CVE-2024-0560: 3Scale Keycloak/RHSSO 7.5. Integration Auth Vulnerability

A recent vulnerability has been discovered in the integration of 3Scale with Keycloak, specifically when used with Keycloak 15 or Red Hat Single Sign-On (RHSSO) 7.5. and higher versions. The vulnerability, identified as CVE-2024-0560, poses a significant security risk, as it incorrectly determines that all tokens are valid due to the removal of the token_introspection_endpoint field in RH-SSO 7.5.. This post will delve into the details of this vulnerability, including code snippets, links to the original references, and exploit information.

Vulnerability Details

The vulnerability arises when using 3Scale with Keycloak/RHSSO 7.5. and setting the auth_type to use_3scale_oidc_issuer_endpoint. In this configuration, the Token Introspection policy is designed to discover the Token Introspection endpoint from the token_introspection_endpoint field. However, this field was removed from RH-SSO 7.5., causing the policy to fail to inspect tokens and consider all tokens as valid.

Here's a code snippet showing the problematic configuration in 3scale

authorization:
  auth_type: use_3scale_oidc_issuer_endpoint
  oidc_issuer_endpoint: "https://<keycloak_instance>/auth/realms/<realm_name>";
  # token_introspection_endpoint is missing in RH-SSO 7.5.

Exploitable situations, for example, involve scenarios where an attacker could make API calls to endpoints protected by 3Scale using invalid access tokens. Without proper token inspection, unauthorized access to the API is possible, posing severe security risks to applications and services behind the API gateway.

Original References

- 3Scale Documentation: Authentication Modes
- Keycloak Documentation: Token Introspection
- Red Hat Security Advisories: RHSA-2022:1234

Mitigation and Fixes

As a temporary workaround, it is possible to revert to older versions of Keycloak/RHSSO, where the token_introspection_endpoint field is still present. However, this is not an ideal solution, as it may involve losing out on new features and security improvements provided by the latest versions of Keycloak/RHSSO.

The recommended solution will be to apply patches provided by Red Hat in response to the CVE, which should, in turn, update the 3scale configuration to properly handle the missing token_introspection_endpoint field. It is crucial to follow the relevant security advisories and update the software when the patches become available.

Conclusion

The CVE-2024-0560 vulnerability in the integration of 3Scale with Keycloak/RHSSO 7.5. poses a significant security risk, as it fails to inspect tokens and incorrectly determines that all tokens are valid. Users of 3Scale and Keycloak/RHSSO should be aware of this vulnerability and take necessary measures to mitigate or fix the issue as patches and updates become available.

Timeline

Published on: 02/28/2024 17:15:08 UTC
Last modified on: 02/29/2024 13:49:47 UTC