instipod DuoUniversalKeycloakAuthenticator challenge information disclosure vulnerability

Talos Intelligence (www.talosintelligence.com), published 2023-12-23
CVSS3: 6.5 Medium
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: REQUIRED; Scope: UNCHANGED; Confidentiality Impact: HIGH; Integrity Impact: NONE; Availability Impact: NONE

AI Score: 7 High (Confidence: High)
EPSS: 0.001 Low (Percentile: 25.1%)
Talos Vulnerability Report

TALOS-2023-1907

instipod DuoUniversalKeycloakAuthenticator challenge information disclosure vulnerability

December 23, 2023
CVE Number

CVE-2023-49594

SUMMARY

An information disclosure vulnerability exists in the challenge functionality of the instipod DuoUniversalKeycloakAuthenticator plugin, version 1.0.7. A specially crafted HTTP request can lead to disclosure of sensitive information. A user logging into Keycloak through the DuoUniversalKeycloakAuthenticator plugin triggers this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

instipod DuoUniversalKeycloakAuthenticator 1.0.7

PRODUCT URLS

DuoUniversalKeycloakAuthenticator - https://github.com/instipod/DuoUniversalKeycloakAuthenticator

CVSSv3 SCORE

4.5 - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N

CWE

CWE-201 - Information Exposure Through Sent Data

DETAILS

DuoUniversalKeycloakAuthenticator is an authentication solution for Keycloak leveraging Duo’s Java Universal Prompt SDK to prompt users for Duo Multi-Factor Authentication (MFA) within the context of a Keycloak login process.

A completely unaware user can inadvertently expose their own credentials to the duosecurity.com site simply by logging into a Keycloak server that uses the DuoUniversalKeycloakAuthenticator plugin. When the Keycloak extension for Duo detects that initial authentication with Keycloak has succeeded, it redirects the browser to the configured duosecurity.com endpoint. This is expected. Unfortunately, it performs this redirection via Response.temporaryRedirect.

Vulnerable code, line 284:

Line 282        try {
Line 283            String startingUrl = duoClient.createAuthUrl(username, loginState);
Line 284            authenticationFlowContext.challenge(Response.temporaryRedirect(new URI(startingUrl)).build());
Line 285        } catch (Exception exception) {
Line 286            if (authConfig.getConfig().getOrDefault(DuoUniversalAuthenticatorFactory.DUO_FAIL_SAFE, "true").equalsIgnoreCase("false")) {
Line 287                // fail secure, deny login
Line 288                authenticationFlowContext.failure(AuthenticationFlowError.INVALID_CREDENTIALS);
Line 289            } else {
Line 290                authenticationFlowContext.success();
Line 291            }
Line 292        }
Line 293    }

Response.temporaryRedirect uses HTTP status code 307. This is problematic because 307 instructs the browser to repeat the request to the new location with the same method and body as the original request. Since the request that triggered the 307 was the POST carrying the username and password, the redirected request sends those credentials to duosecurity.com as well. Anyone using this extension therefore sends their username and password to Duo every time they authenticate to their Keycloak instance and perform MFA. This behavior is present in all versions of the “DuoUniversalKeycloakAuthenticator” extension.
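To make the 307 behaviour concrete, the following is an added Python model (not code from the plugin or from Talos) of how a browser replays the Keycloak credential POST across each redirect status, plus a helper a defender can use to flag a redirect that would carry form fields to another origin. The Keycloak URL, the Duo URL and the form values are constructed placeholders.

```python
"""Model how a browser replays a POST across each HTTP redirect status."""
from dataclasses import dataclass, replace
from typing import Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Request:
    method: str
    url: str
    body: Optional[dict]  # form fields; None means no body is sent


def follow_redirect(req: Request, status: int, location: str) -> Request:
    """Return the request a browser issues after receiving this redirect.

    RFC 7231: 303 always switches to GET and drops the body; 307 (and 308,
    RFC 7538) MUST keep method and body unchanged. For 301/302 the RFC lets a
    user agent rewrite POST to GET, which is what mainstream browsers do.
    """
    if status in (301, 302, 303):
        if req.method == "POST":
            return Request("GET", location, None)
        return replace(req, url=location)
    if status in (307, 308):
        return replace(req, url=location)  # method and body preserved verbatim
    raise ValueError(f"{status} is not a redirect status")


def leaks_credentials(req: Request, status: int, location: str) -> bool:
    """True when following the redirect sends the form body to another origin."""
    nxt = follow_redirect(req, status, location)
    src, dst = urlsplit(req.url), urlsplit(nxt.url)
    cross_origin = (src.scheme, src.netloc) != (dst.scheme, dst.netloc)
    return cross_origin and bool(nxt.body)


# Constructed sample: the Keycloak credential POST and a Duo prompt URL.
LOGIN = Request(
    "POST",
    "https://sso.example.com/realms/demo/login-actions/authenticate",
    {"username": "alice", "password": "constructed-password"},
)
DUO_URL = "https://api-placeholder.duosecurity.com/oauth/v1/authorize?state=constructed"

if __name__ == "__main__":
    for status in (303, 307):  # seeOther vs temporaryRedirect
        print(status, follow_redirect(LOGIN, status, DUO_URL),
              "leaks credentials" if leaks_credentials(LOGIN, status, DUO_URL) else "safe")
```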

VENDOR RESPONSE

Fixed in version 1.0.8, see https://github.com/instipod/DuoUniversalKeycloakAuthenticator/releases/tag/1.0.8

TIMELINE

2023-12-20 - Initial Vendor Contact
2023-12-21 - Vendor Disclosure
2023-12-23 - Public Release

Credit

Benjamin Taylor of Cisco ASIG
