Issue Type: Vulnerability
Resolution: Done
Priority: Major
Fix Version: RH-SSO-7.6.9
False
False
Red Hat
CVE-2024-10039
7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CWE-295
org.keycloak/keycloak-core
keycloak-core
False
Severity: Important
Security Tracking Issue
Do not make this issue public.
Flaw: mTLS passthrough
https://bugzilla.redhat.com/show_bug.cgi?id=2319217
Deployments of Keycloak with mTLS enabled behind a reverse proxy that
terminates TLS itself (rather than passing the TLS connection through to
Keycloak) are affected by an issue where an attacker on the local network
can authenticate as any user or client that uses mTLS as its authentication
mechanism. In such deployments the proxy hands Keycloak the client
certificate in an HTTP header, so a request that reaches Keycloak without
passing through the proxy can carry a header of the attacker's choosing.
The trusted proxies feature introduced in Keycloak 26 mitigates this to some
extent: certificates from proxy headers are accepted only if the request
comes from the proxy's IP address. This is a weak form of authentication,
however, since IP addresses can in many cases be spoofed.
The attacker needs access to the local network and, in addition, the public
certificate of the user or client to be impersonated; because the header
carries only the certificate, no proof of possession of the corresponding
private key is required. Obtaining a public certificate is often not
difficult, especially given that the attacker is assumed to be an insider or
to have already gained access to the local network.
Additionally, Keycloak can be configured not only to obtain certificates
from HTTP headers but also to skip validation of those certificates. When
that option is enabled, the attacker does not even need the real public
certificate: a freshly generated certificate, for example one made with
openssl, with whatever subject they want is sufficient.
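To make the trust decision concrete, the following is an added Go example; it is not Keycloak's code and not part of this issue. It models a proxy-header client certificate lookup and assumes a header named ssl-client-cert carrying the URL-encoded PEM certificate (as nginx's $ssl_client_escaped_cert does); the CA, the two certificates for the subject "alice", the proxy address 10.0.0.5 and the attacker address 10.0.0.77 are constructed for the example. It plays out the configurations described above by sending the header directly from the attacker's host: with the header accepted from any source and no validation, a self-signed certificate with the victim's subject is accepted; with chain validation, the forgery is rejected but the victim's real public certificate is still accepted, since the header carries no proof of possession of the private key; with the header accepted only from the proxy's address, the request is rejected before the certificate is even parsed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net/http"
	"net/netip"
	"net/url"
	"time"
)

const certHeader = "ssl-client-cert" // assumed header name; nginx can forward $ssl_client_escaped_cert (URL-encoded PEM) in it

type Lookup struct { // models a proxy-header X.509 client certificate lookup (illustrative, not Keycloak's code)
	TrustedProxies []netip.Prefix // source addresses allowed to supply the header
	Roots          *x509.CertPool // CA(s) that must have issued the client certificate
	Validate       bool           // false reproduces the "do not validate certificates" setting
}

// ClientCert returns the certificate the header carries, or an error if it must not be trusted.
func (l Lookup) ClientCert(r *http.Request) (*x509.Certificate, error) {
	src, _ := netip.ParseAddrPort(r.RemoteAddr) // unparseable address -> zero Addr, which no prefix contains
	trusted := false
	for _, p := range l.TrustedProxies {
		trusted = trusted || p.Contains(src.Addr())
	}
	if !trusted {
		return nil, fmt.Errorf("certificate header from untrusted source %q", r.RemoteAddr)
	}
	raw, _ := url.PathUnescape(r.Header.Get(certHeader)) // undo the proxy's URL encoding
	block, _ := pem.Decode([]byte(raw))
	if block == nil {
		return nil, fmt.Errorf("no PEM certificate in header")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	if l.Validate { // the chain must end at a trusted CA, so a self-signed forgery fails here
		if _, err := cert.Verify(x509.VerifyOptions{Roots: l.Roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
			return nil, err
		}
	}
	return cert, nil
}

// mint issues a throwaway certificate for cn; parent == nil means self-signed, as `openssl req -x509` would make.
func mint(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, IsCA: isCA, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Demo plays the configurations described in the issue against a forged and a genuine certificate;
// each entry is the subject the server authenticates as, "" meaning the request was rejected.
func Demo() map[string]string {
	ca, caKey := mint("Corp Client CA", true, nil, nil)
	legit, _ := mint("alice", false, ca, caKey) // alice's real certificate; her private key is never needed
	forged, _ := mint("alice", false, nil, nil) // attacker's self-signed certificate with the same subject
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	anyone := []netip.Prefix{netip.MustParsePrefix("0.0.0.0/0")}      // header trusted from any source
	onlyProxy := []netip.Prefix{netip.MustParsePrefix("10.0.0.5/32")} // only the proxy's address (constructed)
	who := func(l Lookup, c *x509.Certificate) string { // send c in the header straight from the attacker's host
		r := &http.Request{Header: http.Header{}, RemoteAddr: "10.0.0.77:51234"} // constructed attacker address
		r.Header.Set(certHeader, url.PathEscape(string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw}))))
		if cert, err := l.ClientCert(r); err == nil {
			return cert.Subject.CommonName
		}
		return ""
	}
	return map[string]string{
		"weak/forged":   who(Lookup{anyone, roots, false}, forged),  // "alice": forgery accepted
		"strict/forged": who(Lookup{anyone, roots, true}, forged),   // "": chain check rejects it
		"strict/legit":  who(Lookup{anyone, roots, true}, legit),    // "alice": the public certificate alone suffices
		"pinned/legit":  who(Lookup{onlyProxy, roots, true}, legit), // "": not sent from the proxy's address
	}
}

func main() { fmt.Printf("%v\n", Demo()) }
```

Run it with go run; Demo returns the accepted subject per configuration so a test can assert on it. Note that the address pin is only as strong as the network's protection against source-address spoofing, which is the caveat the issue raises about trusted proxies, and that chain validation alone never stops an attacker who holds the victim's public certificate.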