SB2023062807 - Multiple vulnerabilities in Keycloak
Published: June 28, 2023 Updated: June 28, 2023
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 secuirty vulnerabilities.
1) Improper Certificate Validation (CVE-ID: CVE-2023-1664)
The vulnerability allows a remote attacker to bypass client certificate validation.
The vulnerability exists due to improper certificate validation when using X509 Client Certificate Authenticatior with the option "Revalidate Client Certificate". A remote attacker with ability to directly connect to Keycloak (e.g. not via the reverse proxy) can bypass certificate validation and gain unauthorized access to the application.
Successful exploitation of the vulnerability requires that there's a configuration error in KC_SPI_TRUSTSTORE_FILE_FILE, which results in accepting any certificate with the logging information of "Cannot validate client certificate trust: Truststore not available".
2) Authentication Bypass by Spoofing (CVE-ID: CVE-2023-2585)
The vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to an error within the Keycloak Device Authorisation Grant. A remote attacker can spoof parts of the device flow and use a device_code to retrieve an access token for other OAuth clients.
3) Cross-site scripting (CVE-ID: CVE-2022-4361)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists in the SAML or OIDC providers in Keycloak due to insufficient sanitization of user-supplied data passed via the AssertionConsumerServiceURL value or the redirect_uri. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
4) Improper certificate validation (CVE-ID: CVE-2023-2422)
The vulnerability allows a remote user to bypass authorization process.
The vulnerability exists due to improper certificate validation chain when a Keycloak server is configured to support mTLS authentication for OAuth/OpenID clients. A remote user that possesses a proper certificate can authorize itself as any other client and therefore access data that belongs to other clients.
Remediation
Cybersecurity Help is not aware of any official remediation provided by the vendor.
References
- https://bugzilla.redhat.com/show_bug.cgi?id=2182196
- https://github.com/keycloak/keycloak/security/advisories/GHSA-5cc8-pgp5-7mpm
- https://github.com/keycloak/keycloak/security/advisories/GHSA-f5h4-wmp5-xhg6
- https://access.redhat.com/errata/RHSA-2023:3892
- https://github.com/keycloak/keycloak/security/advisories/GHSA-3p62-6fjh-3p5h
- https://github.com/keycloak/keycloak/security/advisories/GHSA-3qh5-qqj2-c78f