Bug 2295777 (CVE-2024-6508)

Summary: CVE-2024-6508 openshift-console: OAuth2 insufficient state parameter entropy
Product: [Other] Security Response Reporter: ybuenos
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: asdas, bmontgom, dfreiber, dpaolell, drow, eparis, jburrell, jdelft, jupierce, lgarciaa, mbiarnes, nstielau, rkshirsa, security-response-team, sidsharm, sponnaga, talessio, vkumar, vlaad, ximhan, yuxzhu
Target Milestone: ---Keywords: Security
Target Release: ---Flags: rkshirsa: needinfo? (ybuenos)
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
An insufficient entropy vulnerability was found in the Openshift Console. In the authorization code type and implicit grant type, the OAuth2 protocol is vulnerable to a Cross-Site Request Forgery (CSRF) attack if the state parameter is used inefficiently. This flaw allows logging into the victim’s current application account using a third-party account without any restrictions.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description ybuenos 2024-07-04 11:31:01 UTC 
*Problem Summary*:
WebInspect has identified that the application under test using the OAuth2 protocol is using an insufficient entropy in the state parameter value in the workflow. This introduces a CSRF vulnerability in the context of the 
OAuth process, and gives the ability to login to the victim’s current application account using a third-party account without any restrictions.
In authorization code type and implicit grant type, the OAuth protocol is vulnerable to a CSRF attack if the state parameter is used inefficiently.
An attacker can perform a normal OAuth2 process and get the redirection URL that contains the authorization code of the third-party. The attacker can bind his account to victim’s account for the vulnerable application by enticing a victim to access this URL.
If the state parameter is set in the redirection URL but without sufficient entropy, then an attacker can predict the user’s state parameter and forge reliable a redirection URL to induce the victim to access and implement CSRF attack.
In this case WebInspect detetced that the session is using OAuth2 and insert an state parameter in the query variables: 5189522f as CSRF token. However, the WebInspect has found that the value of state parameter maybe guessable to be predicted. The attacker could predict the next token of the user and then get it exploited.

*Steps to reproduce*:

   - Initiate the OAuth2 binding process
   - Extract the state parameter value in the redirection URL to the authorization server
   - Repeat the previous steps again and get a new state parameter value 
   - Try to analyze the order between two state parameters and predict the victim’s state parameter value
   - Finished logging into authorization server
   - The authorization server attempts to redirect the user to the client application, do not follow the redirection
   - Modify the state parameter value with a predicted value to which the victim might be assigned.
   - Send the redirection URL with the predicted state parameter value to the victim who is now in login status of the client application
   - Note if the victim’s client application account is bound to the attacker’s third-party account.


*Implication*:
The attacker can gain access to other user’s accounts and access sensitive information of the profile, or perform arbitrary actions using the victim’s account.

*Suggestions*:
Improve the entropy of state parameter value.
Comment 3 errata-xmlrpc 2024-10-16 02:40:35 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.17

Via RHSA-2024:7922 https://access.redhat.com/errata/RHSA-2024:7922
Comment 4 errata-xmlrpc 2024-10-30 01:13:20 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2024:8415 https://access.redhat.com/errata/RHSA-2024:8415
Comment 5 errata-xmlrpc 2024-11-13 18:34:59 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:8991 https://access.redhat.com/errata/RHSA-2024:8991
Comment 6 errata-xmlrpc 2024-11-20 04:18:14 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:9620 https://access.redhat.com/errata/RHSA-2024:9620
Comment 7 errata-xmlrpc 2024-12-12 02:08:14 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:10813 https://access.redhat.com/errata/RHSA-2024:10813
Comment 8 errata-xmlrpc 2025-01-09 02:15:55 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2025:0014 https://access.redhat.com/errata/RHSA-2025:0014