CVE-2022-38200 - Exposing a Cross-Site Scripting Vulnerability in ArcGIS Server Map Services for Versions 10.8.1 and 10.7.1

Security researchers have discovered a new vulnerability, assigned the name CVE-2022-38200, in the ArcGIS Server software. This vulnerability affects map services running on specific server configurations for versions 10.8.1 and 10.7.1. The complex part of this vulnerability is that it allows attackers to execute arbitrary JavaScript code in the context of the victim's browser using specially crafted web requests.

To provide a comprehensive overview of this issue, let's walk through the vulnerability details, code snippets, original references, and how an attacker might exploit it.

Detailed vulnerability description

ArcGIS Server, developed by Esri, is a popular software used by various industries to create, manage, and share geographic data, maps, and services. The problem lies in some map service configurations of the software, specifically with versions 10.8.1 and 10.7.1. An attacker can exploit this vulnerability by sending specially crafted web requests that allow them to run arbitrary JavaScript code in the victim's browser.

This Cross-site Scripting (XSS) attack can lead to unintended information disclosure, manipulation of displayed web content, or unauthorized actions on behalf of the victim user. To fully understand this vulnerability, let's take a closer look at the code snippets involved and the specific attack vector.

Code snippet

The following code snippet demonstrates how an attacker might craft a malicious web request targeting this vulnerability:

http://vulnerable-arcgis-server/arcgis/rest/services/MapServiceName/MapServer/export?bbox=-130%2c16%2c-65%2c68&size=800%2c400&f=image&format=png&dynamicLayers=[{%22id%22:%220%22%2c%22source%22:{%22type%22:%22mapLayer%22%2c%22mapLayerId%22:}%2c%22drawingInfo%22:{%22renderer%22:{%22type%22:%22simple%22%2c%22symbol%22:{%22type%22:%22text%22%2c%22style%22:%22<script>alert(%27XSS%20Attack%27)</script>%22}}}}]

This web request targets an ArcGIS server running a vulnerable map service configuration, and attempts to export a map image. The attacker provides a malicious payload within the 'symbol' parameter, containing <script> tags enclosing an arbitrary JavaScript code segment (e.g., an alert() statement). When a victim follows this crafted link or is directed to the URL by other means, the malicious JavaScript code is executed in their browser.

Original references and vulnerability resources

You can find the original vulnerability disclosure and resources directly from Esri and the NIST National Vulnerability Database (NVD) through the following links:

* Esri Security Bulletin: https://www.esri.com/en-us/security/bulletin/labs-zdi-can-14613
* NIST CVE-2022-38200: https://nvd.nist.gov/vuln/detail/CVE-2022-38200

To exploit this vulnerability, an attacker needs to

1. Identify a vulnerable ArcGIS Server running versions 10.8.1 or 10.7.1 with susceptible map service configurations.
2. Craft a malicious web request that contains an arbitrary JavaScript payload, as demonstrated in the code snippet provided above.
3. Persuade a victim to visit the crafted URL by using phishing or other social engineering techniques, embedding the link in a webpage or online forum, or any other method that may result in directing the victim's browser towards the malicious website.
4. Upon the victim visiting the malicious URL, the arbitrary JavaScript code will execute in the context of their browser, granting the attacker the ability to perform various malicious activities, such as information theft, web content manipulation, or unauthorized actions.

Protection and mitigation recommendations

Alarmed by this vulnerability? Esri has provided patches for ArcGIS Server versions 10.8.1 and 10.7.1 to address the issue. As a security best practice, you should always keep your software up-to-date with the latest security patches. To mitigate this vulnerability, it is advised to:

* Apply the patches released by Esri for affected versions.
* Restrict access to the vulnerable ArcGIS Server instances to trusted users and networks only. Utilize secure communication protocols like HTTPS/VPN when possible.
* Provide training and awareness for employees to recognize potential phishing or other attacks that might exploit this vulnerability.

By understanding this vulnerability and taking the necessary mitigation steps, you can safeguard your ArcGIS Server instances from potential exploitation and minimize the impact of this XSS vulnerability on your organization.

Timeline

Published on: 10/25/2022 17:15:00 UTC
Last modified on: 10/31/2022 13:40:00 UTC