CVE-2022-38197 - Unvalidated Redirect in Esri ArcGIS Server (10.9.1 and Below) – Exploit Details & Defense

Esri's ArcGIS Server is a well-known platform used for mapping and geographical information system (GIS) operations. In September 2022, Esri acknowledged a vulnerability (CVE-2022-38197) that might seem minor at first glance, but could be a stepping stone for much bigger problems like phishing. This post gives an in-depth, yet easy-to-follow look at this vulnerability, with real code snippets, a demo exploit, and mitigation tips.

What is CVE-2022-38197?

CVE-2022-38197 is a vulnerability caused by a lack of proper validation for redirect URLs in Esri ArcGIS Server versions 10.9.1 and earlier. In simple words: the server lets users be redirected to a third-party (possibly malicious) website, without checking if that redirection is safe.

This is classed as an Unvalidated Redirect. When exploited, attackers can send links that look like they belong to your trusted ArcGIS Server, but secretly send users to a phishing page or other harmful websites.

Why is This a Problem?

Unvalidated redirects are often overlooked, but can be the *beginning* of a far more dangerous attack. For example:

- Phishing: Users believe they're on a legitimate GIS portal and log in, giving away passwords to attackers.

How Does the Vulnerability Work?

ArcGIS Server includes endpoints that accept a redirect or similar parameter, which tells the server where to send the user after a certain action (such as logging in or following a special link). But, in versions up to 10.9.1, these parameters weren't properly checked.

This means an attacker can embed a link in an email, social media, or even another website, and send users off-site, without the user realizing.

Although the exact list of vulnerable endpoints might vary, the pattern looks like

https://maps.example.com/arcgis/rest/services/?redirect=<destination>;

Or sometimes

https://maps.example.com/arcgis/login?redirect=<destination>;

Here, <destination> is a URL chosen by the attacker.

1. Create a Malicious Page

First, the attacker sets up a phishing website, e.g., http://evil.com/fake-login.

Here’s how a malicious URL may look

https://maps.example.com/arcgis/login?redirect=http://evil.com/fake-login

3. Trap the Victim

The attacker sends the link over email:  
> "Hey, your map access needs verification. Please login here: [link]"

4. Victim Clicks

The victim sees the legitimate ArcGIS domain, clicks, and gets redirected to the attacker's page.

Let’s make a simple cURL command to check if your server is vulnerable

curl -I "https://maps.example.com/arcgis/login?redirect=http://evil.com";

If you see a Location: header in the response pointing to http://evil.com, your server is vulnerable.

Python Example

import requests

url = "https://maps.example.com/arcgis/login?redirect=http://evil.com";
response = requests.get(url, allow_redirects=False)
print(response.headers.get('Location'))

User thinks: “I’m logging into our company GIS.”

- Browser bar shows: maps.example.com > login?redirect=http://phishing.com

References

- NIST CVE Page: CVE-2022-38197
- Esri Security Bulletin (Vulnerability Details)
- OWASP Unvalidated Redirects and Forwards Cheat Sheet

How to Fix & Protect

- Update: The first and best solution is to upgrade your ArcGIS Server to a version beyond 10.9.1. Esri has fixed this in later releases.
- Block Suspicious Redirects: If you can’t upgrade, block or sanitize redirect or url parameters so only allowlisted domains are accepted.
- Warn Your Users: Let your users know to check for suspicious redirects before entering their login details.

Example Server-Side Fix (Python)

from urllib.parse import urlparse

ALLOWED_DOMAINS = ['maps.example.com']

def is_safe_redirect(url):
    netloc = urlparse(url).netloc
    return netloc == '' or netloc in ALLOWED_DOMAINS

# Usage:
if is_safe_redirect(user_redirect_url):
    redirect(user_redirect_url)
else:
    redirect('/error')

Conclusion

CVE-2022-38197 is a classic example of how small validation mistakes can open organizations up to phishing attacks. By understanding and patching these issues, you can hugely reduce risk for your users. If you’re running ArcGIS Server 10.9.1 or below, now’s the time to patch and help your users stay safe!

Stay safe out there, and don’t let redirects send you astray.

*Exclusive to this post. You can share this with your IT and security teams to help them spot and remediate this issue before it’s abused.*

Timeline

Published on: 10/25/2022 17:15:00 UTC
Last modified on: 10/31/2022 13:46:00 UTC