2071036 – (CVE-2022-1245) CVE-2022-1245 keycloak: Privilege escalation vulnerability on Token Exchange

Bug 2071036 (CVE-2022-1245) - CVE-2022-1245 keycloak: Privilege escalation vulnerability on Token Exchange

Summary: CVE-2022-1245 keycloak: Privilege escalation vulnerability on Token Exchange

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2022-1245
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	2071057 2072214
TreeView+	depends on / blocked

Reported:	2022-04-01 16:23 UTC by mulliken
Modified:	2023-07-11 10:51 UTC (History)
CC List:	10 users (show)
Fixed In Version:	keycloak 18.0.0
Doc Type:	If docs needed, set a value
Doc Text:	A privilege escalation flaw was found in the token exchange feature of keycloak. Missing authorization allows a client application holding a valid access token to exchange tokens for any target client by passing the client_id of the target. This could allow a client to gain unauthorized access to additional services.
Clone Of:
Environment:
Last Closed:	2022-05-04 19:15:26 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2022:1709	None	None	None	2022-05-04 13:06:58 UTC
Red Hat Product Errata	RHSA-2022:1711	None	None	None	2022-05-04 13:25:48 UTC
Red Hat Product Errata	RHSA-2022:1712	None	None	None	2022-05-04 13:25:11 UTC
Red Hat Product Errata	RHSA-2022:1713	None	None	None	2022-05-04 14:31:21 UTC

Description mulliken 2022-04-01 16:23:27 UTC

Keycloak supports OAuth2 Token Exchange an OAuth2 specification that allows clients to exchange tokens for delegation and impersonation purposes.

In Keycloak, the support for token exchange is marked as a technology preview feature and disabled by default.

When the feature is enabled, any client application holding a valid access token is able to exchange tokens for any other target client by authenticating as the target client. This problem is especially problematic when the credentials used to authenticate to the token endpoint is for a public client because the authentication for these clients is solely based on the client_id (public information).

The vulnerability found allows a malicious client to exchange tokens for another client and then use the new token to access services that otherwise it should not have access.

The expected behavior should be that clients (regardless of public or confidential) should only be able to exchange tokens for themselves, and using a subject_token issued to another client should be prohibited if there is no permission granted.

To reproduce the issue:

    1. The preview feature token-exchange must be enabled. Given 1 user, 1
       public or secret client (client-third-party) in which an attacker has
       access to, and 1 public client (client-secure) in the same realm.
    2. Assume client-third-party is a restricted client and has no realm or
       resource access. The public client, client-secure, has access to an
       API secured with a resource access role.
    3. Authenticate as a user with the client-third-party client and store
       the user's access token
    4. Use the access token in a token exchange request. Specify
       client-secure as client_id, the user's access token as subject_token
       and do not add an audience parameter.
    5. The result of the token exchange will be an access token, and
       potentially a refresh token, with all access which only the
       client-secure should have access to.

Notice that in order to reproduce this, you do not have to configure
any permissions for the client. Neither do you have to enable the
admin fine grained permissions feature.

Comment 3 errata-xmlrpc 2022-05-04 13:06:55 UTC

This issue has been addressed in the following products:

  Red Hat Single Sign-On

Via RHSA-2022:1709 https://access.redhat.com/errata/RHSA-2022:1709

Comment 4 errata-xmlrpc 2022-05-04 13:25:08 UTC

This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.5 for RHEL 8

Via RHSA-2022:1712 https://access.redhat.com/errata/RHSA-2022:1712

Comment 5 errata-xmlrpc 2022-05-04 13:25:46 UTC

This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.5 for RHEL 7

Via RHSA-2022:1711 https://access.redhat.com/errata/RHSA-2022:1711

Comment 6 errata-xmlrpc 2022-05-04 14:31:18 UTC

This issue has been addressed in the following products:

  RHEL-8 based Middleware Containers

Via RHSA-2022:1713 https://access.redhat.com/errata/RHSA-2022:1713

Comment 7 Product Security DevOps Team 2022-05-04 19:15:24 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-1245

Note You need to log in before you can comment on or make changes to this bug.