Bug 2301876 (CVE-2024-7318)

Summary: CVE-2024-7318 keycloak-core: One Time Passcode (OTP) is valid longer than expiration time
Product: [Other] Security Response
Reporter: Patrick Del Bello <pdelbell>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: CLOSED COMPLETED
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: aschwart, bihu, boliveir, chazlett, dpalmer, drichtar, jkoops, mposolda, mulliken, pdrozd, peholase, pjindal, pskopek, rmartinc, rowaters, security-response-team, ssilvert, sthorger, vmuzikar, wfink, zmiele
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in Keycloak. Expired OTP codes are still usable with FreeOTP when the OTP token period is set to 30 seconds (the default). Instead of expiring and being deemed unusable around 30 seconds in, the tokens remain valid for an additional 30 seconds, totaling 1 minute. A one-time passcode that is valid longer than its expiration time widens the window in which a malicious actor can abuse the system and compromise accounts. It also increases the attack surface because, at any given time, two OTPs are valid.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2024-10-31 13:24:52 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Deadline: 2024-09-09

Description Patrick Del Bello 2024-07-31 03:08:38 UTC
Expired OTP codes are still usable when using FreeOTP when the OTP token period is set to 30 seconds (default). It was found that instead of expiring and being unusable around 30 seconds in, the tokens actually are valid for an additional 30 seconds, to total 1 minute. In this case, this occurs with default OTP Policy settings of:
OTP Type: Time-based
OTP Hash Algorithm: SHA1
Number of digits: 6
Look around window: 1
OTP Token period: 30 seconds
Reusable Token: off
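Added illustration, not Keycloak's code and not part of the reporter's description: a minimal RFC 6238 TOTP validator (HMAC-SHA1, 6 digits, 30-second period, matching the policy listed above) with a configurable look-around window, plus helpers that measure how long a code keeps being accepted after it is displayed and how many already-displayed codes are accepted at the same moment. The secret and timestamps are constructed test values; the `TotpValidator` class, its `look_around`/`reusable` parameters and the replay check are hypothetical and do not describe Keycloak's implementation.

```python
import hashlib
import hmac
import struct
from typing import List, Optional

PERIOD = 30   # seconds per TOTP step ("OTP Token period: 30 seconds")
DIGITS = 6    # "Number of digits: 6"
SECRET = b"constructed-demo-secret-not-a-real-key"  # constructed test value, not a real key


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** DIGITS)).zfill(DIGITS)


def step_at(unix_time: int) -> int:
    """RFC 6238 time step for a Unix timestamp."""
    return unix_time // PERIOD


class TotpValidator:
    """Hypothetical server-side validator: accepts codes from the current step and
    `look_around` steps on either side; with reusable=False it also refuses any
    step at or before the last accepted one (replay protection)."""

    def __init__(self, secret: bytes, look_around: int = 1, reusable: bool = False):
        self.secret = secret
        self.look_around = look_around
        self.reusable = reusable
        self.last_accepted_step: Optional[int] = None

    def validate(self, token: str, now: int) -> bool:
        current = step_at(now)
        for step in range(current - self.look_around, current + self.look_around + 1):
            if hmac.compare_digest(hotp(self.secret, step), token):
                if (not self.reusable and self.last_accepted_step is not None
                        and step <= self.last_accepted_step):
                    return False  # same or older step already consumed: replay
                self.last_accepted_step = step
                return True
        return False


def usable_after_display_seconds(secret: bytes, look_around: int, issued_step: int) -> int:
    """Seconds, counted from the start of the step in which a code is shown to the
    user, during which a fresh validator (no replay state) still accepts it."""
    code = hotp(secret, issued_step)
    accepted_steps = 0
    for delta in range(0, look_around + 3):  # scan a few steps past the window
        fresh = TotpValidator(secret, look_around, reusable=True)
        if fresh.validate(code, (issued_step + delta) * PERIOD):
            accepted_steps += 1
    return accepted_steps * PERIOD


def displayed_codes_still_valid(secret: bytes, look_around: int, now: int) -> List[str]:
    """Codes already shown to the user (current step and earlier) that a fresh
    validator still accepts at `now`: the 'how many OTPs are valid at once' view."""
    current = step_at(now)
    valid = []
    for step in range(current - look_around - 2, current + 1):
        code = hotp(secret, step)
        if TotpValidator(secret, look_around, reusable=True).validate(code, now):
            valid.append(code)
    return valid


if __name__ == "__main__":
    now = 1000 * PERIOD + 5  # constructed timestamp, 5 s into step 1000
    for window in (0, 1):
        print(f"look-around {window}: a displayed code stays usable for "
              f"{usable_after_display_seconds(SECRET, window, 1000)} s; "
              f"{len(displayed_codes_still_valid(SECRET, window, now))} "
              f"already-displayed code(s) accepted at once")
    # Replay protection: the same code is refused once it has been consumed.
    v = TotpValidator(SECRET, look_around=1, reusable=False)
    code = hotp(SECRET, 1000)
    print("first use:", v.validate(code, 1000 * PERIOD),
          "second use 40 s later:", v.validate(code, 1000 * PERIOD + 40))
```

With a look-around of 0 a displayed code is accepted for 30 s and only one displayed code is valid at a time; with the default look-around of 1 the same code is accepted for 60 s and two already-displayed codes are valid at once, which is exactly the behaviour the report describes. The replay check is a separate, complementary control: it does not shorten the window, but it ensures a code that has already been consumed cannot be presented again within it.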

Comment 1 Bruno Oliveira 2024-07-31 14:52:14 UTC
Please add the steps to reproduce.

Comment 2 errata-xmlrpc 2024-09-09 16:05:29 UTC
This issue has been addressed in the following products:

  Red Hat build of Keycloak 24

Via RHSA-2024:6502 https://access.redhat.com/errata/RHSA-2024:6502

Comment 3 errata-xmlrpc 2024-09-09 16:05:50 UTC
This issue has been addressed in the following products:

  Red Hat build of Keycloak 22

Via RHSA-2024:6503 https://access.redhat.com/errata/RHSA-2024:6503

Comment 5 Red Hat Bugzilla 2025-03-01 04:25:03 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days