Keycloak, Injection, CVE-2024-2418 (Critical)


The vulnerability (CVE-2024-2418) in Keycloak’s `KeycloakRealmImport` custom resource stems from its placeholder substitution mechanism. While importing a realm configuration document, the operator replaces placeholders, typically written as `${ENV_VAR}`, with values taken from its own environment variables. This feature, intended for configuration flexibility, becomes an injection vector when an attacker controls the realm import document. A maliciously crafted realm file can carry placeholders in configuration fields that are processed during the import, and because those placeholders are resolved before the realm is stored, the attacker can manipulate the final, parsed realm configuration. Such manipulation could alter security settings, client definitions, or user roles, leading to a full compromise of the Keycloak instance’s security and functionality. The placeholders are resolved in the context of the Keycloak operator, against its environment, allowing significant unintended changes.
Platform: Keycloak
Version: Before 24.0.2
Vulnerability: Injection Attack
Severity: Critical

Date: 2024-04-09

Prediction: 2024-04-23

What Undercode Say:

# List the realm imports present in the keycloak namespace
kubectl get keycloakrealmimports -n keycloak

# Malicious realm import example
apiVersion: k8s.keycloak.org/v2alpha1
kind: KeycloakRealmImport
metadata:
  name: malicious-realm
spec:
  realm:
    displayName: "${JAVA_OPTS:-Injected}"
    # ... other realm config with placeholders

# Inspect the operator's environment and pod for what a placeholder could resolve to
env | grep KEYCLOAK
kubectl describe pod keycloak-operator

How it is exploited:

An attacker with permission to create or update a `KeycloakRealmImport` resource crafts a YAML file containing placeholders that reference sensitive environment variables or inject arbitrary configuration. When the Keycloak operator processes the resource, these placeholders are resolved, altering the realm’s security configuration to create admin users, modify client redirect URIs, or change identity provider settings, which leads to authentication bypass or data exfiltration.

Protection from this CVE

Upgrade to Keycloak 24.0.2 or later, which disables the problematic placeholder substitution. For immediate mitigation, restrict RBAC permissions so that only trusted principals can apply `KeycloakRealmImport` custom resources. Audit all existing realm imports for malicious placeholders, and validate realm configuration files before applying them.
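The audit and pre-apply validation recommended above can be scripted. The following is an added example written for this page; it is not code from the advisory or from the Keycloak project. It assumes the input is the JSON that `kubectl get keycloakrealmimports -A -o json` prints (a `List` whose `items` carry `spec.realm`), and it assumes the placeholder grammar seen in the sample above, `${NAME}` and `${NAME:-default}`. A constructed sample resource list is embedded so the script runs offline; the resource names and the `INJECTED_HOST` variable in it are made up for illustration.

```python
"""Audit KeycloakRealmImport resources for ${...} placeholders (added example)."""
import json
import re
import sys
from typing import Iterator, List, Optional, Tuple

# Matches ${NAME} and ${NAME:-default}. The default form is the one the
# advisory's sample uses (${JAVA_OPTS:-Injected}). Grammar is assumed, not
# taken from Keycloak's source.
PLACEHOLDER_RE = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)(?::-([^}]*))?\}")

# Constructed sample in the shape of `kubectl get keycloakrealmimports -A -o json`.
SAMPLE_KUBECTL_JSON = json.dumps({
    "apiVersion": "v1", "kind": "List",
    "items": [
        {"apiVersion": "k8s.keycloak.org/v2alpha1", "kind": "KeycloakRealmImport",
         "metadata": {"name": "malicious-realm", "namespace": "keycloak"},
         "spec": {"realm": {
             "realm": "demo",
             "displayName": "${JAVA_OPTS:-Injected}",
             "clients": [{"clientId": "app",
                          "redirectUris": ["https://${INJECTED_HOST}.example.invalid/*"]}]}}},
        {"apiVersion": "k8s.keycloak.org/v2alpha1", "kind": "KeycloakRealmImport",
         "metadata": {"name": "clean-realm", "namespace": "keycloak"},
         "spec": {"realm": {"realm": "prod", "displayName": "Production", "enabled": True}}},
    ],
})


def iter_placeholders(node, path: str = "spec.realm") -> Iterator[Tuple[str, str, Optional[str]]]:
    """Walk a realm document and yield (json_path, variable_name, default) for
    every placeholder found in any string value, however deeply nested."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from iter_placeholders(value, f"{path}.{key}")
    elif isinstance(node, list):
        for idx, value in enumerate(node):
            yield from iter_placeholders(value, f"{path}[{idx}]")
    elif isinstance(node, str):
        for match in PLACEHOLDER_RE.finditer(node):
            yield (path, match.group(1), match.group(2))


def audit_imports(kube_list: dict) -> List[dict]:
    """Audit every KeycloakRealmImport in a kubectl List and report each placeholder
    with the resource it lives in and the field path that would be rewritten."""
    findings = []
    for item in kube_list.get("items", []):
        if item.get("kind") != "KeycloakRealmImport":
            continue
        meta = item.get("metadata", {})
        realm = item.get("spec", {}).get("realm", {})
        for path, variable, default in iter_placeholders(realm):
            findings.append({
                "namespace": meta.get("namespace"),
                "name": meta.get("name"),
                "path": path,
                "variable": variable,
                "default": default,
            })
    return findings


def is_safe_to_apply(manifest: dict) -> bool:
    """Pre-apply gate: a single realm import manifest is accepted only if its
    realm document contains no placeholder at all."""
    realm = manifest.get("spec", {}).get("realm", {})
    return not any(iter_placeholders(realm))


if __name__ == "__main__":
    # Usage: kubectl get keycloakrealmimports -A -o json | python3 audit_realm_imports.py
    # Without piped input the embedded constructed sample is audited instead.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_KUBECTL_JSON
    for finding in audit_imports(json.loads(raw)):
        print(f"{finding['namespace']}/{finding['name']}: {finding['path']} "
              f"references ${{{finding['variable']}}} (default={finding['default']!r})")
```

Run against the sample, the script reports two placeholders in `malicious-realm` (the `displayName` one with default `Injected`, and the one buried in a client redirect URI) and nothing for `clean-realm`; `is_safe_to_apply` can be wired into a CI check or admission step so that a realm document is rejected before the operator ever resolves it.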

Impact:

Complete compromise of the Keycloak authentication service, enabling privilege escalation, unauthorized access to protected applications, and modification of user identities and federation settings.


Sources:

Reported By: github.com