to strengthen midPoint, offering transparency into the process of enhancing its overall security posture.*

The penetration testing started with midPoint 4.7.1, since the development of the 4.8 release was still in progress. It revealed a critical Cross-Site Scripting (XSS) vulnerability. This issue was discovered in the audit log functionality and, when combined with the Query Playground feature, could allow an attacker to execute custom code if an administrator reviewed specific audit logs. Recognizing the severity of this finding, immediate action was taken. The development of midPoint 4.8 included a fix for this vulnerability, ensuring its resolution. Furthermore, to safeguard users of the previous version, a security advisory was promptly released and accompanied by a maintenance update for the affected midPoint 4.7.

Findings by Radically Open Security

During white-box testing, Radically Open Security found 3 High, 7 Elevated, and 8 Low-severity issues, most of which were already resolved as of midPoint 4.8.3. The list of findings is provided in two sections: generic findings and configuration specific findings, and it describes security issues caused by some configurations of the Identity Recovery and Password Reset features.

Generic Findings Affecting All Configurations

High Severity Findings

(Resolved) Stored Cross-Site Scripting (XSS) in several forms: JavaScript code injection is possible in several forms, executed in the context of an administrator session via an audit log,
- Impact: The server is completely compromised when an attack is chained with the Query Playground feature.
- Resolution: As mentioned above, this issue was fixed in midPoint 4.7.2, and we released a security advisory.
(Ongoing fixes) Remote Code Execution in filter expressions: The execution of a custom Groovy script in filter expressions in the configuration and Query Playground allows arbitrary command execution. GUI search boxes are not affected by this vulnerability since they do not allow code.
(Ongoing fixes) Remote Code Execution in the experimental Mapping Playground: The experimental Mapping Playground allows arbitrary code execution.

Groovy Expressions are a powerful and core feature of midPoint for most of the deployments, so we have continuous efforts to improve their security. However, their presence still poses potential security risks, and access to enter them and modify them should be granted only if necessary.

Elevated Severity Findings

(Resolved) Hardcoded default administrator password: MidPoint is initiated with a default admin password (5ecr3t).
- Impact: An easy takeover of new installations if the default password is not changed.
- Resolution: In midPoint 4.8.1 we introduced an initial generated password along with several ways to inject a custom initial password when first starting up midPoint. See Administrator Initial Password for details.
(Partially Resolved) Missing Content-Security-Policy HTTP header: MidPoint does not use Content-Security-Policy header.
- Impact: An increased risk of XSS attacks.
- Resolution: We introduced a Content-Security-Policy that is as strict as possible, but the strictest form would require more implementation changes and efforts, which are in progress.
(Open) Missing Rate Limits: Default midPoint deployments do not rate-limit user requests to Password Reset or Identity Recovery.
- Impact: An increased risk of brute-force attacks.
- Recommendation: We issued the recommendation to use a rate-limiting proxy if these features are used as part of our Securing MidPoint Deployments webinar.
(Disputed) Internal Configuration script execution: Execution of shell scripts via system configuration. MidPoint system configuration allows administrators to customize the shell scripts used to access JVM options.
- Impact: Arbitrary code execution on the server.
- Recommendation: Restrict script execution permissions and validate configurations.

Low Severity Findings

(Resolved) Verbose error reporting enabled on the production release: Detailed error messages exposed in the end-user GUI.
- Impact: Information leakage.
- Resolution: In 4.8.1 we introduced the configuration option to disable stacktrace error messages for end users.
(Resolved) Style injection in the Header Color setting: Style injection vulnerability in the system configuration header color setting.
- Impact: Potential for XSS attacks.
- Resolution: In 4.8.1 we introduced the sanitization of user provided input for style settings.
(Resolved) CSRF user logout: A CSRF attack in the same browser can log users out by trying to access the REST endpoint.
- Impact: User sessions can be terminated without consent.
- Resolution: This issue was fixed by REST not causing the users to be logged out of the GUI session.
(Resolved) — A weak default password policy: A weak default password policy allows easily guessable passwords.
- Impact: Accounts are vulnerable to brute-force attacks.
- Resolution: In 4.8.1 we introduced a new stricter default password policy.
(Resolved) — The same origin iframe not blocked: A lack of X-Frame-Options or CSP headers.
- Impact: Vulnerability to clickjacking and CSRF.
- Resolution: MidPoint 4.8 and later versions use X-Frame-Options: A DENY response header.
(Resolved) Verbose error output on failed identity recovery: Detailed error messages on identity recovery failure.
- Impact: Information leakage.
- Resolution: The issue was resolved in the final midPoint 4.8 relase.
(Open) A username appears in the browser history after identity recovery: the user’s account name appears as a URL query parameter in the local device’s browser history.
- Description: Username leaks in the browser history.
- Impact: Potential privacy issues.
- Recommendation: Avoid including sensitive information in URLs.

Configuration Specific Findings

Radically Open Security also tested different configurations of midPoint for the Password Reset and Identity Recovery processes, which prompted us to create the Securing MidPoint Deployments webinar, where we discussed recommendations to avoid the following misconfigurations.

Password reset security questions ignored: Security questions in the Password Reset process are seemingly ignored.
- Impact: Unauthorized password resets.
- Recommendation for deployments: Ensure security questions are mandatory and correctly validated. Do not use security questions as sufficient authorization.
Disputed: — Account recovery allows resolving identifiers to the account name: An example configuration used a National ID. The Identity Recovery feature:
- Description: A national ID can be used to find account names.
- Impact: Potential privacy violations.
- Recommendation for deployments: Consider the Identity Recovery feature as a potential attack vector, since based on your configuration it allows for enumeration attacks. Consider deploying a rate-limiting proxy and review your audit log for Information Disclosure events that contains the list of disclosed (recovered) identities.
The weakest account recovery mechanism: When multiple identity recovery options are configured, an attacker can select the weakest account recovery mechanism to compromise security.
- Impact: An increased risk of unauthorized account access.
- Recommendation for deployments: When designing your Identity Recovery process, also consider it from the security perspective and avoid adding options, which could compromise other stricter Identity Recovery flows.

Conclusion

In conclusion, the security penetration testing conducted by Radically Open Security that was made possible by funding from the NGI Zero Review played a pivotal role in fortifying the midPoint platform. The testing process uncovered a range of vulnerabilities, from high to low severity, each of which was addressed with meticulous attention. The findings prompted swift and comprehensive responses, including fixes, security advisories, and thoughtful recommendations for deployments.

This collaborative effort, coupled with responsible vulnerability disclosures from our dedicated community, underscores a strong and ongoing commitment to enhancing midPoint’s security posture and safeguarding user data and privacy. With each iteration, midPoint evolves into an even more robust and secure identity governance solution, ensuring organizations can trust midPoint to protect their sensitive information. We extend our gratitude to the NGI Zero Review program and our community for their invaluable contributions to this process.

*Active subscribers can request the report at sales@evolveum.com

Name	Provider	Purpose	Expiry	More information
PHPSESSID	Evolveum s.r.o.	Cookie generated by applications based on the PHP language. This is a general purpose identifier used to maintain user session variables. It is normally a random generated number, how it is used can be specific to the site, but a good example is maintaining a logged-in status for a user between pages.	When you close your browser
moove_gdpr_popup	Evolveum s.r.o.	When this Cookie is enabled, these Cookies are used to save your Cookie Setting Preferences. You can enable or disable your Cookie Settings on our website at anytime via Cookie Settings.	1 year	Read more
wordpress_test_cookie	Evolveum s.r.o.	Tests that the browser accepts cookies.	Session	Read more
wp-settings-[user_id]	Evolveum s.r.o.	Used to preserve user’s wp-admin settings	1 year	Read more
wordpress_[hash]	Evolveum s.r.o.	On login, WordPress uses the wordpress_[hash] cookie to store your authentication details. Its use is limited to the Administration Screen area, /wp-admin/	Session	Read more
wordpress_logged_in_[hash]	Evolveum s.r.o.	Remember User session	Session	Read more
wordpress_sec_[hash]	Evolveum s.r.o.	This cookie is used to store your authentication details. Its use is limited to the admin console area, /wp-admin/	Session	Read more
wp-postpass_[hash]	Evolveum s.r.o.	This cookie is used to grant access to password protected areas of the site.	10 days
wp-settings-time-[user_id]	Evolveum s.r.o.	The number on the end is your individual user ID from the user’s database table. This is used to customize your view of admin interface, and possibly also the main site interface.	1 year	Read more

Name	Provider	Purpose	Expiry	More information
woocommerce_cart_hash	Evolveum s.r.o.	Helps WooCommerce determine when cart contents/data changes.	When you close your browser	Read more
woocommerce_items_in_cart	Evolveum s.r.o.	Helps WooCommerce determine when cart contents/data changes.	When you close your browser	Read more
wp_woocommerce_session_[hash]	Evolveum s.r.o.	Contains a unique code for each customer so that it knows where to find the cart data in the database for each customer.	2 days	Read more
tk_ai	Evolveum s.r.o.	Stores a randomly-generated anonymous ID. This is only used within the dashboard (/wp-admin) area and is used for usage tracking, if enabled.	Session	Read more
comment_author_{HASH} comment_author_email_{HASH} comment_author_url_{HASH}	Evolveum s.r.o.	When visitors comment on your blog, they too get cookies stored on their computer. This is purely a convenience, so that the visitor won’t need to re-type all their information again when they want to leave another comment.	These are set to expire a little under one year from the time they’re set.	Read more

Findings by Radically Open Security

Generic Findings Affecting All Configurations

High Severity Findings

Elevated Severity Findings

Low Severity Findings

Configuration Specific Findings

Conclusion

Leave a Reply Cancel reply

Cookie settings

Strictly necessary

Third party

Technical