CVE-2022-23720
📋 TL;DR
PingID Windows Login versions before 2.8 fail to warn or stop when configured with full-permission API credentials meant for administrative systems like PingFederate. This allows attackers who discover these credentials on user endpoints to perform administrative actions against PingID APIs. Organizations using PingID Windows Login prior to version 2.8 are affected.
💻 Affected Systems
- PingID Windows Login
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain administrative control over PingID systems, allowing them to modify configurations, create/delete users, bypass MFA, or disable security controls across the entire PingID deployment.
Likely Case
Attackers with access to user endpoints discover credentials and use them to perform limited administrative actions, potentially bypassing MFA for targeted accounts or extracting sensitive user data.
If Mitigated
Proper credential management prevents exposure, limiting impact to unauthorized access attempts that fail due to credential validation.
🎯 Exploit Status
Exploitation requires access to the misconfigured properties file on a user endpoint, then using the credentials against PingID APIs.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.8 and later
Vendor Advisory: https://docs.pingidentity.com/bundle/pingid/page/zhy1653552428545.html
Restart Required: Yes
Instructions:
1. Download PingID Windows Login 2.8 or later from Ping Identity.
2. Install the update on all affected Windows endpoints.
3. Restart systems to apply changes.
4. Verify the configuration uses appropriate (user-level, not full-permission) credentials.
🔧 Temporary Workarounds
Remove Administrative Credentials
Windows: Replace full-permission PingID properties files with user-level credentials on all endpoints.
Manually edit or replace the PingID properties configuration file with appropriate credentials
Restrict File Access
Windows: Set strict file permissions on PingID properties files to prevent unauthorized access.
icacls "C:\Path\To\PingID\properties" /inheritance:r /grant:r "SYSTEM:(OI)(CI)F" "Administrators:(OI)(CI)F" /deny "Users:(OI)(CI)(R,W)"
The path above is a placeholder for the actual install location. A deny ACE takes precedence over any grant, so confirm on one endpoint that PingID Windows Login still reads its configuration before rolling the ACL out; this restricts who can read the file but does not remove over-privileged credentials from it.
🧯 If You Can't Patch
- Audit all PingID Windows Login endpoints to ensure no administrative credentials are present in properties files.
- Implement network segmentation to restrict PingID API access from user endpoints to only necessary functions.
🔍 How to Verify
Check if Vulnerable:
Check the PingID Windows Login version via Control Panel > Programs and confirm whether it is below 2.8, then inspect the properties files for full-permission (administrative) credentials.
Check Version:
wmic product where name="PingID Windows Login" get version
Verify Fix Applied:
Confirm version is 2.8 or higher and properties files contain only user-level credentials.
📡 Detection & Monitoring
Log Indicators:
- Unusual administrative API calls from non-privileged endpoints in PingID logs
- Failed authentication attempts followed by successful administrative actions
Network Indicators:
- API requests to PingID administrative endpoints from user workstations
- Unusual traffic patterns to PingID API servers
SIEM Query (pseudo-syntax; adapt to your SIEM's query language and replace [user_subnet] with your workstation address ranges):
source="pingid" AND (action="admin" OR user_role="administrator") AND src_ip IN [user_subnet]
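The two log indicators above, implemented as detection logic over constructed sample events (an added example, not code from the advisory or from Ping Identity). The event field names, the `admin.`-prefixed action names and the 10.20.0.0/16 workstation range are assumptions standing in for the real PingID log schema and the `[user_subnet]` placeholder in the SIEM query.

```python
import ipaddress
import json
from datetime import datetime, timedelta
# Constructed sample PingID-style audit events as JSON lines. The field names (source, ts,
# action, user_role, result, src_ip) mirror the SIEM query above; they are not the real PingID schema.
SAMPLE_EVENTS = [
    '{"source":"pingid","ts":"2022-03-01T09:00:00","action":"auth.login","user_role":"user","result":"failure","src_ip":"10.20.5.17"}',
    '{"source":"pingid","ts":"2022-03-01T09:00:20","action":"auth.login","user_role":"user","result":"failure","src_ip":"10.20.5.17"}',
    '{"source":"pingid","ts":"2022-03-01T09:01:05","action":"admin.user.delete","user_role":"administrator","result":"success","src_ip":"10.20.5.17"}',
    '{"source":"pingid","ts":"2022-03-01T09:02:00","action":"admin.config.update","user_role":"administrator","result":"success","src_ip":"10.0.1.8"}',
    '{"source":"other","ts":"2022-03-01T09:03:00","action":"admin.user.delete","user_role":"administrator","result":"success","src_ip":"10.20.5.99"}',
    "not json at all",
]
USER_SUBNETS = [ipaddress.ip_network("10.20.0.0/16")]  # constructed; stands in for [user_subnet]


def parse_events(lines):
    """Parse JSON lines; skip malformed lines and anything not sourced from PingID."""
    events = []
    for line in lines:
        try:
            ev = json.loads(line)
            ev["ip"] = ipaddress.ip_address(ev["src_ip"])
            ev["time"] = datetime.fromisoformat(ev["ts"])
        except (ValueError, KeyError, TypeError):
            continue
        if ev.get("source") == "pingid":
            events.append(ev)
    return events

def is_admin_action(ev):
    return ev.get("user_role") == "administrator" or ev.get("action", "").startswith("admin.")

def admin_actions_from_workstations(lines, user_subnets=USER_SUBNETS):
    """Indicator 1: administrative PingID API activity sourced from a user subnet."""
    return [ev for ev in parse_events(lines)
            if is_admin_action(ev) and any(ev["ip"] in net for net in user_subnets)]

def failures_then_admin_success(lines, window=timedelta(minutes=5), min_failures=2):
    """Indicator 2: failed authentications from one IP followed by an admin success from it."""
    events = sorted(parse_events(lines), key=lambda e: e["time"])
    hits = []
    for i, ev in enumerate(events):
        if not (is_admin_action(ev) and ev.get("result") == "success"):
            continue
        failures = [p for p in events[:i] if p["ip"] == ev["ip"]
                    and p.get("result") == "failure" and ev["time"] - p["time"] <= window]
        if len(failures) >= min_failures:
            hits.append(ev)
    return hits
```

On the sample data both detectors flag only the `admin.user.delete` event from 10.20.5.17; the admin action from 10.0.1.8 is outside the workstation range and has no preceding failures.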