CVE-2024-10039 Bypassing mTLS validation #35217

Closed
stianst opened this issue Nov 22, 2024 · 8 comments · Fixed by #35222
Labels
kind/bug Categorizes a PR related to a bug kind/cve Issues identified as CVEs on third-party dependencies, or issues which Keycloak is not affected release/26.0.6 release/26.1.0

Comments

@stianst
Contributor

stianst commented Nov 22, 2024

Description

A vulnerability was found in Keycloak. Deployments of Keycloak with a reverse proxy not using pass-through termination of TLS, with mTLS enabled, are affected. This issue may allow an attacker on the local network to authenticate as any user or client that leverages mTLS as the authentication mechanism.

@stianst stianst added kind/bug Categorizes a PR related to a bug kind/cve Issues identified as CVEs on third-party dependencies, or issues which Keycloak is not affected release/26.0.6 labels Nov 22, 2024
@stianst stianst closed this as completed Nov 22, 2024
vmuzikar added a commit to vmuzikar/keycloak that referenced this issue Nov 22, 2024
Closes keycloak#35217

Signed-off-by: Václav Muzikář <vmuzikar@redhat.com>
stianst pushed a commit that referenced this issue Nov 22, 2024
…35222)

Closes #35217

Signed-off-by: Václav Muzikář <vmuzikar@redhat.com>
@jonkoops
Contributor

This was an internally reported CVE, so there is no need to follow up with the reporter.

agagancarczyk pushed a commit to agagancarczyk/keycloak that referenced this issue Nov 28, 2024
@psytester
Contributor

With the release of 26.0.6 I thought at first: yeah, has my 1.5-year-old issue #17059 finally been solved in the docs?
No! It is still open. The issue here is a different part. :-(

If this issue gets a CVE for docs with only a missing security warning,
why not my topic, where I can send the public certificate of the victim in an mTLS setup?

@jonkoops
Contributor

jonkoops commented Dec 13, 2024

@psytester for reporting security issues please follow the instructions provided on our community page. These sorts of things should not be publicly disclosed.

@psytester
Contributor

psytester commented Dec 13, 2024

Sure! It's not that I would have skipped this step.

Last year, on 12 Jan 2023, I sent an e-mail to keycloak-security@googlegroups.com with the subject "X.509 login spoofing possible if Keycloak behind reverse proxy due to standard documentation".
I asked again on 25 Jan 2023

and got a reply from Pedro Igor Silva @ Redhat

On 25.01.2023 at 13:02, Pedro Igor Silva wrote:
Not sure if we have an issue here, but improvements to docs? If I understood correctly, that is your understanding too.

The main point here, I think, is that you won't expose the server directly but through a proxy.

We do not provide documentation for the different proxy implementations, and I don't think we can do it. However, we can certainly improve docs as you suggested and be more explicit about using a self-named header to resolve the client certificate and chain.

We do provide a trust store to validate certificates as per https://www.keycloak.org/server/keycloak-truststore. We can definitely improve here because the trust store can also be used to revalidate the certificate chain when executing mTLS authentication. We kinda have it mentioned here [1] but not so clear.

[1] https://www.keycloak.org/docs/latest/server_admin/index.html#_x509

That's why I opened the publicly visible issue #17059.
Not my fault.

@shawkins
Contributor

shawkins commented Dec 13, 2024 via email

@psytester
Contributor

The issue here is somehow related to mine, but it is not 100% the same, nor does it give clear advice.

"Make sure that the proxy overwrites the header that is configured in 'spi-x509cert-lookup-<provider>-ssl-client-cert' option." ---> points indirectly to the same topic of injecting a header.

#35861 is about the trusted proxy. My setup has one proxy in front; this is the trusted one and only.

#35858 seems to be about mTLS between the proxy and Keycloak, not my setup with mTLS between the external end user and the proxy.

Did you read my blog post given in #17059 about tech details?
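As an added illustration of the documentation sentence quoted in the comment above (this is not code from Keycloak, from any proxy project, or from the thread participants), the following Python model contrasts a proxy that merely adds the client-certificate header when mTLS was negotiated with one that owns the header on every request. The header name `ssl-client-cert`, the hostname and the PEM strings are constructed for the example; the real header name is whatever `spi-x509cert-lookup-<provider>-ssl-client-cert` is configured to.

```python
"""Toy model of a TLS-terminating reverse proxy in front of Keycloak.

Constructed example, not Keycloak or any proxy's code. It assumes Keycloak
has been configured to read the client certificate from an HTTP header named
``ssl-client-cert`` (the header selected by the
``spi-x509cert-lookup-<provider>-ssl-client-cert`` option mentioned in the
thread). The point demonstrated: the header must be set or removed by the
proxy on every request, never merely added when a certificate is present.
"""
from dataclasses import dataclass
from typing import Dict, Optional

CERT_HEADER = "ssl-client-cert"  # header name Keycloak's lookup provider reads (assumed)

# Constructed placeholder PEM strings; not real certificates.
REAL_CERT = "-----BEGIN CERTIFICATE-----\nPROXY-VERIFIED\n-----END CERTIFICATE-----"
FORGED_CERT = "-----BEGIN CERTIFICATE-----\nCLIENT-SUPPLIED\n-----END CERTIFICATE-----"


@dataclass
class Request:
    headers: Dict[str, str]           # headers exactly as sent by the HTTP client
    tls_client_cert: Optional[str]    # cert the proxy's own TLS layer verified, if any


def forward_passthrough(req: Request) -> Dict[str, str]:
    """Weak configuration: client headers are copied verbatim and the cert
    header is only added when mTLS was actually negotiated. A client that
    presented no certificate can therefore supply the header itself."""
    out = dict(req.headers)
    if req.tls_client_cert is not None:
        out[CERT_HEADER] = req.tls_client_cert
    return out


def forward_overwrite(req: Request) -> Dict[str, str]:
    """Hardened configuration: any client-supplied copy of the header (in any
    letter case) is dropped, and the proxy sets it only from its own TLS
    layer. Requests without a verified certificate reach Keycloak with no
    cert header at all."""
    out = {k: v for k, v in req.headers.items() if k.lower() != CERT_HEADER}
    if req.tls_client_cert is not None:
        out[CERT_HEADER] = req.tls_client_cert
    return out


def keycloak_lookup(headers: Dict[str, str]) -> Optional[str]:
    """Stand-in for the header lookup on the Keycloak side: HTTP header names
    are case-insensitive, so the first header matching the configured name
    (in arrival order) is taken as the client certificate."""
    for name, value in headers.items():
        if name.lower() == CERT_HEADER:
            return value
    return None


def demo() -> Dict[str, Optional[str]]:
    """Run both forwarding behaviours against the same two constructed requests."""
    # No mTLS on the connection, but the cert header is sent by the client anyway.
    no_tls_cert = Request(headers={"Host": "sso.example.test",
                                   "Ssl-Client-Cert": FORGED_CERT},
                          tls_client_cert=None)
    # Genuine mTLS, with the same client-supplied header also present
    # (a differently cased key models a duplicate header on the wire).
    with_tls_cert = Request(headers={"Host": "sso.example.test",
                                     "Ssl-Client-Cert": FORGED_CERT},
                            tls_client_cert=REAL_CERT)
    return {
        "passthrough/no_tls_cert": keycloak_lookup(forward_passthrough(no_tls_cert)),
        "overwrite/no_tls_cert": keycloak_lookup(forward_overwrite(no_tls_cert)),
        "passthrough/with_tls_cert": keycloak_lookup(forward_passthrough(with_tls_cert)),
        "overwrite/with_tls_cert": keycloak_lookup(forward_overwrite(with_tls_cert)),
    }


if __name__ == "__main__":
    for case, cert in demo().items():
        print(f"{case:28s} -> {cert!r}")
```

The two `no_tls_cert` rows are the ones the documentation sentence is about: with pass-through forwarding Keycloak sees a certificate the proxy never verified, with overwrite forwarding it sees none. The `passthrough/with_tls_cert` row shows a second reason to strip the header rather than just add it: with two copies present, which one Keycloak reads depends on header order, so even a genuine mTLS client's identity is not reliably the one used.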

@shawkins
Contributor

shawkins commented Dec 13, 2024 via email

psytester added a commit to psytester/keycloak that referenced this issue Dec 13, 2024
…e lookup

Closes keycloak#17059 according to follow-up discussion in keycloak#35217
with additional layer of security in configuration

Signed-off-by: psytester <psytester@quantentunnel.de>
@psytester
Contributor

OK.
PR #35907 is open; I hope it fits your common wording.


4 participants