CoreWCF: WS-Security signature substitution via document-wide Signature lookup
🔗 CVE IDs covered (1)
📋 Description
Impact
An unauthenticated remote attacker who can place a SOAP header lexically before wsse:Security can embed a ds:Signature of their choosing inside that header and cause the server to verify the attacker-supplied signature instead of the one carried in the security header.
Preconditions
Exploitation requires the endpoint be configured with an endorsing supporting token binding, and the attacker constructs a ds:Signature whose KeyInfo resolves through the receive-side token resolver to a key under the attacker’s control. Both are conditions outside the attacker’s direct control on a generic deployment.
Patches
Fixed in CoreWCF v1.8.1 and v1.9.1
Workarounds
Use a security token resolver that only accepts references to issuer-pinned X.509 chains (the default when expecting a static set of signing certificates).
🎯 Affected products2
- nuget/CoreWCF.Primitives:< 1.8.1
- nuget/CoreWCF.Primitives:>= 1.9.0, < 1.9.1