CVE-2024-4540: Information Disclosure Vulnerability in Keycloak OAuth 2.0 Pushed Authorization Requests (PAR)

In this post, we discuss a vulnerability recently discovered in Keycloak, a popular open-source Identity and Access Management solution. The vulnerability, designated CVE-2024-4540, is an information disclosure issue in the OAuth 2.0 Pushed Authorization Requests (PAR) implementation. We explain the technical details of the vulnerability, provide a request example to demonstrate the issue, link to the original references, and discuss possible exploit scenarios.

Background

Keycloak, an open-source project by Red Hat, is widely used to secure modern applications and services. It provides authentication and authorization services for applications, APIs, services, and other resources, and supports standard protocols such as OAuth 2.0, OpenID Connect, and SAML.

Description of the Vulnerability

The vulnerability (CVE-2024-4540) exists in Keycloak's implementation of the OAuth 2.0 Pushed Authorization Requests (PAR) feature. PAR allows a client to push its authorization request parameters to the authorization server over a back channel and then reference them with a request_uri. The client-provided parameters are included in plain text in the KC_RESTART cookie returned in the authorization server's HTTP response to a request_uri authorization request, which leads to an information disclosure vulnerability: anyone who can read that cookie may obtain parameters that should have been protected.

The following HTTP request shows an example of a request_uri authorization request affected by this issue:

POST /auth/realms/demo-realm/protocol/openid-connect/pushed_authorization_request
Content-Type: application/x-www-form-urlencoded
Authorization: Basic czZCaGRSa3FMzo3RmpmcDBaQnIxS3REUmJuZ

request_uri=https%3A%2F%2Fclient.example.com%2Fcb&grant_type=authorization_code&client_id=Science%20Grotto&client_secret=YHVhbmJPgjiBdlkMPLOzj&scope=example-scope&response_type=code

In this example, the parameters client_id, client_secret, and others are sent in plain text; when they are echoed back in the KC_RESTART cookie, they may be intercepted by unauthorized parties.

The vulnerability was originally reported in the Keycloak issue tracker:

- KEYCLOAK-19030: Client provided parameters included in plain text in the KC_RESTART cookie

Exploit Details

An attacker can exploit this vulnerability by intercepting the HTTP communication between the client and the authorization server, for example through a man-in-the-middle position or packet sniffing, and capturing the sensitive information transmitted in plain text.

When successful, the attacker can gain access to sensitive client information, such as the client_id and client_secret, which can potentially lead to unauthorized access to resources protected by Keycloak.

To mitigate this vulnerability, update Keycloak to the latest version, which contains a fix for this issue. You can download the latest release of Keycloak from the official website:

- Keycloak Downloads

Additionally, ensure that all communication between clients and the authorization server is encrypted with a proper TLS configuration, so that cookies and request parameters cannot be intercepted in transit.
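As an added illustration (not code from the original post or from the Keycloak project), the following Python script shows how a defender can check a captured authorization-endpoint HTTP response for the condition described above: a KC_RESTART cookie whose value can be decoded into JSON that carries client-provided parameters, and a cookie missing the Secure or HttpOnly attributes. The two sample responses, the parameter list, and the JWS-shaped cookie layout are constructed assumptions for the example, not Keycloak's actual cookie format.

```python
from __future__ import annotations

import base64
import json

# Client-provided authorization parameters that should never be readable
# from a cookie handed to the browser. Assumed list for illustration.
SENSITIVE_PARAMS = frozenset(
    {"client_id", "client_secret", "scope", "redirect_uri", "state", "nonce", "code_challenge"}
)


def _b64url_decode(segment: str) -> bytes:
    """base64url-decode a segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_cookie_payload(value: str) -> dict | None:
    """Recover a JSON object from a cookie value if one is readable.

    Handles a bare base64url JSON blob or a JWS-shaped 'header.payload.sig'
    token (payload segment decoded). Returns None when nothing readable comes
    out, which is what an opaque or encrypted cookie value should look like.
    """
    segments = value.split(".")
    candidate = segments[1] if len(segments) == 3 else segments[0]
    try:
        obj = json.loads(_b64url_decode(candidate).decode("utf-8"))
    except ValueError:  # bad base64, bad UTF-8, or not JSON
        return None
    return obj if isinstance(obj, dict) else None


def _collect_keys(obj) -> set[str]:
    """All dictionary keys in a nested JSON structure."""
    keys: set[str] = set()
    if isinstance(obj, dict):
        for k, v in obj.items():
            keys.add(k)
            keys |= _collect_keys(v)
    elif isinstance(obj, list):
        for item in obj:
            keys |= _collect_keys(item)
    return keys


def parse_set_cookies(raw_response: bytes) -> list[tuple[str, str, set[str]]]:
    """Return (name, value, lower-cased attribute names) per Set-Cookie header."""
    head, _, _body = raw_response.partition(b"\r\n\r\n")
    cookies = []
    for line in head.decode("latin-1").split("\r\n")[1:]:  # skip the status line
        field, _, raw = line.partition(":")
        if field.strip().lower() != "set-cookie":
            continue
        first, *attrs = [part.strip() for part in raw.split(";")]
        name, _, value = first.partition("=")
        attr_names = {a.split("=", 1)[0].lower() for a in attrs if a}
        cookies.append((name, value, attr_names))
    return cookies


def audit_restart_cookie(raw_response: bytes, cookie_name: str = "KC_RESTART") -> dict:
    """Flag readable client parameters and missing hardening attributes on the cookie."""
    result = {"present": False, "exposed_params": [], "missing_attrs": []}
    for name, value, attrs in parse_set_cookies(raw_response):
        if name != cookie_name:
            continue
        result["present"] = True
        result["missing_attrs"] = [a for a in ("secure", "httponly") if a not in attrs]
        payload = decode_cookie_payload(value)
        if payload is not None:
            result["exposed_params"] = sorted(SENSITIVE_PARAMS & _collect_keys(payload))
    return result


# --- Constructed samples (not real Keycloak captures) ---------------------------
_HEADER = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
_LEAKY_PAYLOAD = _b64url_encode(json.dumps({
    "cid": "science-grotto",
    "notes": {  # client-provided parameters copied verbatim into the cookie
        "client_id": "science-grotto",
        "scope": "example-scope",
        "state": "xyz-123",
        "redirect_uri": "https://client.example.com/cb",
    },
}).encode())
_FAKE_SIG = _b64url_encode(b"not-a-real-signature")

# Vulnerable shape: readable parameters in the cookie value and no Secure flag.
VULNERABLE_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: https://idp.example.com/realms/demo-realm/login-actions/authenticate\r\n"
    b"Set-Cookie: KC_RESTART=" + f"{_HEADER}.{_LEAKY_PAYLOAD}.{_FAKE_SIG}".encode()
    + b"; Path=/realms/demo-realm/; HttpOnly\r\n"
    b"\r\n"
)

# Hardened shape: opaque cookie value, with Secure, HttpOnly and SameSite set.
HARDENED_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: https://idp.example.com/realms/demo-realm/login-actions/authenticate\r\n"
    b"Set-Cookie: KC_RESTART=3fa85f64-5717-4562-b3fc-2c963f66afa6; "
    b"Path=/realms/demo-realm/; Secure; HttpOnly; SameSite=None\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for label, resp in (("vulnerable", VULNERABLE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_restart_cookie(resp))
```

Run against a response captured from a test realm (for example with a proxy or curl -i) to confirm that, after upgrading, the KC_RESTART value is no longer decodable into client parameters and that the cookie carries the Secure and HttpOnly attributes.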

Conclusion

CVE-2024-4540 is an information disclosure vulnerability in Keycloak's OAuth 2.0 Pushed Authorization Requests (PAR) implementation. Updating to the latest version of Keycloak and ensuring proper configuration and encryption of communications mitigates it. Staying informed about security vulnerabilities and updates is an essential part of securing applications and services that depend on Keycloak for authentication and authorization.

Timeline

Published on: 06/03/2024 16:15:08 UTC
Last modified on: 08/02/2024 16:13:00 UTC