Sitevision Auto-Generated Password Vulnerability Exposes Signing Key to Hackers

A critical vulnerability in Sitevision CMS, identified as CVE-2022-35202, has been discovered, potentially exposing private signing keys used for SAML authentication.

The flaw, present in versions 10.3.1 and earlier, arises from the use of auto-generated, low-complexity passwords to secure Java keystores.

These keystores, accessible via improperly configured WebDAV instances, can be exploited by attackers to extract private keys and compromise authentication processes.

Exploitation Pathway: WebDAV and Keystore Weaknesses

Sitevision, a widely used CMS platform in Sweden for government agencies and private organizations, relies on WebDAV for content management.

In certain configurations, attackers can access the “saml-keystore” file stored on WebDAV servers.

This file contains private keys used in SAML Authn requests, protected by weak passwords limited to lowercase letters and digits with a length of just eight characters.

Security researchers demonstrated that the password hash stored in the keystore could be extracted using tools like JksPrivkPrepare.jar and cracked offline with brute-force techniques.

Utilizing a high-performance password-cracking rig, researchers successfully retrieved the password within hours, exposing the private key and enabling potential misuse.
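The exposure described above starts with a read of the keystore file over WebDAV, which is something a web server access log records. The following is an added example (not Sitevision's, Shelltrail's or the article's code) of a detection pass over WebDAV access log lines that flags every request naming the keystore file. The log lines are constructed in Apache common log format; the file name "saml-keystore" is taken from the article, while its location under a /webdav/ path is an assumption.

```python
# Added example (not Sitevision's or the article's code): flag WebDAV/HTTP requests that
# target the SAML keystore file in constructed access log lines.
import re
from collections import Counter

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Assumption: the keystore file name as described in the article; extend per deployment.
SENSITIVE_FILE_NAMES = ("saml-keystore",)
# WebDAV methods that can read or relocate a file, plus plain GET/HEAD.
READ_METHODS = {"GET", "HEAD", "PROPFIND", "COPY", "MOVE"}

# Constructed sample log: one listing, one successful download, one unrelated request,
# one rejected attempt.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2022:08:01:12 +0200] "PROPFIND /webdav/ HTTP/1.1" 207 1532
203.0.113.5 - - [10/May/2022:08:01:15 +0200] "GET /webdav/saml-keystore HTTP/1.1" 200 2417
198.51.100.7 - - [10/May/2022:09:12:44 +0200] "GET /index.html HTTP/1.1" 200 5120
192.0.2.33 - - [11/May/2022:03:40:02 +0200] "GET /webdav/saml-keystore HTTP/1.1" 401 0
"""


def parse_line(line):
    """Parse one common-log-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def names_sensitive_file(path):
    """True if the last path segment names a sensitive keystore file (case-insensitive)."""
    leaf = path.split("?", 1)[0].rstrip("/").rsplit("/", 1)[-1].lower()
    return any(name in leaf for name in SENSITIVE_FILE_NAMES)


def find_keystore_access(log_text):
    """Return one finding per request that targeted a keystore file, in log order."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] not in READ_METHODS:
            continue
        if not names_sensitive_file(rec["path"]):
            continue
        status = int(rec["status"])
        rec["status"] = status
        # A 2xx means the file body (and with it the keystore) left the server.
        rec["verdict"] = "downloaded" if 200 <= status < 300 else "attempted"
        findings.append(rec)
    return findings


def summarize(findings):
    """Count findings per source IP and verdict, for a quick triage view."""
    return Counter((f["ip"], f["verdict"]) for f in findings)


if __name__ == "__main__":
    hits = find_keystore_access(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ip"]:15s} {h["method"]:8s} {h["path"]:28s} {h["status"]} {h["verdict"]}')
    print(summarize(hits))
```

A "downloaded" verdict on a host running an affected version is the signal that the keystore password, and therefore the signing key, should be treated as compromised regardless of whether a crack has been observed.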

Implications of the Vulnerability

The compromised private key allows attackers to manipulate SAML Authn requests by altering critical attributes such as the AssertionConsumerServiceURL.

According to Shelltrail, this manipulation could redirect authentication tokens to malicious endpoints, potentially granting attackers unauthorized access to user sessions.

However, the impact depends on how the Identity Provider (IdP) prioritizes signed requests over pre-configured metadata during authentication flows.

While Sitevision clarified that these keys are used only for signing Authn requests, not SAML responses, the vulnerability still poses significant risk in configurations where IdPs give a signed request's attributes priority over the pre-configured metadata.
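The IdP-side behaviour that decides the impact is whether a signed request's AssertionConsumerServiceURL can override the SP metadata. The following is an added example (not code from Sitevision, Shelltrail or the article) of the check an IdP can apply: the ACS URL in an AuthnRequest is honoured only if it exactly matches one registered in the SP's pre-configured metadata. Signature verification is assumed to happen elsewhere; the point is that a signature made with a leaked key must not be enough on its own. The SP registry, entity IDs and URLs are all constructed.

```python
# Added example (not Sitevision's or the article's code): refuse an AuthnRequest's
# AssertionConsumerServiceURL unless it is one the SP's metadata already registered.
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed SP registry standing in for metadata the IdP loaded out of band.
# Keyed by entityID; the first ACS URL is the default used when the request names none.
REGISTERED_SPS = {
    "https://sp.example.test/saml": [
        "https://sp.example.test/saml/acs",
        "https://sp.example.test/saml/acs-legacy",
    ],
}


def build_authn_request(issuer, acs_url=None):
    """Construct a minimal SAML 2.0 AuthnRequest for testing (no Signature element)."""
    acs_attr = f' AssertionConsumerServiceURL="{acs_url}"' if acs_url else ""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" '
        f'ID="_req1" Version="2.0" IssueInstant="2022-05-01T00:00:00Z"{acs_attr}>'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        "</samlp:AuthnRequest>"
    )


def extract_request_fields(xml_text):
    """Return (issuer, acs_url) from an AuthnRequest; acs_url is None if absent."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError("not a SAML 2.0 AuthnRequest")
    issuer_el = root.find(f"{{{SAML_NS}}}Issuer")
    issuer = issuer_el.text.strip() if issuer_el is not None and issuer_el.text else None
    return issuer, root.get("AssertionConsumerServiceURL")


def resolve_acs_url(issuer, requested_acs, registry=REGISTERED_SPS):
    """Return the ACS URL a response may be sent to, or None to reject the request.

    Exact string comparison against the registered list: no prefix or suffix matching,
    so a look-alike host such as sp.example.test.evil.test never matches.
    """
    allowed = registry.get(issuer)
    if not allowed:
        return None                 # unknown SP: nothing to send a response to
    if requested_acs is None:
        return allowed[0]           # request names no ACS: use the metadata default
    parts = urlsplit(requested_acs)
    if parts.scheme != "https" or not parts.netloc:
        return None                 # never deliver a SAML response over plain HTTP
    return requested_acs if requested_acs in allowed else None


def validate_authn_request(xml_text, registry=REGISTERED_SPS):
    """Parse the request and decide where (if anywhere) a response may be delivered."""
    issuer, requested_acs = extract_request_fields(xml_text)
    return resolve_acs_url(issuer, requested_acs, registry)


if __name__ == "__main__":
    sp = "https://sp.example.test/saml"
    cases = [
        ("legitimate", "https://sp.example.test/saml/acs"),
        ("default (no ACS attribute)", None),
        ("redirected elsewhere", "https://collector.example.test/acs"),
        ("look-alike host", "https://sp.example.test.evil.test/saml/acs"),
    ]
    for label, acs in cases:
        print(f"{label:28s} -> {validate_authn_request(build_authn_request(sp, acs))}")
```

With this rule in place a request signed by a leaked key can still be authenticated, but the response goes only to an ACS endpoint the SP registered ahead of time, which removes the redirection the article describes.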

Sitevision addressed this vulnerability by increasing password complexity requirements starting from version 10.3.2.

However, existing installations remain vulnerable unless manual password rotation is performed during upgrades.

The vulnerability was responsibly disclosed by security researcher Andreas Vikerup in May 2022, with Sitevision releasing a patch shortly after.

Despite efforts to notify affected customers, some systems remained unpatched even two years later.

The absence of publicly available information about CVE-2022-35202 until now has hindered broader awareness and remediation efforts.

Given Sitevision’s role in critical national infrastructure, including services like the Swedish Tax Agency, extended disclosure timelines were implemented to prevent exploitation before patches were widely applied.

This incident underscores the importance of strong password policies and proper configuration management in safeguarding sensitive systems against exploitation.
