Red Hat build of Keycloak / RHBK-3743

Vulnerability in brute force detection settings [GHI#30939]


      Before reporting an issue

      [X] I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

      Area

      authentication

      Describe the bug

      The following is a suspected vulnerability in the brute force detection settings in Keycloak version 24.0.1.

      Setting the brute force mode to "Lockout temporarily" and then setting the "wait increment" and "max wait" to too high a value breaks the lockout functionality.

      If you configure brute force detection with the following settings, the locking out of an account will not work.

      Brute force mode:               Lockout temporarily
      Max login failures:             3
      Wait increment:                 21900 days
      Max wait:                       21900 days
      Failure reset time:             15 minutes

      Quick login check milliseconds: 1000
      Minimum quick login wait:       1 minute

      After 3 failed login attempts the user should be locked out, but using the above settings prevents the account from being locked out.

      I suspect this may be an integer overflow issue. If days are converted to seconds, at 21900 days, the total seconds approaches the 32 bit signed integer max.

      Version

      24.0.1

      Regression

      [ ] The issue is a regression

      Expected behavior

      The frontend should not allow such a high value to be entered for "wait increment" and "max wait".
      The backend should reject such a high value being set.
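The following is an added example, not Keycloak's code, that models the reporter's hypothesis above (the lockout expiry is computed as 32-bit signed epoch seconds) with the reported settings, and shows the kind of bounds check the expected behavior asks the backend to perform. The escalation model (wait doubles every `max_failures` failures, capped at `max_wait`) and the reference timestamp are assumptions for illustration.

```python
# Added example (not Keycloak's own code): models the suspected int32 overflow
# in the "not before" lockout timestamp and a server-side bounds check.
INT32_MAX = 2**31 - 1
SECONDS_PER_DAY = 86_400
NOW = 1_710_000_000  # constructed epoch-seconds reference (roughly March 2024)


def to_int32(value: int) -> int:
    """Wrap an integer the way a 32-bit signed int (e.g. a Java int) would."""
    value &= 0xFFFFFFFF
    return value - 2**32 if value > INT32_MAX else value


def lockout_not_before(now: int, failures: int, max_failures: int,
                       wait_increment_s: int, max_wait_s: int,
                       wrap32: bool = True) -> int:
    """Return the timestamp before which logins are refused.

    Assumed escalation model: the wait doubles each time failures reach
    another multiple of max_failures, capped at max_wait_s. With wrap32 the
    sum is truncated to int32, which is the reporter's suspected defect.
    """
    if failures < max_failures:
        return 0
    doublings = failures // max_failures - 1
    wait = min(wait_increment_s * (2 ** doublings), max_wait_s)
    not_before = now + wait
    return to_int32(not_before) if wrap32 else not_before


def is_locked(now: int, not_before: int) -> bool:
    """A wrapped (negative) not_before is always in the past: no lockout."""
    return now < not_before


def max_safe_wait_seconds(now: int) -> int:
    """Largest wait that keeps now + wait representable as int32."""
    return INT32_MAX - now


def validate_wait_setting(seconds: int, now: int = NOW) -> bool:
    """Backend check: reject waits that could overflow the int32 expiry."""
    return 0 < seconds <= max_safe_wait_seconds(now)


if __name__ == "__main__":
    huge = 21_900 * SECONDS_PER_DAY  # 1,892,160,000 s, the reported setting
    nb = lockout_not_before(NOW, 3, 3, huge, huge)
    print("not_before:", nb, "locked:", is_locked(NOW, nb))
    print("21900 days accepted by check:", validate_wait_setting(huge))
```

With the reported 21900-day values the wrapped expiry is negative, so the account is never considered locked, while the same computation in 64-bit arithmetic locks it as expected.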

      Actual behavior

      Same settings and outcome as described under "Describe the bug" above: after 3 failed login attempts the account is not locked out.

      How to Reproduce?

      Configure brute force detection with the settings listed under "Describe the bug" above and fail 3 login attempts.

      Anything else?

      No response

              Unassigned Unassigned
              pvlha Pavel Vlha
              Keycloak Core Clients