#VU77752 Improper Certificate Validation in Keycloak - CVE-2023-1664


| Updated: 2023-06-28

Vulnerability identifier: #VU77752

Vulnerability risk: Medium

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2023-1664

CWE-ID: CWE-295

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Keycloak
Server applications / Directory software, identity management

Vendor: Keycloak

Description

The vulnerability allows a remote attacker to bypass client certificate validation.

The vulnerability exists due to improper certificate validation when using X509 Client Certificate Authenticatior with the option "Revalidate Client Certificate". A remote attacker with ability to directly connect to Keycloak (e.g. not via the reverse proxy) can bypass certificate validation and gain unauthorized access to the application.

Successful exploitation of the vulnerability requires that there's a configuration error in KC_SPI_TRUSTSTORE_FILE_FILE, which results in accepting any certificate with the logging information of "Cannot validate client certificate trust: Truststore not available".

Mitigation
Install update from vendor's website.

Vulnerable software versions

Keycloak: 10.0.0 - 19.0.3, 20.0.0 - 21.1.1


External links
https://bugzilla.redhat.com/show_bug.cgi?id=2182196
https://github.com/keycloak/keycloak/security/advisories/GHSA-5cc8-pgp5-7mpm


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability