CVE-2023-6787: Keycloak Session Hijacking Exploit due to Flaw in Re-Authentication Mechanism
A recently discovered vulnerability, assigned CVE-2023-6787, affects Keycloak, a popular open-source identity and access management solution. This security flaw has significant implications, as it allows an attacker to hijack an active Keycloak session by exploiting a weakness in the re-authentication mechanism within the org.keycloak.authentication package.
In this post, we'll delve into the details of this exploit, discuss what systems are affected, and provide the necessary information to mitigate the risk posed by this vulnerability. We'll also explore some code snippets and provide links to the original references for a more in-depth understanding of the issue.
Vulnerability Details
The vulnerability stems from an error in Keycloak's re-authentication mechanism. When a user attempts to access a secured resource, the application may require the user to re-authenticate using the query parameter prompt=login. This can be achieved by appending the following query parameter to a Keycloak URL:
?prompt=login
If a user cancels the re-authentication prompt by selecting "Restart login", a new session is created with a different Subject Identifier (SUB). However, this new session has the same Session Identifier (SID) as the previous session, allowing an attacker to take over the user's account.
The following code snippet demonstrates the affected functionality in the org.keycloak.authentication package:
public class ReAuthenticationMechanism {
public AuthenticationSessionModel createAuthenticationSession(ClientModel client, String prompt) {
if (prompt != null && prompt.equals("login")) {
// Create new session with different SUB, but same SID as the previous one
AuthenticationSessionModel newSession = session.sessions().createAuthenticationSession(realm, client);
newSession.setAuthMethod(AuthenticationSessionModel.AuthMethod.OIDC);
newSession.setAction(AuthenticationSessionModel.Action.AUTHENTICATE);
return newSession;
} else {
// Perform normal action
}
}
}
Affected Systems
Keycloak installations that utilize the org.keycloak.authentication package are affected by this vulnerability. Note that the flaw may exist in other Keycloak modules or third-party libraries as well, depending on how they handle the re-authentication.
To protect against this vulnerability, Keycloak administrators can apply the following steps
1. Validate the data from prompt=login requests and ensure that only trusted sources can invoke re-authentication. This can be implemented using Web Application Firewalls (WAFs) or other security tools.
2. Implement proper session management by following best practices, such as regularly rotating session IDs, using secure cookies, and enforcing strong authentication mechanisms.
3. Keep the Keycloak software up-to-date and apply the necessary patches and fixes provided by the Keycloak development team.
For more details about this vulnerability, the following resources are available
1. Keycloak GitHub Repository
2. Keycloak Official Documentation
3. Keycloak Security Advisories
Conclusion
CVE-2023-6787 exposes a serious security flaw in Keycloak's re-authentication mechanism. By understanding and addressing this issue, organizations can better protect their users and systems from potential session hijacking and account takeover attacks. Keep your Keycloak instances updated and follow the recommended best practices to ensure a secure and robust identity and access management solution.
Timeline
Published on: 04/25/2024 16:15:10 UTC
Last modified on: 04/25/2024 17:24:59 UTC