CVE-2022-22796

7.0 HIGH

📋 TL;DR

This authentication bypass in SysAid lets an unauthenticated attacker obtain a logged-in session by requesting a specific sequence of JSP pages (/wmiwizard.jsp, then /ConcurrentLogin.jsp) and ending on /home.jsp without ever supplying valid credentials. Organizations running an affected version of the SysAid IT service management software are exposed.

💻 Affected Systems

Products:
  • SysAid IT Service Management
Versions: Versions prior to 22.3.36
Operating Systems: All platforms running SysAid
Default Config Vulnerable: ⚠️ Yes
Notes: Affects default installations; no special configuration required for exploitation.

📦 What is this software?

SysAid is an IT service management (ITSM) and help desk platform covering ticketing, asset management and remote support. It is offered as a cloud service and as an on-premises server; the on-premises product serves its web interface from an embedded Apache Tomcat, which is why the affected pages are JSPs.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system takeover with administrative privileges, data exfiltration, ransomware deployment, and lateral movement across the network.

🟠 Likely Case: Unauthorized access to sensitive IT service management data, configuration changes, and potential privilege escalation.

🟢 If Mitigated: Limited impact where network segmentation, monitoring, and authentication controls in front of SysAid are in place.

🌐 Internet-Facing: HIGH - Directly exploitable via web interface without authentication.
🏢 Internal Only: HIGH - Internal attackers or compromised accounts can exploit this easily.

🎯 Exploit Status

Public PoC: ⚠️ Yes (the reproduction steps are a page sequence and are in the advisory itself)
Weaponized: LIKELY (no specific tooling is cited here, but none is needed)
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The exploit is a short sequence of ordinary browser requests; it requires no special tools or skills.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 22.3.36 and later

Vendor Advisory: https://www.sysaid.com/blog/entry/sysaid-security-update

Restart Required: Yes

Instructions:

1. Back up the current configuration and database.
2. Download and install SysAid version 22.3.36 or later.
3. Restart the SysAid service.
4. Verify that authentication still works and that the bypass sequence now redirects to the login page.

🔧 Temporary Workarounds

Block vulnerable endpoints (any platform)

Use a web application firewall or reverse proxy in front of SysAid to block the entry pages of the bypass. The pages involved are /wmiwizard.jsp, /ConcurrentLogin.jsp and /home.jsp, but /home.jsp is the landing page every authenticated user is sent to, so blocking it takes the portal down for everyone; block only the two entry pages unless a full outage is acceptable, and test that normal login still works afterwards (ConcurrentLogin.jsp is likely part of the legitimate "already logged in elsewhere" flow). Match the Tomcat ;jsessionid path parameter and ignore case so trivial variants are not missed.

# Example for Apache mod_rewrite, in server or VirtualHost context (where the
# pattern sees the leading "/"; in .htaccess the leading slash is stripped):
RewriteEngine On
RewriteRule ^/(wmiwizard|ConcurrentLogin)\.jsp(;|$) - [F,L,NC]

Restrict network access (linux)

Limit SysAid access to trusted IP ranges only. Insert the rules ahead of any existing broad ACCEPT for the port (an appended rule after such an ACCEPT never matches), change 8080 (SysAid's default HTTP port) to the port you actually expose, and persist the rules so they survive a reboot.

# Example iptables rules:
iptables -I INPUT 1 -p tcp --dport 8080 -s 192.168.1.0/24 -j ACCEPT
iptables -I INPUT 2 -p tcp --dport 8080 -j DROP

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate SysAid from critical systems
  • Front the web interface with a VPN or an authenticating reverse proxy, so the bypass is reachable only by users who have already authenticated elsewhere
  • Enable detailed access logging and monitor for the bypass request sequence (see Detection & Monitoring)

🔍 How to Verify

Check if Vulnerable:

From a browser with no SysAid session (a fresh private window), request /wmiwizard.jsp, then /ConcurrentLogin.jsp, and submit its login button. On a vulnerable build you land on /home.jsp as a logged-in user; on a fixed build you are redirected to the login page. This exercises the bypass itself, so run it only against systems you are authorized to test and record it, since it will appear in the access logs exactly like an attack.

Check Version:

Check the SysAid version in the administration panel, or via the /api/v1/system/version endpoint where your build exposes it (the REST API requires an authenticated session). Anything below 22.3.36 is affected.

Verify Fix Applied:

After patching, repeat the same sequence from an unauthenticated browser; /home.jsp should answer with a redirect to the login page rather than a logged-in home page.

📡 Detection & Monitoring

Log Indicators:

  • A session that reaches /home.jsp without a preceding successful login event for the same client
  • Requests to /wmiwizard.jsp from clients that have no authenticated session (the page is an administrative wizard, not something an anonymous visitor should fetch)

Network Indicators:

  • HTTP requests to /wmiwizard.jsp and /ConcurrentLogin.jsp in sequence from one source, followed by /home.jsp
  • /home.jsp answered with 200 (rather than a 302 to the login page) for a client with no session

SIEM Query:

The original one-event query cannot match, because a single access-log event has one URI; the three pages are separate requests and must be correlated per source. Splunk SPL form (the field names uri, src_ip and status depend on your sourcetype's extractions; adjust them):

source="sysaid" (uri="/wmiwizard.jsp" OR uri="/ConcurrentLogin.jsp" OR uri="/home.jsp")
| transaction src_ip maxspan=5m
| search uri="/wmiwizard.jsp" AND uri="/ConcurrentLogin.jsp" AND uri="/home.jsp"

The transaction does not enforce request order or check the /home.jsp status code; tune it, or use the per-client state machine below, if the volume of legitimate /home.jsp hits makes it noisy.
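The same correlation as a stand-alone hunt over web-server access logs. This is an added example written for this page, not SysAid's or any vendor's code: it parses Apache/Tomcat common-log-format lines, tracks the ordered sequence /wmiwizard.jsp → /ConcurrentLogin.jsp → /home.jsp per client within a time window, and reports only sequences where /home.jsp returned 200 (a fixed build answers with a redirect). The log lines are constructed sample data; the POST to /ConcurrentLogin.jsp and the /Login.jsp path in them are assumptions about what the legitimate and bypass flows look like, not facts from the advisory.

```python
"""Hunt for the CVE-2022-22796 request sequence in access logs (added example, not vendor code)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Common Log Format as written by Apache httpd and Tomcat's AccessLogValve "common" pattern.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# The ordered page sequence from the advisory; compared after normalisation (lower-case,
# query string and Tomcat ";jsessionid=" path parameter stripped).
SEQUENCE = ("/wmiwizard.jsp", "/concurrentlogin.jsp", "/home.jsp")


def normalize_path(path):
    """Drop the query string and any ';' path parameter, then lower-case."""
    return path.split("?", 1)[0].split(";", 1)[0].lower()


def parse_line(line):
    """Return a dict for one access-log line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": normalize_path(m["path"]),
        "status": int(m["status"]),
    }


def find_bypass_sequences(lines, maxspan=timedelta(minutes=5)):
    """Return [(ip, first_ts, last_ts)] for every client whose requests hit the three pages
    in order within `maxspan`, with /home.jsp answered 200. A 302 on /home.jsp (fixed build
    redirecting to login) or an expired window resets the per-client state machine."""
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_ip[ev["ip"]].append(ev)

    hits = []
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])          # stable: equal timestamps keep log order
        stage, start = 0, None
        for ev in events:
            if start is not None and ev["ts"] - start > maxspan:
                stage, start = 0, None              # window expired, start over
            if ev["path"] == SEQUENCE[0]:
                stage, start = 1, ev["ts"]          # (re)start on every wizard hit
            elif stage == 1 and ev["path"] == SEQUENCE[1]:
                stage = 2
            elif stage == 2 and ev["path"] == SEQUENCE[2]:
                if ev["status"] == 200:
                    hits.append((ip, start, ev["ts"]))
                stage, start = 0, None
    return hits


# Constructed sample log: one bypass (203.0.113.7), one normal login (198.51.100.4),
# one attempt against a fixed build that redirects /home.jsp (192.0.2.9).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2022:09:14:02 +0000] "GET /wmiwizard.jsp HTTP/1.1" 200 1843
203.0.113.7 - - [10/Mar/2022:09:14:09 +0000] "GET /ConcurrentLogin.jsp HTTP/1.1" 200 2210
203.0.113.7 - - [10/Mar/2022:09:14:15 +0000] "POST /ConcurrentLogin.jsp HTTP/1.1" 302 0
203.0.113.7 - - [10/Mar/2022:09:14:15 +0000] "GET /home.jsp;jsessionid=ABC123 HTTP/1.1" 200 15320
198.51.100.4 - - [10/Mar/2022:09:20:00 +0000] "GET /Login.jsp HTTP/1.1" 200 5120
198.51.100.4 - - [10/Mar/2022:09:20:31 +0000] "GET /home.jsp HTTP/1.1" 200 15320
192.0.2.9 - - [10/Mar/2022:10:02:44 +0000] "GET /wmiwizard.jsp HTTP/1.1" 200 1843
192.0.2.9 - - [10/Mar/2022:10:02:50 +0000] "GET /ConcurrentLogin.jsp HTTP/1.1" 200 2210
192.0.2.9 - - [10/Mar/2022:10:02:58 +0000] "GET /home.jsp HTTP/1.1" 302 0
"""

if __name__ == "__main__":
    for ip, first, last in find_bypass_sequences(SAMPLE_LOG.splitlines()):
        print(f"possible CVE-2022-22796 bypass from {ip}: {first.isoformat()} .. {last.isoformat()}")
```

Run it against a real access log with `find_bypass_sequences(open("access.log"))`; if your log format differs (for example Tomcat's "combined" pattern with a referer and user agent), only LOG_RE needs adjusting, since the regex anchors on the request line and status code and ignores trailing fields.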

🔗 References

  • Vendor advisory: https://www.sysaid.com/blog/entry/sysaid-security-update