Improper authentication in Apache Kafka SCRAM implementation

1) Improper authentication

EUVDB-ID: #VU101829

Risk: Medium

CVSSv4.0: 6.9 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-56128

CWE-ID: CWE-287 - Improper Authentication

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to an error in Salted Challenge Response Authentication Mechanism (SCRAM) implementation. The application does not verify that the nonce sent by the client in the second message matches the nonce sent by the server in its first message. A remote attacker with access to plain text SCRAM authentication exchange can bypass forge the second once and gain unauthorized access to the application.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Apache Kafka: 0.10.2.0 - 3.8.0

CPE2.3

• cpe:2.3:a:apache_foundation:apache_kafka:0.10.2.2:*:*:*:*:*:*:*
• cpe:2.3:a:apache_foundation:apache_kafka:0.11.0.3:*:*:*:*:*:*:*
• cpe:2.3:a:apache_foundation:apache_kafka:1.0.2:*:*:*:*:*:*:*
• cpe:2.3:a:apache_foundation:apache_kafka:1.1.1:*:*:*:*:*:*:*
• cpe:2.3:a:apache_foundation:apache_kafka:2.0.1:*:*:*:*:*:*:*
• cpe:2.3:a:apache_foundation:apache_kafka:2.1.1:*:*:*:*:*:*:*
• cpe:2.3:a:apache_foundation:apache_kafka:2.2.2:*:*:*:*:*:*:*
• cpe:2.3:a:apache_foundation:apache_kafka:2.3.1:*:*:*:*:*:*:*
• cpe:2.3:a:apache_foundation:apache_kafka:2.4.1:*:*:*:*:*:*:*
• cpe:2.3:a:apache_foundation:apache_kafka:2.5.1:*:*:*:*:*:*:*

External links

https://lists.apache.org/thread/lgf0cys1zr7hqgkx58vn28p0frsmom2b
https://github.com/advisories/GHSA-p7c9-8xx8-h74f

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.