WARNING: HIGH VULNERABILITY IN KEYCLOAK COULD LEAD TO PRIVILEGE ESCALATION AND IMPERSONATION. PATCH IMMEDIATELY!

Published : 25/09/2024

Reference:
Advisory #2024-228

Version:
1.1

Affected software:
Keycloak

Type:
Privilege escalation and impersonation

CVE/CVSS:
CVE-2024-8698
CVSS: 7.7 (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L)


Risks

In September 2024, Keycloak released an advisory addressing a high-severity vulnerability affecting all Keycloak versions prior to 25.0.6. Threat actors could exploit this vulnerability to escalate privileges and impersonate other users.
 
Keycloak is an open-source identity and access management solution. It is integrated into numerous popular products.
 
At this time, Keycloak is not aware of any active exploitation of this vulnerability (cut-off date: 14 October 2024).
 
Exploitation of this vulnerability can have a high impact on confidentiality, with low impacts on integrity and availability.
 
Update 14/10/2024: A GitHub user published a proof-of-concept exploit. This raises the risk, as it makes exploitation by threat actors more likely. Immediate action is advised to mitigate this heightened threat.

Description

CVE-2024-8698 is a privilege escalation and impersonation vulnerability located in the SAML signature validation method within the Keycloak XMLSignatureUtil class. The method incorrectly determines whether a SAML signature covers the full document or only specific assertions based on the position of the signature in the XML document, rather than on the Reference element that specifies which element was actually signed.

Successful exploitation of this vulnerability would enable attackers to craft SAML responses that bypass signature validation, potentially leading to privilege escalation or impersonation attacks.
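To make the flaw described above concrete, the following added example (written for this page; it is not Keycloak's code and does not reproduce the XMLSignatureUtil logic) contrasts the two ways of deciding what a ds:Signature covers. The constructed SAML Response carries a Signature positioned as a direct child of samlp:Response, where a message-level signature normally sits, but its only ds:Reference URI points at the Assertion. A position-based check concludes the whole Response is signed; resolving the Reference URI shows that only the Assertion is. The digest and signature values are placeholders, so no cryptographic verification is performed; the example isolates the scope decision only. The element IDs, helper names and sample message are assumptions made for this illustration.

```python
"""Signature scope: position-based heuristic vs. ds:Reference resolution."""
import xml.etree.ElementTree as ET  # for untrusted input in production, prefer defusedxml

DS = "http://www.w3.org/2000/09/xmldsig#"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SIG = f"{{{DS}}}Signature"
REF = f"{{{DS}}}Reference"

# Constructed sample (not a real IdP message). The Signature sits directly
# under samlp:Response, but its sole Reference covers only the Assertion "_a1".
# Digest/signature values are placeholders: nothing here is cryptographically verified.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    xmlns:ds="{DS}" ID="_r1" Version="2.0" IssueInstant="2024-09-25T00:00:00Z">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:Reference URI="#_a1"><ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  </ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-09-25T00:00:00Z">
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Same message, but with the Reference genuinely pointing at the Response.
MESSAGE_SIGNED_RESPONSE = SAMPLE_RESPONSE.replace('URI="#_a1"', 'URI="#_r1"')


def parent_map(root):
    """ElementTree has no parent pointers; build a child -> parent lookup."""
    return {child: parent for parent in root.iter() for child in parent}


def scope_by_position(root, sig, parents):
    """Flawed heuristic: infer what a signature covers from where it sits.
    A Signature directly under the root is taken to sign the whole document;
    elsewhere it is taken to sign its enclosing element. Returns that element's ID."""
    return parents[sig].get("ID")


def scope_by_reference(root, sig):
    """Correct approach: the ds:Reference URIs declare what was digested.
    Returns the set of IDs of covered elements (URI="" means the whole document).
    Raises ValueError on duplicate IDs or a URI that resolves to nothing."""
    ids = {}
    for el in root.iter():
        el_id = el.get("ID")
        if el_id is not None:
            if el_id in ids:
                raise ValueError("duplicate ID " + el_id)
            ids[el_id] = el
    covered = set()
    for ref in sig.iter(REF):
        uri = ref.get("URI", "")
        if uri == "":
            covered.add(root.get("ID"))  # enveloped signature over the whole document
        elif uri.startswith("#") and uri[1:] in ids:
            covered.add(uri[1:])
        else:
            raise ValueError("unresolvable Reference URI " + repr(uri))
    return covered


def analyse(xml_text):
    """For every Signature, report the ID it appears to cover by position
    and the IDs it actually declares via ds:Reference."""
    root = ET.fromstring(xml_text)
    parents = parent_map(root)
    return [
        {
            "assumed_by_position": scope_by_position(root, sig, parents),
            "declared_by_reference": scope_by_reference(root, sig),
        }
        for sig in root.iter(SIG)
    ]


def is_response_signed(xml_text):
    """True only if some Signature's References actually cover the Response element."""
    root = ET.fromstring(xml_text)
    return any(root.get("ID") in scope_by_reference(root, sig) for sig in root.iter(SIG))


if __name__ == "__main__":
    for r in analyse(SAMPLE_RESPONSE):
        print("position says:", r["assumed_by_position"], "| references say:", r["declared_by_reference"])
    print("Response covered by a signature:", is_response_signed(SAMPLE_RESPONSE))
```

The practical takeaway is the one the description states: a validator must treat as signed only the element(s) the ds:Reference URIs resolve to, and must reject (rather than guess at) a Reference it cannot resolve, regardless of where the Signature element appears in the tree.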

Recommended Actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable systems with the highest priority, after thorough testing.

Keycloak reports this vulnerability is addressed in version 25.0.6.

As Keycloak is a component in multiple products, it is recommended to also implement the updates from other vendors that rely on Keycloak for identity and access management.

 

Monitor/Detect

The CCB recommends that organizations scale up their monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://ccb.belgium.be/cert/report-incident

While patching appliances or software to the newest version protects against future exploitation, it does not remediate a historic compromise.
