CVE-2022-38197 is a security vulnerability identified in Esri's ArcGIS Server that lets remote, unauthenticated attackers mount phishing attacks. If exploited, a victim may unknowingly be sent to an attacker-controlled website. The vulnerability affects Esri ArcGIS Server versions 10.9.1 and below.

In this long-read post, we'll walk through the details of CVE-2022-38197, including example URLs, references to the original sources, and the redirect flow an attacker abuses. Let's get started!

Details

First, let's understand what an unvalidated redirect is. When a web application blindly accepts user-controllable data and uses it to build redirection URLs, it introduces an unvalidated redirect vulnerability. This is a serious issue since attackers can manipulate the URLs to redirect victims to their malicious websites.

The National Vulnerability Database (NVD) describes this as a weakness resulting from "improperly controlled modification of a URI (Uniform Resource Identifier)."

In the case of CVE-2022-38197, Esri ArcGIS Server performs an unvalidated redirect whose target an attacker can control through a specially crafted query parameter. This can be used for spear-phishing, as well as other attacks, against ArcGIS Server users by directing them to attacker-controlled sites.

Exploit Details

To better understand the potential exploit, let's take a closer look at the workflow of the vulnerable Esri ArcGIS Server.

Suppose the victim receives a URL that appears to point at a legitimate server (the hostnames and the redir path below are placeholders, not actual ArcGIS endpoints):

https://www.example.com/redir?url=https://www.safe-example.com

If an attacker alters the url parameter, the same endpoint redirects the victim to a site the attacker controls, like so:

https://www.example.com/redir?url=https://www.malicious-example.com

The vulnerable ArcGIS Server does not validate or block the redirect target (https://www.malicious-example.com) and sends the user on to the attacker-controlled site.
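To make the difference concrete, here is an added example (written for this post, not Esri's code) of the unvalidated redirect pattern described above beside a hardened handler that only follows targets on an allow-list or local paths; the allow-listed hostnames are constructed for the example.

```python
from urllib.parse import urlparse

# Constructed allow-list: hosts this deployment is permitted to redirect to.
ALLOWED_HOSTS = {"www.example.com", "www.safe-example.com"}


def vulnerable_redirect_target(url_param: str) -> str:
    """The unvalidated pattern: whatever arrives in ?url= becomes the Location header."""
    return url_param


def is_safe_redirect(url_param: str, allowed_hosts: set) -> bool:
    """True only if the target stays on an allow-listed host or is a local absolute path."""
    # Whitespace and control characters are commonly used to smuggle a second URL past parsers.
    if not url_param or any(c.isspace() or ord(c) < 0x20 for c in url_param):
        return False
    parsed = urlparse(url_param)
    if parsed.scheme:
        # Absolute URL: only http(s), and only to hosts we know. .hostname discards userinfo,
        # so https://www.safe-example.com@www.malicious-example.com resolves to the latter.
        if parsed.scheme.lower() not in ("http", "https"):
            return False
        return (parsed.hostname or "").lower() in allowed_hosts
    if parsed.netloc:
        return False  # scheme-relative form: //www.malicious-example.com
    # Local path: a single leading slash; browsers treat "//" and "/\" as a host, so reject those.
    return url_param.startswith("/") and not url_param.startswith(("//", "/\\"))


def safe_redirect_target(url_param: str, allowed_hosts: set = ALLOWED_HOSTS,
                         fallback: str = "/") -> str:
    """Hardened version: anything that fails validation falls back to a fixed local page."""
    return url_param if is_safe_redirect(url_param, allowed_hosts) else fallback


if __name__ == "__main__":
    candidates = (
        "https://www.safe-example.com",
        "https://www.malicious-example.com",
        "//www.malicious-example.com",
        "https://www.safe-example.com@www.malicious-example.com",
        "/portal/home",
    )
    for candidate in candidates:
        print(f"{candidate:55} vulnerable -> {vulnerable_redirect_target(candidate)}")
        print(f"{'':55} hardened   -> {safe_redirect_target(candidate)}")
```

Logging the rejected values from the fallback branch gives a cheap detection signal for redirect-abuse attempts against a deployment.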

Original References

For more information about this vulnerability, and to verify authenticity, consult the following sources:

1. CVE-2022-38197 in MITRE's CVE list: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38197

2. Esri ArcGIS Server security advisory: https://support.esri.com/en/security-advisory/CVE-2022-38197

3. National Vulnerability Database (NVD) entry: https://nvd.nist.gov/vuln/detail/CVE-2022-38197

Mitigation

Esri has not released any patches or updates as of now to address CVE-2022-38197. Until a fix is available, ArcGIS Server users should exercise caution when handling URLs and only click on those from trusted sources. Additionally, users should inform their web administrators about this vulnerability and urge them to apply any patches or workarounds when they become available.

Conclusion

In today's digital landscape, it's crucial to stay informed about the latest cyber threats. With CVE-2022-38197 targeting vulnerable versions of the Esri ArcGIS Server, users must be aware of the risks and ensure that the necessary measures are taken to safeguard their accounts and personal data. Keep an eye out for updates from Esri and other related sources to stay ahead of this vulnerability, as well as any new cyber threats on the horizon.

Timeline

Published on: 10/25/2022 17:15:00 UTC
Last modified on: 10/31/2022 13:46:00 UTC