Full Report
Keycloak is a single sign-on provider. While on a project for a client, they identified a flaw in the authentication system. In Keycloak, the levels of security depend on the level of authentication: level 1 is just the username and password; level 2 is username, password and OTP. According to their setup guide, the default browser flow is used by most apps. This levels system sounds good in theory but has a flaw: level 1 authentication has access to account settings. An attacker could log in with credentials to a level 1 website, add a new OTP method, then use this on the level 2 website. This creates a really dumb bypass for 2FA auth. This vulnerability was known about, according to the security team, but took 10 months to fix.

Several of the administrative endpoints were reachable via an unprivileged user. Of these, testLDAPConnection was the most serious because it could be used to steal LDAP creds by setting a custom connection location. This required some information that could be queried using this same vulnerability on a different API.

The final issue was poor brute force protections. The protections were turned off by default but were insufficient anyway. It was possible to send multiple requests simultaneously to allow more login attempts than what should be allowed. Use those locks! Overall, a series of fairly simple yet impactful bugs. Good writeup!
Analysis Summary
# Vulnerability: Keycloak Authentication Step-Up Bypass and Admin API Exposure
## CVE Details
- **CVE ID**: CVE-2023-3597 (OTP Bypass), CVE-2024-1132 (Brute Force), CVE-2024-1249 (Information Exposure), CVE-2024-2228 (LDAP Credential Theft)
- **CVSS Score**: 7.1 (High) - *Score reflects the most severe flaw, CVE-2023-3597*
- **CWE**: CWE-288 (Authentication Bypass Using an Alternate Path), CWE-307 (Improper Restriction of Excessive Authentication Attempts)
## Affected Systems
- **Products**: Keycloak (Open Source Identity and Access Management)
- **Versions**: Versions prior to 22.0.1 (specific fixes vary by CVE; 23.0.x and 24.0.x series also addressed subsequent flaws)
- **Configurations**: Systems utilizing "Step-up" authentication flows where Level of Authentication (LoA) is enforced for some apps but not the default "account-console."
## Vulnerability Description
Keycloak suffered from multiple architectural flaws:
1. **OTP Bypass**: The "account-console" application was default-configured at LoA1 (password only). An attacker with credentials could access this console to add a new OTP device without solving an existing OTP challenge, effectively bypassing 2FA requirements for higher-security (LoA2) apps.
2. **Admin Endpoint Exposure**: Several administrative endpoints were reachable via unprivileged user tokens.
3. **LDAP Credential Theft**: The `testLDAPConnection` endpoint allowed users to specify a custom connection URL. By pointing this to an attacker-controlled server, the attacker could capture LDAP service account credentials.
4. **Race Condition in Brute Force**: The brute-force protection mechanism failed to account for concurrent requests, allowing multiple simultaneous login attempts to bypass the configured threshold.
## Exploitation
- **Status**: PoC available in technical write-ups; vulnerabilities were identified during professional security assessments.
- **Complexity**: Low to Medium
- **Attack Vector**: Network
## Impact
- **Confidentiality**: High (Theft of LDAP credentials and unauthorized access to 2FA-protected applications).
- **Integrity**: Medium (Ability to modify account security settings/OTP methods).
- **Availability**: Low
## Remediation
### Patches
- Users should upgrade to **Keycloak 24.0.0** or later to ensure all mentioned vulnerabilities (including the administrative endpoint exposures) are addressed.
- The OTP bypass specifically was addressed in **version 22.0.1**.
### Workarounds
- **LoA Configuration**: Manually configure the `account` and `account-console` clients to require LoA2 (OTP) if step-up authentication is used globally.
- **Brute Force**: Enable and strictly configure "Brute Force Detection" in the Realm settings, though note that versions prior to the fix remain susceptible to simultaneous request attacks.
## Detection
- **Indicators of Compromise**: Monitor logs for unauthorized users accessing `/auth/admin/realms/{realm}/testLDAPConnection`. Look for unexpected "Update TOTP" events in user audit logs.
- **Detection Methods**: Audit Keycloak logs for multiple failed login attempts occurring within the same millisecond, indicating a race condition exploit.
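The two detection ideas above, as an added example that is neither the write-up's nor Keycloak's own code: a small Python scanner over constructed Keycloak-style event log lines that flags same-millisecond bursts of `LOGIN_ERROR` for one user and `UPDATE_TOTP` events issued through the `account-console` client. The line layout and the `type=`/`clientId=`/`userId=` fields are assumptions about what Keycloak's event logger emits; check them against your own logs before relying on the regex.

```python
import re
from collections import Counter

# Constructed sample in the key=value style of Keycloak's event logger
# (assumed layout; field names mirror Keycloak event attributes).
SAMPLE_LOG = """\
2024-03-01 10:00:00,117 WARN  [org.keycloak.events] (executor-thread-1) type=LOGIN_ERROR, realmId=corp, clientId=intranet, userId=alice, ipAddress=203.0.113.5, error=invalid_user_credentials
2024-03-01 10:00:00,117 WARN  [org.keycloak.events] (executor-thread-2) type=LOGIN_ERROR, realmId=corp, clientId=intranet, userId=alice, ipAddress=203.0.113.5, error=invalid_user_credentials
2024-03-01 10:00:00,117 WARN  [org.keycloak.events] (executor-thread-3) type=LOGIN_ERROR, realmId=corp, clientId=intranet, userId=alice, ipAddress=203.0.113.5, error=invalid_user_credentials
2024-03-01 10:00:00,117 WARN  [org.keycloak.events] (executor-thread-4) type=LOGIN_ERROR, realmId=corp, clientId=intranet, userId=alice, ipAddress=203.0.113.5, error=invalid_user_credentials
2024-03-01 10:00:09,402 INFO  [org.keycloak.events] (executor-thread-1) type=LOGIN, realmId=corp, clientId=account-console, userId=alice, ipAddress=203.0.113.5
2024-03-01 10:00:31,880 INFO  [org.keycloak.events] (executor-thread-1) type=UPDATE_TOTP, realmId=corp, clientId=account-console, userId=alice, ipAddress=203.0.113.5
2024-03-01 10:05:00,001 WARN  [org.keycloak.events] (executor-thread-2) type=LOGIN_ERROR, realmId=corp, clientId=intranet, userId=bob, ipAddress=198.51.100.9, error=invalid_user_credentials
"""

# Timestamp with millisecond precision, logger name, optional thread, then the event fields.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) \S+\s+\[org\.keycloak\.events\]"
    r"(?: \([^)]*\))? (?P<fields>type=.*)$"
)


def parse_events(text):
    """Turn event log lines into dicts; lines that are not events are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m.group("fields").split(", "))
        fields["ts"] = m.group("ts")
        events.append(fields)
    return events


def detect_burst_failures(events, threshold=3):
    """Users with at least `threshold` LOGIN_ERRORs stamped with the same
    millisecond: attempts arriving faster than a serialised counter would see them."""
    buckets = Counter((e["userId"], e["ts"]) for e in events if e["type"] == "LOGIN_ERROR")
    return sorted((user, ts, n) for (user, ts), n in buckets.items() if n >= threshold)


def detect_console_otp_enrolment(events, suspicious_users=()):
    """UPDATE_TOTP events issued through the account-console client, the LoA1
    path the write-up describes for enrolling a fresh OTP device; the third
    tuple element marks users already flagged by another check."""
    return [(e["userId"], e["ts"], e["userId"] in suspicious_users)
            for e in events
            if e["type"] == "UPDATE_TOTP" and e.get("clientId") == "account-console"]
```

Feed `parse_events` the output of `kc.sh` with event logging enabled; the default threshold of three failures in one millisecond is a starting point to tune against your login volume.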
## References
- Keycloak Security Advisory (GHSA-4f53-xh3v-g8x4): <https://github.com/keycloak/keycloak/security/advisories/GHSA-4f53-xh3v-g8x4>
- Red Hat Security Portal (CVE-2023-3597): <https://access.redhat.com/security/cve/cve-2023-3597>
- Original Research: <https://hnsecurity.it/blog/an-analysis-of-the-keycloak-authentication-system/>