Bug 2272339 (CVE-2024-5037) - CVE-2024-5037 openshift/telemeter: iss check during JWT authentication can be bypassed
Summary: CVE-2024-5037 openshift/telemeter: iss check during JWT authentication can be...
Keywords:
Status: NEW
Alias: CVE-2024-5037
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2272338
TreeView+ depends on / blocked
 
Reported: 2024-03-31 00:33 UTC by Robb Gatica
Modified: 2024-06-05 17:52 UTC (History)
9 users (show)

Fixed In Version:
Doc Type: ---
Doc Text:
A flaw was found in OpenShift's Telemeter. If certain conditions are in place, an attacker can use a forged token to bypass the issue ("iss") check during JSON web token (JWT) authentication.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description Robb Gatica 2024-03-31 00:33:22 UTC 
Description:
When verifying the iss field, telemeter uses `strings.Split(tokenData, ".")` to extract the payload, which means that the user should submit a Compact type JWS Token. However, go-jose's `jwt.ParseSigned(tokenData)` also supports authenticating JWS Token of JSON type. That means if the attacker submits a Token like:

```
{
"fakeiss":".eyJpc3MiOiJhY2NvdW50cy5nb29nbGUuY29tIn0.",
"protected":"",
"header":"",
"payload":"",
"signature":""
}
```

The attacker can forge a token issued by Google to pass the verification(for example). If two server use the same pair of key, the attacker can use the token from the first server to deceive the second server, and cause the privilege escape. The original reporter has raised this issue to Kubernetes, and they have fixed this problem: https://github.com/kubernetes/kubernetes/pull/123540

---

https://github.com/openshift/telemeter
Version: 4.17
Related Code: https://github.com/openshift/telemeter/blob/a9417a6062c3a31ed78c06ea3a0613a52f2029b2/pkg/authorize/jwt/client_authorizer.go#L78
Note You need to log in before you can comment on or make changes to this bug.