Bug 2292200 (CVE-2024-5967)

Summary: CVE-2024-5967 keycloak: Leak of configured LDAP bind credentials through the Keycloak admin console
Product: [Other] Security Response Reporter: Patrick Del Bello <pdelbell>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: boliveir, chazlett, drichtar, jkoops, mulliken, pdrozd, peholase, pjindal, pskopek, rmartinc, rowaters, sthorger
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A vulnerability was found in Keycloak. The LDAP testing endpoint allows changing the Connection URL  independently without re-entering the currently configured LDAP bind credentials. This flaw allows an attacker with admin access (permission manage-realm) to change the LDAP host URL ("Connection URL") to a machine they control. The Keycloak server will connect to the attacker's host and try to authenticate with the configured credentials, thus leaking them to the attacker. As a consequence, an attacker who has compromised the admin console or compromised a user with sufficient privileges can leak domain credentials and attack the domain.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2292199    

Description Patrick Del Bello 2024-06-13 12:37:29 UTC 
The LDAP testing endpoint allows to change the Connection URL  independently of and without having to re-enter the currently configured LDAP bind credentials. An attacker with admin access (permission manage-realm) can change the LDAP host URL ("Connection URL") to a machine they control. The Keycloak server will connect to the attacker's host and try to authenticate with the configured credentials, thus leaking them to the attacker.
As a consequence, an attacker who has compromised the admin console/compromised a user with sufficient privileges can leak domain credentials and can now attack the domain.

This requires: Access to the REST endpoint and the admin user needed with manage-realm permission (full access to LDAP configuration and all identity providers).

Version affected: <= 24.0.5
Comment 3 errata-xmlrpc 2024-09-09 15:58:19 UTC 
This issue has been addressed in the following products:

  Red Hat Single Sign-On

Via RHSA-2024:6499 https://access.redhat.com/errata/RHSA-2024:6499
Comment 4 errata-xmlrpc 2024-09-09 15:58:41 UTC 
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 7

Via RHSA-2024:6493 https://access.redhat.com/errata/RHSA-2024:6493
Comment 5 errata-xmlrpc 2024-09-09 16:00:14 UTC 
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 8

Via RHSA-2024:6494 https://access.redhat.com/errata/RHSA-2024:6494
Comment 6 errata-xmlrpc 2024-09-09 16:02:02 UTC 
This issue has been addressed in the following products:

  Red Hat build of Keycloak 22

Via RHSA-2024:6501 https://access.redhat.com/errata/RHSA-2024:6501
Comment 7 errata-xmlrpc 2024-09-09 16:06:00 UTC 
This issue has been addressed in the following products:

  Red Hat build of Keycloak 22

Via RHSA-2024:6500 https://access.redhat.com/errata/RHSA-2024:6500
Comment 8 errata-xmlrpc 2024-09-09 16:07:48 UTC 
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 9

Via RHSA-2024:6495 https://access.redhat.com/errata/RHSA-2024:6495
Comment 9 errata-xmlrpc 2024-09-09 16:12:24 UTC 
This issue has been addressed in the following products:

  RHEL-8 based Middleware Containers

Via RHSA-2024:6497 https://access.redhat.com/errata/RHSA-2024:6497