Bug 1922128 (CVE-2021-20202)

Summary: CVE-2021-20202 keycloak: Temporary Directory Hijacking Vulnerability in Keycloak
Product: [Other] Security Response Reporter: Paramvir jindal <pjindal>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aboyko, aileenc, akoufoud, alazarot, almorale, anstephe, avibelli, bgeorges, bibryam, chazlett, cmoulliard, dkreling, drieden, etirelli, ganandan, ggaughan, gmalinko, hbraun, ibek, ikanello, janstey, jochrist, jpallich, jstastny, jwon, krathod, kverlaen, lthon, mnovotny, mszynkie, pantinor, pdrozd, peholase, pgallagh, pjindal, rrajasek, rruss, rsynek, sdaley, security-response-team, sthorger
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: keycloak 13.0.0 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in keycloak. Directories can be created prior to the Java process creating them in the temporary directory, but with wider user permissions, allowing the attacker to have access to the contents that keycloak stores in this directory. The highest threat from this vulnerability is to data confidentiality and integrity.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-03-16 19:19:53 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1922126, 1939880    

Description Paramvir jindal 2021-01-29 10:17:07 UTC 
This particular vulnerability exists because on unix-like systems (not including MacOS) the system temporary directory is shared between all users.
As such, failure to correctly set file permissions and/or verify exclusive creation of directories can lead to either local information disclosure, or local file hijacking by another user.
 
In the worse case scenario, this can lead to a local privilege escalation vulnerability.

An attacker can create these directories before the java process creates them, but with wider user permissions. Since these directory names are not in any way random, the attacker can simply create these directories ahead of Keycloak. When this happens, the java process doesn't complain that the directories already exist, `mkdir` and `mkdirs` simply return false.

However, assuming that the java process is the first thing to create these directories, `mkdir` and `mkdirs` will only set the directory following the default umask (I believe); by default that means that these directories are created with the permissions `drwxr-xr-x`.
Thus allowing a malicious local user to read the contents of this temporary directory.
 
The safest protections are to switch to the `Files` API that allow you to exclusively set the file permissions when creating the directories. Or use the `Files` API's for creating temporary directories.

https://issues.redhat.com/browse/KEYCLOAK-17000
Comment 4 Paramvir jindal 2021-02-01 08:43:13 UTC 
Acknowledgments:

Name: Jonathan Leitschuh (twitter handler : JLLeitschuh)
Comment 5 Eric Christensen 2021-02-16 20:22:29 UTC 
Mitigation:

By switching to the `Files` API, you are allowed to exclusively set the file permissions when creating directories or creating temporary directories.
Comment 7 Product Security DevOps Team 2021-03-16 19:19:53 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-20202