CVE-2022-23610: CWE-347: Improper Verification of Cryptographic Signature in wireapp wire-server
wire-server provides back end services for Wire, an open source messenger. In versions of wire-server prior to the 2022-01-27 release, it was possible to craft DSA Signatures to bypass SAML SSO and impersonate any Wire user with SAML credentials. In teams with SAML, but without SCIM, it was possible to create new accounts with fake SAML credentials. Under certain conditions that can be established by an attacker, an upstream library for parsing, rendering, signing, and validating SAML XML data was accepting public keys as trusted that were provided by the attacker in the signature. As a consequence, the attacker could log in as any user in any Wire team with SAML SSO enabled. If SCIM was not enabled, the attacker could also create new users with new SAML NameIDs. In order to exploit this vulnerability, the attacker needs to know the SSO login code (distributed to all team members with SAML credentials and visible in the Team Management app), the SAML EntityID identifying the IdP (a URL not considered sensitive, but usually hard to guess, also visible in Team Management), and the SAML NameID of the user (usually an email address or a nick). The issue has been fixed in wire-server `2022-01-27` and is already deployed on all Wire managed services. On premise instances of wire-server need to be updated to `2022-01-27`, so that their backends are no longer affected. There are currently no known workarounds. More detailed information about how to reproduce the vulnerability and mitigation strategies is available in the GitHub Security Advisory.
AI Analysis
Technical Summary
CVE-2022-23610 is a vulnerability in wire-server, the backend service for Wire, an open-source secure messaging platform. The flaw exists in versions of wire-server prior to the 2022-01-27 release (specifically versions before 2.123.0). The vulnerability arises from improper verification of cryptographic signatures (CWE-347) in the handling of SAML Single Sign-On (SSO) authentication.

The root cause is a trust mistake in the upstream library that parses, renders, signs, and validates SAML XML data: under conditions the attacker can establish, it verified a DSA signature against the public key carried inside the signed message itself rather than against the key registered for the IdP. A signature verifies trivially under the key its author chose to embed, so an attacker who signs a forged SAML response with a key pair of their own making passes the check without ever involving the real IdP. This lets the attacker impersonate any Wire user within a team that uses SAML SSO. Furthermore, in teams that have SAML enabled but lack System for Cross-domain Identity Management (SCIM), the attacker can create new user accounts with forged SAML credentials by supplying new SAML NameIDs.

Exploitation requires the attacker to know three pieces of information: the SSO login code (distributed to all team members with SAML credentials and visible in the Team Management app), the SAML EntityID (a URL identifying the Identity Provider, not treated as sensitive and also visible in Team Management), and the SAML NameID of the target user (usually an email address or nickname). None of these is a secret in the cryptographic sense; knowledge of the IdP's signing key is not required.

The vulnerability has been fixed in wire-server version 2022-01-27 and that release is already deployed on all Wire managed services. On-premise deployments must update to this version themselves. No known workarounds exist. At the time of this analysis no in-the-wild exploitation had been reported. The issue is critical because it undermines the integrity of the authentication mechanism, allowing unauthorized access and user impersonation within affected Wire teams.
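The trust mistake described above and in the advisory text, where the key used to verify the signature is taken from the message itself instead of from the IdP registered for the claimed EntityID, is shown below as an added Go example. This is illustrative code written for this page, not code from wire-server or its SAML library; ECDSA from the Go standard library stands in for the DSA signatures named in the advisory, and the trust error is identical for both. The `Assertion` struct, the EntityID and NameID values, and the two verifier functions are all assumptions made for the example; real SAML XML, canonicalisation and the rest of the protocol are deliberately left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Assertion is a constructed stand-in for the parts of a signed SAML Response
// that matter for this bug: the signed content, the signature, and the key
// material the sender embedded alongside it (what ds:KeyInfo carries in XML-DSig).
type Assertion struct {
	Issuer  string           // SAML EntityID the message claims to come from
	NameID  string           // subject the message asserts is logged in
	Sig     []byte           // ASN.1 DER ECDSA signature over digest()
	KeyInfo *ecdsa.PublicKey // key the *sender* chose to ship with the signature
}

// digest binds issuer and subject into the value that is signed.
func digest(a *Assertion) []byte {
	h := sha256.Sum256([]byte(a.Issuer + "\x00" + a.NameID))
	return h[:]
}

// Sign produces an assertion the way any signer would, embedding the signer's
// own public key. An attacker can call this with a key pair they generated.
func Sign(priv *ecdsa.PrivateKey, issuer, nameID string) (*Assertion, error) {
	a := &Assertion{Issuer: issuer, NameID: nameID, KeyInfo: &priv.PublicKey}
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest(a))
	if err != nil {
		return nil, err
	}
	a.Sig = sig
	return a, nil
}

// VerifyTrustingKeyInfo is the vulnerable pattern: the signature is checked
// under the key shipped inside the message. Any key the attacker generated
// passes, so a "valid" result says nothing about who actually signed.
func VerifyTrustingKeyInfo(a *Assertion) bool {
	return a.KeyInfo != nil && ecdsa.VerifyASN1(a.KeyInfo, digest(a), a.Sig)
}

// VerifyPinned is the hardened pattern: the key is looked up from the IdP
// metadata configured for the claimed EntityID, and KeyInfo is ignored.
func VerifyPinned(trusted map[string]*ecdsa.PublicKey, a *Assertion) error {
	key, ok := trusted[a.Issuer]
	if !ok {
		return errors.New("issuer is not a configured IdP")
	}
	if !ecdsa.VerifyASN1(key, digest(a), a.Sig) {
		return errors.New("signature does not verify under the IdP's registered key")
	}
	return nil
}

// ScenarioResult records how each verifier judged a genuine and a forged assertion.
type ScenarioResult struct {
	GenuineVulnerable, GenuinePinned bool // a real IdP assertion: both should be true
	ForgedVulnerable, ForgedPinned   bool // attacker-signed: vulnerable accepts, pinned must reject
}

// RunScenario plays the attack. The attacker knows only the EntityID and the
// victim's NameID (the non-secret values the advisory lists) and signs with a
// key pair of their own; the IdP's private key is never touched.
func RunScenario() (ScenarioResult, error) {
	var r ScenarioResult
	const entityID = "https://idp.example.test/saml/metadata" // assumed EntityID
	const victim = "alice@example.test"                      // assumed NameID

	idpKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return r, err
	}
	trusted := map[string]*ecdsa.PublicKey{entityID: &idpKey.PublicKey} // IdP metadata

	genuine, err := Sign(idpKey, entityID, victim)
	if err != nil {
		return r, err
	}
	r.GenuineVulnerable = VerifyTrustingKeyInfo(genuine)
	r.GenuinePinned = VerifyPinned(trusted, genuine) == nil

	attackerKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return r, err
	}
	forged, err := Sign(attackerKey, entityID, victim) // same issuer and subject, attacker's key
	if err != nil {
		return r, err
	}
	r.ForgedVulnerable = VerifyTrustingKeyInfo(forged)
	r.ForgedPinned = VerifyPinned(trusted, forged) == nil
	return r, nil
}

func main() {
	r, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine assertion: keyinfo-verifier=%v pinned-verifier=%v\n", r.GenuineVulnerable, r.GenuinePinned)
	fmt.Printf("forged assertion:  keyinfo-verifier=%v pinned-verifier=%v\n", r.ForgedVulnerable, r.ForgedPinned)
}
```

The fix is not a different signature algorithm but a different source of truth for the key: a service provider must resolve the verification key from the IdP metadata it already holds for the EntityID and treat any key material inside the message as untrusted input. The same check applies whether the embedded material is a raw key or an X.509 certificate.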
Potential Impact
For European organizations using Wire with SAML SSO, this vulnerability poses a significant risk to confidentiality and integrity. An attacker who obtains the SSO login code and the target's EntityID and NameID can impersonate any user, potentially reading sensitive communications, confidential business information, and internal collaboration data. In organizations without SCIM enabled, the attacker can additionally create new user accounts, which extends their foothold and gives them persistence that survives a password reset of any legitimate user. This could lead to data leakage and to messages sent in the name of trusted colleagues, and an attacker holding a trusted account is well placed to deceive other team members. The impact is particularly severe for sectors relying on Wire for secure messaging, such as government agencies, financial institutions, legal firms, and critical infrastructure operators. The ability to bypass SAML SSO undermines trust in the authentication process as a whole. Given that Wire is used for secure and private communication, exploitation could also breach obligations under GDPR and other European data protection regulations, with regulatory and reputational consequences.
Mitigation Recommendations
European organizations should immediately verify their wire-server version and upgrade any on-premise instances to version 2022-01-27 or later. Since no workarounds exist, patching is the only real mitigation. Additionally, organizations should:
1) Audit and restrict access to the SSO login code and ensure it is distributed securely and only to personnel who need it; note that by design it is visible to every team member with SAML credentials, so it should not be treated as a secret that protects the team.
2) Review and tighten access controls around the Team Management app to limit who can see SAML EntityIDs and NameIDs.
3) Enable SCIM provisioning if not already in use, since with SCIM enabled the flaw no longer allows an attacker to create new accounts with fake SAML credentials (impersonation of existing users is still possible until patched).
4) Monitor authentication logs for unusual login patterns or creation of new users that could indicate exploitation attempts, in particular SSO logins for a user that have no matching authentication event at the IdP.
5) Conduct security awareness training for administrators managing Wire teams to recognize and report suspicious activities.
6) Do not rely on multi-factor authentication at the IdP as a mitigation: the forged SAML response never passes through the IdP, so MFA enforced there is not consulted. MFA helps against stolen credentials, not against this flaw.
7) On the service-provider side, confirm that SAML signature validation trusts only keys taken from the IdP metadata registered for the EntityID and never key material carried inside the message itself; this is the general check that the fixed release enforces.
These steps, combined with prompt patching, will reduce the risk of exploitation and limit potential damage.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Switzerland, Belgium, Norway, Denmark, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2022-01-19T00:00:00.000Z
- Cisa Enriched: true
Threat ID: 682d9842c4522896dcbf2913
Added to database: 5/21/2025, 9:09:22 AM
Last enriched: 6/23/2025, 1:36:14 PM
Last updated: 8/17/2025, 2:13:11 PM