RHEL 7 : mod_auth_openidc (Unpatched Vulnerability)

2024-05-1100:00:00

www.tenable.com

redhat enterprise linux

mod_auth_openidc

vulnerability

open redirect

aes gcm encryption

denial of service

7.2 High

AI Score

Confidence

High

JSON

The remote Redhat Enterprise Linux 7 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.

mod_auth_openidc: open redirect due to target_link_uri parameter not validated (CVE-2021-39191)
mod_auth_openidc: Open Redirect in oidc_validate_redirect_url() using tab character (CVE-2022-23527)
mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. In versions prior to 2.4.9, oidc_validate_redirect_url() does not parse URLs the same way as most browsers do. As a result, this function can be bypassed and leads to an Open Redirect vulnerability in the logout functionality. This bug has been fixed in version 2.4.9 by replacing any backslash of the URL to redirect with slashes to address a particular breaking change between the different specifications (RFC2396 / RFC3986 and WHATWG). As a workaround, this vulnerability can be mitigated by configuring mod_auth_openidc to only allow redirection whose destination matches a given regular expression.
(CVE-2021-32786)
mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. In mod_auth_openidc before version 2.4.9, the AES GCM encryption in mod_auth_openidc uses a static IV and AAD. It is important to fix because this creates a static nonce and since aes-gcm is a stream cipher, this can lead to known cryptographic issues, since the same key is being reused. From 2.4.9 onwards this has been patched to use dynamic values through usage of cjose AES encryption routines. (CVE-2021-32791)
mod_auth_openidc is an OpenID Certified authentication and authorization module for the Apache 2.x HTTP server that implements the OpenID Connect Relying Party functionality. In affected versions missing input validation on mod_auth_openidc_session_chunks cookie value makes the server vulnerable to a denial of service (DoS) attack. An internal security audit has been conducted and the reviewers found that if they manipulated the value of the mod_auth_openidc_session_chunks cookie to a very large integer, like 99999999, the server struggles with the request for a long time and finally gets back with a 500 error.
Making a few requests of this kind caused our server to become unresponsive. Attackers can craft requests that would make the server work very hard (and possibly become unresponsive) and/or crash with minimal effort. This issue has been addressed in version 2.4.15.2. Users are advised to upgrade. There are no known workarounds for this vulnerability. (CVE-2024-24814)

Note that Nessus has not tested for these issues but has instead relied on the package manager’s report that the package is installed.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory mod_auth_openidc. The text
# itself is copyright (C) Red Hat, Inc.
##

include('compat.inc');

if (description)
{
  script_id(195625);
  script_version("1.0");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/05/11");

  script_cve_id(
    "CVE-2021-32786",
    "CVE-2021-32791",
    "CVE-2021-39191",
    "CVE-2022-23527",
    "CVE-2024-24814"
  );

  script_name(english:"RHEL 7 : mod_auth_openidc (Unpatched Vulnerability)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Red Hat 7 host is affected by multiple vulnerabilities that will not be patched.");
  script_set_attribute(attribute:"description", value:
"The remote Redhat Enterprise Linux 7 host has one or more packages installed that are affected by multiple
vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - mod_auth_openidc: open redirect due to target_link_uri parameter not validated (CVE-2021-39191)

  - mod_auth_openidc: Open Redirect in oidc_validate_redirect_url() using tab character (CVE-2022-23527)

  - mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions
    as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. In versions
    prior to 2.4.9, `oidc_validate_redirect_url()` does not parse URLs the same way as most browsers do. As a
    result, this function can be bypassed and leads to an Open Redirect vulnerability in the logout
    functionality. This bug has been fixed in version 2.4.9 by replacing any backslash of the URL to redirect
    with slashes to address a particular breaking change between the different specifications (RFC2396 /
    RFC3986 and WHATWG). As a workaround, this vulnerability can be mitigated by configuring
    `mod_auth_openidc` to only allow redirection whose destination matches a given regular expression.
    (CVE-2021-32786)

  - mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions
    as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. In
    mod_auth_openidc before version 2.4.9, the AES GCM encryption in mod_auth_openidc uses a static IV and
    AAD. It is important to fix because this creates a static nonce and since aes-gcm is a stream cipher, this
    can lead to known cryptographic issues, since the same key is being reused. From 2.4.9 onwards this has
    been patched to use dynamic values through usage of cjose AES encryption routines. (CVE-2021-32791)

  - mod_auth_openidc is an OpenID Certified authentication and authorization module for the Apache 2.x HTTP
    server that implements the OpenID Connect Relying Party functionality. In affected versions missing input
    validation on mod_auth_openidc_session_chunks cookie value makes the server vulnerable to a denial of
    service (DoS) attack. An internal security audit has been conducted and the reviewers found that if they
    manipulated the value of the mod_auth_openidc_session_chunks cookie to a very large integer, like
    99999999, the server struggles with the request for a long time and finally gets back with a 500 error.
    Making a few requests of this kind caused our server to become unresponsive. Attackers can craft requests
    that would make the server work very hard (and possibly become unresponsive) and/or crash with minimal
    effort. This issue has been addressed in version 2.4.15.2. Users are advised to upgrade. There are no
    known workarounds for this vulnerability. (CVE-2024-24814)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package
is installed.");
  script_set_attribute(attribute:"solution", value:
"The vendor has acknowledged the vulnerabilities but no solution has been provided. Refer to the vendor for remediation
guidance.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-39191");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2022-23527");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"vendor_unpatched", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2021/07/22");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/05/11");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:mod_auth_openidc");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Red Hat Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl", "redhat_repos.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");

  exit(0);
}


include('rpm.inc');
include('rhel.inc');

if (!get_kb_item("global_settings/vendor_unpatched"))
exit(0, "Unpatched Vulnerabilities Detection not active.");

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/RedHat/release');
if (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');
var os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');
os_ver = os_ver[1];
if (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '7')) audit(AUDIT_OS_NOT, 'Red Hat 7.x', 'Red Hat ' + os_ver);

if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);

var constraints = [
  {
    'pkgs': [
      {'reference':'mod_auth_openidc', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'mod_auth_openidc'}
    ]
  }
];


var flag = 0;
foreach var constraint_array ( constraints ) {
  var repo_relative_urls = NULL;
  var enterprise_linux_flag = rhel_repo_urls_has_content_dist_rhel(repo_urls:repo_relative_urls);
  foreach var pkg ( constraint_array['pkgs'] ) {
    var unpatched_pkg = NULL;
    var _release = NULL;
    var sp = NULL;
    var el_string = NULL;
    var rpm_spec_vers_cmp = NULL;
    var exists_check = NULL;
    var cves = NULL;
    if (!empty_or_null(pkg['unpatched_pkg'])) unpatched_pkg = pkg['unpatched_pkg'];
    if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (unpatched_pkg &&
        _release &&
        (!exists_check || rpm_exists(release:_release, rpm:exists_check)) &&
        unpatched_package_exists(release:_release, package:unpatched_pkg, cves: cves)) flag++;
  }
}

if (flag)
{
  var extra = NULL;
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : unpatched_packages_report()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'mod_auth_openidc');
}

VendorProductVersionCPE
redhatenterprise_linux7cpe:/o:redhat:enterprise_linux:7
redhatenterprise_linuxmod_auth_openidcp-cpe:/a:redhat:enterprise_linux:mod_auth_openidc