#VU101829 Improper authentication in Apache Kafka - CVE-2024-56128

Vulnerability identifier: #VU101829

Vulnerability risk: Medium

CVSSv4.0: 6.9 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-56128

CWE-ID: CWE-287

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Apache Kafka
Client/Desktop applications / Messaging software

Vendor: Apache Foundation

Description

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to an error in Salted Challenge Response Authentication Mechanism (SCRAM) implementation. The application does not verify that the nonce sent by the client in the second message matches the nonce sent by the server in its first message. A remote attacker with access to plain text SCRAM authentication exchange can bypass forge the second once and gain unauthorized access to the application.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Apache Kafka: 0.10.2.0 - 0.10.2.2, 0.11.0.0 - 0.11.0.3, 1.0.0 - 1.0.2, 1.1.0 - 1.1.1, 2.0.0 - 2.0.1, 2.1.0 - 2.1.1, 2.2.0 - 2.2.2, 2.3.0 - 2.3.1, 2.4.0 - 2.4.1, 2.5.0 - 2.5.1, 2.6.0 - 2.6.3, 2.7.0 - 2.7.2, 2.8.0 - 2.8.2, 3.0.0 - 3.0.2, 3.1.0 - 3.1.2, 3.2.0 - 3.2.3, 3.3.0, 3.3.1, 3.3.2, 3.4.0, 3.4.1, 3.5.0 - 3.5.2, 3.6.0 - 3.6.2, 3.7.0 - 3.7.1, 3.8.0

---

External links
https://lists.apache.org/thread/lgf0cys1zr7hqgkx58vn28p0frsmom2b
https://github.com/advisories/GHSA-p7c9-8xx8-h74f

---

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.