Bug 2319217 (CVE-2024-10039)

Summary: CVE-2024-10039 keycloak-core: mTLS passthrough
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: anstephe, aschwart, asoldano, ataylor, avibelli, bbaranow, bgeorges, bmaxwell, boliveir, brian.stansberry, chazlett, clement.escoffier, dandread, darran.lofthouse, dhanak, dkreling, dosoudil, drichtar, dsimansk, eric.wittmann, fmongiar, gmalinko, gsmet, ibek, istudens, ivassile, iweiss, janstey, jkoops, jmartisk, jnethert, jrokos, kingland, kverlaen, lthon, manderse, matzew, mnovotny, mosmerov, mposolda, msochure, msvehla, nipatil, nwallace, olubyans, pantinor, parichar, pdelbell, pdrozd, peholase, pesilva, pgallagh, pierdipi, pjindal, pmackay, probinso, pskopek, rguimara, rhuss, rkieley, rkubis, rmartinc, rowaters, rruss, rstancel, rstepani, rsvoboda, sausingh, sbiarozk, sdouglas, security-response-team, smaestri, ssilvert, sthorger, tasato, tom.jenkinson, tqvarnst, vmuzikar
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A vulnerability was found in Keycloak. Deployments of Keycloak with a reverse proxy not using pass-through termination of TLS, with mTLS enabled, are affected. This issue may allow an attacker on the local network to authenticate as any user or client that leverages mTLS as the authentication mechanism.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Deadline: 2024-11-21   

Description OSIDB Bzimport 2024-10-16 15:44:58 UTC 
Deployments of Keycloak with a reverse proxy not using pass-through
termination of TLS, with mTLS enabled, are affected by an issue where an
attacker on the local network can authenticate as any user or client that
leverages mTLS as the authentication mechanism.

Trusted proxies introduced in Keycloak 26 can mitigate this to some extent
by only accepting certificates from proxy headers if the request is coming
from the IP address of the proxy. However, this is a very weak form of authentication as IP addresses can in many cases be spoofed.

The attacker would need to have access to the local network, and in
addition gain access to the corresponding public certificates, which in
many cases is not the hardest thing to do, especially considering that we
are assuming an insider, or an attacker that has gained access to the local
network.

Additionally, Keycloak can further be configured to not only obtain
certificates through HTTP headers, but also to not validate the
certificates. If this option is enabled for a deployment the attacker does
not have to obtain the actual public certificate, and can simply generate a
random one with for example openssl with whatever subject they want.
Comment 2 errata-xmlrpc 2024-11-21 19:23:31 UTC 
This issue has been addressed in the following products:

  Red Hat build of Keycloak 24

Via RHSA-2024:10175 https://access.redhat.com/errata/RHSA-2024:10175
Comment 3 errata-xmlrpc 2024-11-21 19:23:50 UTC 
This issue has been addressed in the following products:

  Red Hat build of Keycloak 24.0.9

Via RHSA-2024:10176 https://access.redhat.com/errata/RHSA-2024:10176
Comment 4 errata-xmlrpc 2024-11-21 19:24:37 UTC 
This issue has been addressed in the following products:

  Red Hat build of Keycloak 26.0

Via RHSA-2024:10177 https://access.redhat.com/errata/RHSA-2024:10177
Comment 5 errata-xmlrpc 2024-11-21 19:24:48 UTC 
This issue has been addressed in the following products:

  Red Hat build of Keycloak 26.0.6

Via RHSA-2024:10178 https://access.redhat.com/errata/RHSA-2024:10178
Comment 6 Chess Hazlett 2024-11-27 21:00:09 UTC 
commit: https://github.com/keycloak/keycloak/pull/35222/files