CVE-2022-47966 - Would like to confirm and make sure whether CA Siteminder (CA Single Sign-On) is vulnerable to this CVE (CVE-2022-47966) or not?
Article ID: 259799

Products

SITEMINDER
CA Single Sign On Federation (SiteMinder)
CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)

Issue/Introduction

Vulnerability check for CVE-2022-47966

Would like to confirm and make sure whether CA Siteminder (CA Single Sign-On) is vulnerable to this CVE (CVE-2022-47966) or not?

------ CVE Identifier : CVE-2022-47966

CVE-2022-47966 arises from improper verification of cryptographic signatures in the third-party dependency Apache Santuario (xmlsec), specifically its XSLT transform support, as used by ManageEngine products. Successful exploitation requires an attacker to send a specially crafted SAML request to a vulnerable device. Exploiting ManageEngine AD products additionally requires the attacker to determine a valid issuer and GUID to pass to the vulnerable system. The vulnerability applies only when SAML SSO is, or was, enabled in the ManageEngine setup.
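The weak point described above is an XML signature verifier that honours an XSLT transform inside a SAML message. A relying party can refuse such messages before they reach the signature library at all. The following is an added example written for this article (it is not code from Broadcom, ManageEngine or Apache Santuario): it walks every ds:Reference in a parsed document and flags any ds:Transform whose Algorithm is outside a small allow list, with the XSLT transform URI as the case of interest. The two SAML responses it checks are constructed for the example, with placeholder digest and signature values.

```python
"""Pre-verification allow-list check for XML Digital Signature transforms.

Added example, not part of the KB article or any vendor library. The sample
documents at the bottom are constructed for this example only.
"""
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
# Transform identifier for XSLT as defined by XML Signature Syntax and Processing.
XSLT_TRANSFORM = "http://www.w3.org/TR/1999/REC-xslt-19991116"

# Transform algorithms a SAML relying party actually needs: enveloped signature
# plus the canonicalisation algorithms. Anything else is reported.
ALLOWED_TRANSFORMS = {
    "http://www.w3.org/2000/09/xmldsig#enveloped-signature",
    "http://www.w3.org/2001/10/xml-exc-c14n#",
    "http://www.w3.org/2001/10/xml-exc-c14n#WithComments",
    "http://www.w3.org/TR/2001/REC-xml-c14n-20010315",
    "http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments",
}


def disallowed_transforms(xml_bytes: bytes) -> list[tuple[str, str]]:
    """Return (Reference URI, Algorithm) for every transform not on the allow list."""
    root = ET.fromstring(xml_bytes)
    findings = []
    for ref in root.iter(f"{{{DS_NS}}}Reference"):
        uri = ref.get("URI", "")
        for transform in ref.iter(f"{{{DS_NS}}}Transform"):
            algorithm = transform.get("Algorithm", "")
            if algorithm not in ALLOWED_TRANSFORMS:
                findings.append((uri, algorithm))
    return findings


def uses_xslt_transform(xml_bytes: bytes) -> bool:
    """True if any Reference asks the verifier to run an XSLT transform."""
    return any(alg == XSLT_TRANSFORM for _, alg in disallowed_transforms(xml_bytes))


def safe_to_verify(xml_bytes: bytes) -> bool:
    """True only when every transform in every Reference is on the allow list."""
    return not disallowed_transforms(xml_bytes)


def _sample_response(transform_algorithms: list[str]) -> bytes:
    """Build a constructed, unsigned SAML Response skeleton with the given transforms."""
    transforms = "".join(
        f'<ds:Transform Algorithm="{alg}"/>' for alg in transform_algorithms
    )
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp1">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_resp1">
        <ds:Transforms>{transforms}</ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>PLACEHOLDER_DIGEST</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER_SIGNATURE</ds:SignatureValue>
  </ds:Signature>
</samlp:Response>""".encode()


# Constructed inputs: a normal SAML response and one carrying an XSLT transform.
BENIGN_RESPONSE = _sample_response([
    "http://www.w3.org/2000/09/xmldsig#enveloped-signature",
    "http://www.w3.org/2001/10/xml-exc-c14n#",
])
XSLT_RESPONSE = _sample_response([
    "http://www.w3.org/2000/09/xmldsig#enveloped-signature",
    XSLT_TRANSFORM,
])

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_RESPONSE), ("xslt", XSLT_RESPONSE)):
        verdict = "accept" if safe_to_verify(doc) else "reject"
        print(f"{name}: {verdict} {disallowed_transforms(doc)}")
```

This check is a front door, not a replacement for a hardened verifier: the XML signature library itself should also be run in a mode that refuses XSLT transforms (current Apache Santuario releases and the JDK XMLDSig implementation both provide a secure-validation mode with that effect), and it should be kept at a patched version.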

The patches for this vulnerability were released in November 2022, but proof-of-concept code and active exploitation were only observed last week. A variety of post-exploitation activity has been seen, such as deploying PowerShell to disable Microsoft Defender real-time protection and to add the "C:\Users\Public" folder to Defender's exclusion list. To potentially bypass firewalls, threat actors have also been seen deploying a tunneling tool named chisel.

In the following list of impacted products, the vulnerability is:

* - Applicable only if SAML-based SSO is configured and currently active.

** - Applicable only if SAML-based SSO was configured at least once in the past, regardless of its current status.

Environment

Release: Applicable to all supported CA Siteminder releases.
Component: CA Siteminder Policy Server and/or Agent.

Resolution

The CVE concerns Zoho ManageEngine on-premises products, which are vulnerable because they use Apache xmlsec (XML Security for Java) 1.4.1 and its XSLT transform features. More information on the vulnerable products can be found at the link below.

https://nvd.nist.gov/vuln/detail/CVE-2022-47966

------ CA Siteminder (CA Single Sign-On) does not use any of these products OOTB (out of the box).

Hence this CVE, CVE-2022-47966, is not applicable to CA Siteminder products, and we are NOT vulnerable.

Additional Information

Snippet for your reference: