Advisory ID: SYSS-2024-080
Product: ForgeRock Access Management
Manufacturer: ForgeRock / Ping Identity
Affected Version(s): 7.5.0, 7.4.1, 7.3.1, 7.2.2, 7.1.4, 7.0.2 (and older unsupported versions)
Tested Version(s): 7.3.0
Vulnerability Type: Open Redirect (CWE-601)
Risk Level: Medium
Solution Status: Fixed
Manufacturer Notification: 2024-09-16
Solution Date: 2024-10-29
Public Disclosure: 2024-11-08
CVE Reference: CVE-2024-25566
Author of Advisory: Sebastian Schuberth, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

ForgeRock Access Management (AM) is an access management solution that provides various methods of authentication and authorization for integration into web applications. This includes single sign-on (SSO), OAuth 2.0 and OpenID Connect.

The manufacturer describes the product as follows (see [1]):

"AM provides a service called access management, which manages access to resources, such as a web page, an application, or a web service, that are available over the network. Once it is set up, AM provides an infrastructure for managing users, roles, and access to resources."

Due to missing validation checks of the provided redirect URL, the software is affected by an open redirect vulnerability.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

ForgeRock AM provides an allowlisting mechanism for allowed redirection URLs. URLs that are not explicitly allowed are rejected.

In the "authorize" endpoint, however, the presence of the query parameters "response_type=none" and "id_token_hint" skips the validation of the redirect URL provided in the "redirect_uri" parameter. As a prerequisite, the response type "none" must not be supported by the client.
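The following Python snippet is an added example and is not part of the advisory or of ForgeRock AM. It shows the check the product should have applied (an exact-match allowlist evaluated on every authorize request, regardless of response_type or id_token_hint) and runs a detection for the described parameter combination over constructed access log lines; the host am.example.com, the allowlist entries and the log format are assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed allowlist of registered redirect URIs for one OAuth 2.0 client
# (hypothetical values, not taken from the advisory).
ALLOWED_REDIRECT_URIS = {
    "https://app.example.com/callback",
    "https://app.example.com/silent-callback",
}

def redirect_uri_allowed(redirect_uri: str, allowlist: set[str]) -> bool:
    """Exact-match check against the client's registered redirect URIs.

    Deliberately independent of every other parameter: the advisory's flaw
    was that response_type=none plus id_token_hint skipped this check.
    """
    return redirect_uri in allowlist

def check_authorize_request(url: str, allowlist: set[str]) -> dict:
    """Classify one authorize request URL as seen in an access log."""
    q = parse_qs(urlsplit(url).query, keep_blank_values=True)  # keep "id_token_hint="
    redirect_uri = q.get("redirect_uri", [""])[0]
    bypass_pattern = q.get("response_type", [""])[0] == "none" and "id_token_hint" in q
    allowed = redirect_uri_allowed(redirect_uri, allowlist)
    return {
        "redirect_uri": redirect_uri,
        "allowed": allowed,
        "bypass_pattern": bypass_pattern,
        # the parameter combination from the advisory pointing outside the allowlist
        "suspicious": bypass_pattern and not allowed,
    }

def find_suspicious(log_lines: list[str], allowlist: set[str]) -> list[str]:
    """Return authorize URLs whose bypass pattern targets a non-allowlisted URI."""
    hits = []
    for line in log_lines:
        # constructed log format: "<client-ip> <method> <url> <status>"
        _ip, _method, url, _status = line.split(" ", 3)
        if urlsplit(url).path.endswith("/authorize"):
            if check_authorize_request(url, allowlist)["suspicious"]:
                hits.append(url)
    return hits

# Constructed sample log lines (not from the advisory); the second line mirrors
# the shape of the advisory's PoC with a redirect to https://example.org.
SAMPLE_LOG = [
    "203.0.113.5 GET https://am.example.com/oauth2/realms/root/authorize?redirect_uri=https://app.example.com/callback&response_type=code&client_id=app 302",
    "203.0.113.7 GET https://am.example.com/oauth2/realms/root/authorize?redirect_uri=https://example.org&response_type=none&id_token_hint= 302",
    "203.0.113.9 GET https://am.example.com/oauth2/realms/root/authorize?redirect_uri=https://app.example.com/callback&response_type=none&id_token_hint= 302",
]
```

Running find_suspicious(SAMPLE_LOG, ALLOWED_REDIRECT_URIS) flags only the second request; the third carries the same parameter combination but its redirect_uri is registered, which is why the allowlist check must be the deciding factor rather than the presence of response_type=none.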
Exploiting the vulnerability leads to redirections to arbitrary websites before the actual login, which allows for phishing of user credentials and other attack vectors that require a user to visit a manipulated site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The following link results in a redirect to the domain https://example.org:

https:///oauth2/realms/root/authorize?redirect_uri=https://example.org&response_type=none&id_token_hint=

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Install the patch provided by the vendor [3].

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-09-11: Vulnerability discovered
2024-09-16: Vulnerability reported to vendor
2024-09-23: Vulnerability confirmed by vendor
2024-10-29: Patches released by vendor
2024-11-08: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for ForgeRock Access Management
    https://backstage.forgerock.com/docs/am/7.5/eval-guide/about-am.html
[2] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy
[3] ForgeRock AM Security Advisory #202403
    https://backstage.forgerock.com/knowledge/advisories/article/a63463303

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Sebastian Schuberth of SySS GmbH.

E-Mail: sebastian.schuberth@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Sebastian_Schuberth.asc
Key Fingerprint: D7FA E7C7 E3D1 3744 F2EA 3930 25F1 EC3C D2CE A9E1

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible.
The latest version of this security advisory is available on the SySS Web site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: https://creativecommons.org/licenses/by/3.0/deed.en