CVE-2023-6578 in WebMethods
Summary
by MITRE • 12/07/2023
A vulnerability classified as critical has been found in Software AG WebMethods 10.11.x/10.15.x. Affected is an unknown function of the file wm.server/connect/. The manipulation leads to improper access controls. It is possible to launch the attack remotely. To access a file like /assets/ a popup may request username and password. By just clicking CANCEL you will be redirected to the directory. If you visited /invoke/wm.server/connect, you'll be able to see details like internal IPs, ports, and versions. In some cases if access to /assets/ is refused, you may enter /assets/x as a wrong value, then come back to /assets/ which we will show the requested data. It appears that insufficient access control is depending on referrer header data. VDB-247158 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 12/30/2023
This critical vulnerability in Software AG WebMethods 10.11.x/10.15.x represents a severe access control flaw that enables remote exploitation through improper authentication mechanisms. The vulnerability exists within the wm.server/connect/ component and manifests through insufficient validation of referrer header data, allowing attackers to bypass intended security controls. The flaw specifically affects the file path handling within the web application's server-side components, creating a pathway for unauthorized information disclosure and potential privilege escalation.
The technical implementation of this vulnerability stems from inadequate input validation and access control enforcement within the web application's authentication flow. When users navigate to protected resources such as /assets/ or /invoke/wm.server/connect/, the application relies on referrer headers to determine access permissions rather than implementing proper session-based authentication controls. This design flaw allows attackers to manipulate their browser's referrer header values or exploit the application's response to malformed requests to gain access to sensitive internal information. The vulnerability demonstrates characteristics consistent with CWE-285 Improper Authorization and CWE-352 Cross-Site Request Forgery vulnerabilities, where the application fails to properly verify user credentials and authorization status.
The operational impact of this vulnerability extends beyond simple information disclosure to potentially enable more sophisticated attacks. Attackers can access internal system details including IP addresses, port configurations, and version information through the /invoke/wm.server/connect/ endpoint, which provides comprehensive system introspection capabilities. The ability to bypass access controls through simple navigation patterns and header manipulation creates a significant risk for organizations relying on WebMethods for enterprise integration services. The vulnerability's remote exploitability means that attackers can leverage this flaw from external networks without requiring physical access or prior authentication credentials, making it particularly dangerous in production environments.
Organizations should immediately implement mitigations including strengthening access control mechanisms, implementing proper authentication verification for all application endpoints, and disabling unnecessary directory listing features. Network segmentation and firewall rules should be configured to restrict access to sensitive endpoints, while application-level controls should enforce strict session management and referrer header validation. The vulnerability's disclosure highlights the importance of maintaining vendor communication channels and implementing robust security monitoring to detect unauthorized access attempts. Security teams should also consider implementing web application firewalls and intrusion detection systems to monitor for exploitation attempts targeting this specific flaw. This vulnerability represents a classic case of insecure direct object reference where the application fails to properly validate access to internal resources, creating a pathway for attackers to enumerate system components and potentially escalate privileges within the affected environment.