Summary: A high-severity vulnerability (CVE-2024-8698) has been identified in Keycloak's SAML signature validation, potentially allowing attackers to bypass authentication and escalate privileges. The flaw affects Keycloak versions up to and including 25.0.5 and is fixed in 25.0.6; all deployments should update promptly.
Threat Actor: Malicious actors
Victim: Keycloak users
Key Points:
- CVE-2024-8698 allows SAML authentication to be bypassed in Keycloak.
- Attackers can exploit the flaw to impersonate users or escalate privileges within the systems Keycloak protects.
- Keycloak versions up to and including 25.0.5 are affected; users must upgrade to version 25.0.6 or later.
In a concerning development for organizations relying on Keycloak for secure identity and access management, a high-severity vulnerability has been discovered in its SAML signature validation process. Tracked as CVE-2024-8698, this flaw could allow malicious actors to bypass authentication mechanisms, leading to potential privilege escalation and user impersonation attacks.
The vulnerability resides in Keycloak's XMLSignatureUtil class, which verifies SAML signatures. The class decides whether a signature covers the entire SAML document or a specific assertion based solely on where the ds:Signature element sits in the XML tree. It disregards the ds:Reference element inside the signature, whose URI attribute names, by ID, exactly which element the signature actually covers.
Exploiting this flaw, an attacker can craft a SAML response that contains both a validly signed assertion and an unsigned one. By arranging the elements so that the legitimate signature sits where the position-based logic treats it as a signature over the whole response, the attacker gets Keycloak to accept the entire message, including the unsigned assertion, even though the signature's Reference covers only the signed one.
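The scope decision described in the two paragraphs above can be modelled on a small constructed SAML Response. The following Python (standard library only) is an added example and is not Keycloak's code: it contrasts a position-based scope check, which mimics the flaw as described, with a reference-based check that follows SAML 2.0 core section 5.4 (an enveloped signature with exactly one same-document ds:Reference whose URI names the ID of the element enclosing the signature). The XML documents, the IDs _resp, _signed and _evil, the subject names and the base64 placeholder digest and signature values are all constructed. Cryptographic verification of the digest and SignatureValue against the IdP key is assumed to have succeeded and is not implemented here, because the bug lies in deciding what a valid signature covers, not in checking the signature itself.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SIG_TAG = f"{{{NS['ds']}}}Signature"
ASSERTION_TAG = f"{{{NS['saml']}}}Assertion"

# Constructed attacker message (not a real capture). The IdP's genuinely signed
# assertion (_signed) is reused, an unsigned assertion (_evil) is added, and the
# ds:Signature is moved up to sit directly under the Response. Its Reference
# still names only _signed. Digest and signature values are placeholders.
CRAFTED_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:Reference URI="#_signed"><ds:DigestValue>AAAA</ds:DigestValue></ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>AAAA</ds:SignatureValue>
  </ds:Signature>
  <saml:Assertion ID="_signed">
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  </saml:Assertion>
  <saml:Assertion ID="_evil">
    <saml:Subject><saml:NameID>admin</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Constructed legitimate message: the enveloped signature sits inside the
# assertion it references, as SAML 2.0 core section 5.4 requires.
LEGIT_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp">
  <saml:Assertion ID="_signed">
    <ds:Signature>
      <ds:SignedInfo>
        <ds:Reference URI="#_signed"><ds:DigestValue>AAAA</ds:DigestValue></ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>AAAA</ds:SignatureValue>
    </ds:Signature>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def parent_map(root):
    """ElementTree has no parent pointers; build a child -> parent map once."""
    return {child: parent for parent in root.iter() for child in parent}


def all_assertion_ids(root):
    return {a.get("ID") for a in root.iterfind("saml:Assertion", NS)}


def assertions_trusted_vulnerable(xml_text):
    """Model of the flawed logic: a ds:Signature directly under the Response is
    taken as a signature over the whole document, one anywhere else as a
    signature over its enclosing assertion. ds:Reference is never consulted."""
    root = ET.fromstring(xml_text)
    parents = parent_map(root)
    trusted = set()
    for sig in root.iter(SIG_TAG):
        if parents[sig] is root:
            trusted |= all_assertion_ids(root)   # "whole Response is signed"
        else:
            trusted.add(parents[sig].get("ID"))
    return trusted


def assertions_trusted_fixed(xml_text):
    """Scope decided by ds:Reference: exactly one Reference, a same-document
    URI, and the referenced ID must be the ID of the element enveloping the
    Signature. A signature that fails this confers no trust on anything."""
    root = ET.fromstring(xml_text)
    parents = parent_map(root)
    trusted = set()
    for sig in root.iter(SIG_TAG):
        enclosing = parents[sig]
        enclosing_id = enclosing.get("ID")
        refs = list(sig.iterfind("ds:SignedInfo/ds:Reference", NS))
        if enclosing_id is None or len(refs) != 1:
            continue
        if refs[0].get("URI") != f"#{enclosing_id}":
            continue  # detached or re-homed signature: covers something other than its parent
        if enclosing is root:
            trusted |= all_assertion_ids(root)   # the Response itself is signed
        elif enclosing.tag == ASSERTION_TAG:
            trusted.add(enclosing_id)
    return trusted


if __name__ == "__main__":
    print("vulnerable, crafted:  ", sorted(assertions_trusted_vulnerable(CRAFTED_RESPONSE)))
    print("fixed, crafted:       ", sorted(assertions_trusted_fixed(CRAFTED_RESPONSE)))
    print("fixed, legitimate:    ", sorted(assertions_trusted_fixed(LEGIT_RESPONSE)))
```

On the crafted message the position-based model trusts both _signed and _evil, while the reference-based check trusts nothing, because the signature sits under the Response but references only the assertion; on the legitimate message both accept exactly _signed. In a real validator the reference check sits alongside, not instead of, digest verification over the canonicalised referenced element and verification of SignatureValue against the expected IdP certificate, and it does not reproduce the details of Keycloak's own patch.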
The implications of this vulnerability are severe. In the context of an identity provider (IdP), a successful exploit could allow an attacker to gain unauthorized access to a high-privileged account, effectively compromising the entire system. Similarly, within a service provider (SP), an attacker could impersonate a legitimate user, gaining access to resources they are not authorized to use.
Keycloak versions up to and including 25.0.5 are susceptible to this vulnerability. The issue has been addressed in version 25.0.6. It is strongly recommended that all Keycloak deployments be updated to this or a later version immediately.
Source: https://securityonline.info/cve-2024-8698-keycloak-vulnerability-puts-saml-authentication-at-risk