Keycloak deployments that sit behind a reverse proxy which terminates TLS (rather than passing the TLS connection through to Keycloak) and that have mTLS enabled are affected by an issue where an attacker on the local network can authenticate as any user or client that uses mTLS as its authentication mechanism. Trusted proxies, introduced in Keycloak 26, mitigate this to some extent by accepting certificates from proxy headers only when the request comes from the proxy's IP address. However, this is a very weak form of authentication, since IP addresses can in many cases be spoofed. The attacker needs access to the local network and must also obtain the corresponding public certificates, which is often not hard, especially since the scenario already assumes an insider or an attacker who has gained access to the local network. Additionally, Keycloak can be configured not only to obtain certificates through HTTP headers but also to skip validating those certificates. If that option is enabled, the attacker does not even need the real public certificate and can simply generate an arbitrary one, for example with openssl, with whatever subject they want.
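As an added example (not part of this advisory or of Keycloak's own code), a small Python audit that parses a keycloak.conf and flags the weak combination described above: a header-based certificate lookup provider, no trusted proxy addresses, and certificate verification delegated to the proxy. The option names spi-x509cert-lookup-provider, spi-x509cert-lookup-<provider>-trust-proxy-verification and proxy-trusted-addresses, and both sample configurations, are assumptions constructed for this example; check them against the documentation for your Keycloak version.

```python
# Constructed sample keycloak.conf: certificates are read from the proxy's
# headers, Keycloak skips its own validation, and no trusted proxy is set.
WEAK_CONF = """
proxy-headers=xforwarded
spi-x509cert-lookup-provider=nginx
spi-x509cert-lookup-nginx-ssl-client-cert=ssl-client-cert
spi-x509cert-lookup-nginx-trust-proxy-verification=true
"""

# Same deployment after limiting which proxy may set the header and letting
# Keycloak validate the certificate again (still header-based, so still flagged).
HARDENED_CONF = """
proxy-headers=xforwarded
proxy-trusted-addresses=10.0.0.5/32
spi-x509cert-lookup-provider=nginx
spi-x509cert-lookup-nginx-ssl-client-cert=ssl-client-cert
spi-x509cert-lookup-nginx-trust-proxy-verification=false
"""

# Lookup providers that take the client certificate from an HTTP header
# instead of from Keycloak's own TLS handshake (provider names are assumptions).
HEADER_PROVIDERS = {"nginx", "haproxy", "apache"}


def parse_conf(text):
    """Parse key=value lines of a keycloak.conf, ignoring blanks and comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def audit(conf):
    """Return findings describing why header-based mTLS is risky in this config."""
    findings = []
    provider = conf.get("spi-x509cert-lookup-provider", "default")
    if provider not in HEADER_PROVIDERS:
        return findings  # certificate comes from the TLS handshake; not affected
    findings.append(f"client certificate is read from HTTP headers (provider={provider})")
    trusted = [a.strip() for a in conf.get("proxy-trusted-addresses", "").split(",") if a.strip()]
    if not trusted:
        findings.append("no proxy-trusted-addresses: any host that can reach Keycloak may set the header")
    verify_key = f"spi-x509cert-lookup-{provider}-trust-proxy-verification"
    if conf.get(verify_key, "false").lower() == "true":
        findings.append("trust-proxy-verification=true: Keycloak does not validate the forwarded certificate")
    return findings
```

Even the hardened configuration still produces one finding, because IP-based proxy trust remains weak; the only configuration that clears the audit is one where Keycloak obtains the certificate from its own TLS handshake.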
This issue has been addressed in the following products: Red Hat build of Keycloak 24 Via RHSA-2024:10175 https://access.redhat.com/errata/RHSA-2024:10175
This issue has been addressed in the following products: Red Hat build of Keycloak 24.0.9 Via RHSA-2024:10176 https://access.redhat.com/errata/RHSA-2024:10176
This issue has been addressed in the following products: Red Hat build of Keycloak 26.0 Via RHSA-2024:10177 https://access.redhat.com/errata/RHSA-2024:10177
This issue has been addressed in the following products: Red Hat build of Keycloak 26.0.6 Via RHSA-2024:10178 https://access.redhat.com/errata/RHSA-2024:10178
commit: https://github.com/keycloak/keycloak/pull/35222/files