Intelligence | Vulnerability | Severity: High | Status: Active

OpenAM Liberty IDPP Anonymous SOAP Write Access – Privilege Escalation via Unauthenticated Discovery Store Manipulation

OpenAM versions ≤16.0.6 allow unauthenticated attackers to write arbitrary data to the Liberty Discovery store with admin privileges, bypassing identity ACLs. This enables persistent user profile tampering and potential service routing manipulation in deployments consuming Liberty metadata.

Sebastion

CVE References

Affected

ForgeRock OpenAM Community Edition ≤16.0.6

Vulnerability Description: This is an Improper Authorization (CWE-285) flaw in the SOAP handlers of OpenAM's Liberty Web Services component. Liberty ID-WSF is a legacy identity web-services framework from the Liberty Alliance era, superseded in practice by SAML 2.0, OAuth 2.0 and OIDC, but OpenAM still ships its Discovery Service (and the Personal Profile service, IDPP, that depends on it) as SOAP endpoints. The flaw is that the Discovery handlers perform their write operations under an internal admin token instead of resolving the caller's identity and checking its permissions, so the normal identity verification and LDAP-layer ACLs never apply. An unauthenticated request can therefore write arbitrary data both to user-specific LDAP entries and to shared realm-level Discovery branches.

Proof-of-Concept Significance: The PoC demonstrates that the vulnerable endpoint is reachable without any authentication and that the resulting write operations succeed with elevated privileges. This is a reliable, unconditional bypass: the attacker needs neither stolen credentials nor a secondary flaw. Preconditions are minimal: (1) OpenAM ≤16.0.6 is deployed; (2) Liberty Web Services is exposed, which is the shipped default; (3) the SOAP endpoint is reachable over the network. The PoC also shows that exploitation does not depend on any downstream Liberty consumer being present; the impact grows where organizations feed Discovery data into routing or security decisions.

Detection Guidance: Monitor for: (1) HTTP/SOAP logs: POST requests to the Liberty Discovery SOAP endpoints (e.g., /openam/IdentityManagementService, /openam/DiscoveryService) from unexpected or external sources; (2) LDAP audit logs: writes to user entries or to the o=sun realm branches performed by the internal admin or system account outside normal provisioning windows, and in particular writes to a user's entry with no authentication of that user shortly beforehand; (3) OpenAM logs: SOAP faults or successful SOAP responses with no corresponding authentication records in the same timeframe; (4) network signatures: SOAP envelopes targeting Liberty namespaces (urn:liberty:is:*, urn:liberty:disco:*) with ResourceID or EncryptedResourceID elements referencing user DNs. Query WAF/proxy logs for POST requests to these endpoints that carry no OAuth/SAML token. Note that legitimate ID-WSF callers authenticate inside the SOAP envelope (Liberty security headers) rather than with an HTTP bearer token, so a missing HTTP-layer token is a weak signal on its own and should be combined with the source address and the LDAP correlation in (2).
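The checks in (1), (2) and (4) above, as an added Python example that is not part of this advisory or of OpenAM. It runs offline over constructed sample data: a simplified access-log format, one SOAP envelope and LDAP audit records represented as dicts. The endpoint paths are the ones the advisory lists; the log format, the record field names, the trusted network prefixes and the internal bind DN (cn=dsameuser,...) are assumptions to be adapted to the deployment.

```python
# Added example, not advisory or OpenAM code. Endpoint paths come from the
# advisory; log format, field names, trusted networks and bind DN are assumptions.
import re
from datetime import datetime, timedelta

# Endpoint paths as listed in the advisory; adjust to your deployment.
LIBERTY_PATHS = ("/openam/IdentityManagementService", "/openam/DiscoveryService")
# Assumption: networks from which legitimate ID-WSF callers originate.
TRUSTED_PREFIXES = ("10.", "192.168.")
# Assumption: the system account OpenAM binds with when writing on its own behalf.
INTERNAL_BIND_DN = "cn=dsameuser,ou=DSAME Users,dc=example,dc=com"

LIBERTY_NS = re.compile(r"urn:liberty:(?:is|disco):", re.I)
RESOURCE_ID = re.compile(r"<(?:\w+:)?(?:Encrypted)?ResourceID\b", re.I)

# Constructed, simplified access-log line:
#   <iso-timestamp> <client-ip> "<METHOD> <path> HTTP/x.y" <status> <auth>
# <auth> is "-" when the request carried neither an Authorization header nor an SSO cookie.
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<auth>\S+)$'
)


def flag_http(lines):
    """Indicator (1): POSTs to Liberty endpoints without a token or from an untrusted source.
    Returns (timestamp, source, path, reasons) tuples."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than guess
        path = m["path"].split("?", 1)[0]
        if m["method"] != "POST" or not path.startswith(LIBERTY_PATHS):
            continue
        reasons = []
        if m["auth"] == "-":
            reasons.append("no-auth-token")
        if not m["src"].startswith(TRUSTED_PREFIXES):
            reasons.append("untrusted-source")
        if reasons:
            findings.append((datetime.fromisoformat(m["ts"]), m["src"], path, reasons))
    return findings


def classify_soap(body):
    """Indicator (4): Liberty namespaces and (Encrypted)ResourceID elements in a SOAP envelope."""
    tags = []
    if LIBERTY_NS.search(body):
        tags.append("liberty-namespace")
    if RESOURCE_ID.search(body):
        tags.append("resource-id")
    return tags


def unexplained_writes(ldap_writes, auth_events, window=timedelta(minutes=5)):
    """Indicator (2): writes by the internal account to a user entry with no authentication
    of that user within `window` before the write. Record shapes are assumptions."""
    out = []
    for w in ldap_writes:
        if w["bind_dn"] != INTERNAL_BIND_DN:
            continue
        rdn = w["target"].split(",", 1)[0]
        uid = rdn[4:] if rdn.startswith("uid=") else rdn
        explained = any(
            e["user"] == uid and timedelta(0) <= w["ts"] - e["ts"] <= window
            for e in auth_events
        )
        if not explained:
            out.append(w)
    return out


# Constructed sample data (not real logs).
SAMPLE_HTTP = [
    '2024-05-01T10:15:00 203.0.113.7 "POST /openam/DiscoveryService HTTP/1.1" 200 -',
    '2024-05-01T10:16:00 10.1.2.3 "POST /openam/DiscoveryService HTTP/1.1" 200 Bearer',
    '2024-05-01T10:17:00 10.1.2.3 "POST /openam/IdentityManagementService?wsdl HTTP/1.1" 500 -',
    '2024-05-01T10:18:00 203.0.113.7 "GET /openam/XUI/ HTTP/1.1" 200 -',
]
SAMPLE_SOAP = (
    '<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"><S:Body>'
    '<disco:Modify xmlns:disco="urn:liberty:disco:2003-08">'
    '<disco:ResourceID>uid=alice,ou=people,dc=example,dc=com</disco:ResourceID>'
    '</disco:Modify></S:Body></S:Envelope>'
)
T = datetime.fromisoformat
SAMPLE_LDAP_WRITES = [
    {"ts": T("2024-05-01T10:15:01"), "bind_dn": INTERNAL_BIND_DN,
     "target": "uid=alice,ou=people,dc=example,dc=com", "op": "MOD"},
    {"ts": T("2024-05-01T10:30:00"), "bind_dn": INTERNAL_BIND_DN,
     "target": "uid=bob,ou=people,dc=example,dc=com", "op": "MOD"},
    {"ts": T("2024-05-01T10:31:00"), "bind_dn": "cn=provisioner,ou=svc,dc=example,dc=com",
     "target": "uid=carol,ou=people,dc=example,dc=com", "op": "MOD"},
]
SAMPLE_AUTH_EVENTS = [{"ts": T("2024-05-01T10:28:00"), "user": "bob"}]

if __name__ == "__main__":
    for ts, src, path, reasons in flag_http(SAMPLE_HTTP):
        print("HTTP", ts.isoformat(), src, path, ",".join(reasons))
    print("SOAP", classify_soap(SAMPLE_SOAP))
    for w in unexplained_writes(SAMPLE_LDAP_WRITES, SAMPLE_AUTH_EVENTS):
        print("LDAP", w["ts"].isoformat(), w["target"])
```

On the sample data this flags the external unauthenticated POST and the internal unauthenticated POST, tags the envelope on both the namespace and the ResourceID element, and reports the write to alice's entry as unexplained while bob's write is explained by his authentication two minutes earlier. The LDAP correlation is the strongest of the three signals, because an ID-WSF write on a user's behalf should normally follow that user's own session.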

Mitigation Steps: (1) Patch immediately: upgrade to OpenAM 16.1.1 or later. (2) Disable legacy Liberty: if Liberty ID-WSF is not actively used, disable the Liberty Web Services component entirely, by configuration or by removing it from the deployment. (3) Network isolation: restrict access to the SOAP endpoints with firewall or reverse-proxy rules, limiting them to trusted internal callers and blocking external or untrusted sources. (4) Interim workaround (pre-patch): apply a WAF rule or reverse-proxy filter that rejects unauthenticated POST requests to the Liberty Discovery endpoints and requires an OAuth/SAML bearer token. Note that a proxy can only check that a token is present, not that it is valid, so this narrows exposure rather than closing it; the source-address allow-list in (3) is the more dependable of the two. (5) Audit existing stores: review LDAP and Discovery entries for unexpected modifications during the vulnerability window and restore clean backups if tampering is detected.

Risk Assessment: Likelihood of exploitation in the wild is moderate-to-high. OpenAM is deployed in many enterprise identity infrastructures, the Liberty endpoints are exposed by default, and the vulnerability requires no special capability: any attacker with network access to the endpoint can exploit it. The attack leaves no authentication trail (no credentials are used), is low-effort and highly reliable. Threat actors targeting identity infrastructure, insiders and opportunistic mass scanning are all plausible vectors. The practical impact, however, depends on how the manipulated Discovery records are consumed downstream. Organizations that do not use Liberty for routing or authentication decisions face lower practical risk, although the integrity of the stored data is still compromised. Organizations that consume Liberty metadata for service discovery or security policy face a significant risk of service disruption or authorization bypass.