CVE-2022-34270
📋 TL;DR
In RWS WorldServer versions before 11.7.3, regular authenticated users can create new user accounts with Administrator privileges through the UserWSUserManager component. This privilege escalation vulnerability affects all organizations using vulnerable WorldServer instances where regular users have access to user management functions.
💻 Affected Systems
- RWS WorldServer
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
An attacker with regular user access creates administrator accounts, gains full system control, accesses sensitive translation/localization data, modifies system configurations, and potentially deploys additional malware.
Likely Case
Malicious insider or compromised regular user account creates administrator accounts to bypass security controls, access restricted data, and maintain persistent access to the system.
If Mitigated
With proper access controls and monitoring, unauthorized privilege escalation attempts are detected and blocked before successful exploitation.
🎯 Exploit Status
Exploitation requires authenticated regular user access. The vulnerability is straightforward to exploit once an attacker has valid credentials.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 11.7.3 or later
Vendor Advisory: https://www.rws.com/localization/products/trados-enterprise/worldserver/
Restart Required: Yes
Instructions:
1. Download WorldServer 11.7.3 or later from RWS support portal. 2. Backup current installation and database. 3. Stop WorldServer services. 4. Apply the update following RWS upgrade documentation. 5. Restart services and verify functionality.
🔧 Temporary Workarounds
Restrict User Management Access
allTemporarily remove regular user access to user management functions until patching can be completed.
Enhanced User Creation Monitoring
allImplement real-time alerts for any user creation or privilege escalation attempts.
🧯 If You Can't Patch
- Implement strict access controls to limit which users can access user management interfaces
- Enable detailed auditing of all user creation and privilege modification events with immediate alerting
🔍 How to Verify
Check if Vulnerable:
Check WorldServer version via admin interface or configuration files. Versions below 11.7.3 are vulnerable.Check Version:
Check WorldServer web interface admin panel or review installation directory version filesVerify Fix Applied:
After updating, verify version is 11.7.3 or higher and test that regular users cannot create administrator accounts.📡 Detection & Monitoring
Log Indicators:
- Unusual user creation events
- Regular users attempting to assign administrator roles
- Multiple failed privilege escalation attempts
Network Indicators:
- Unusual API calls to user management endpoints from non-admin accounts
SIEM Query:
source="worldserver" AND (event_type="user_creation" OR event_type="role_assignment") AND user_role="regular" AND target_role="administrator"