The dexidp maintainer sagikazarmark has warned of a security flaw affecting Dex that could allow an attacker to fetch an ID token through an intercepted authorization code and potentially gain unauthorized access to client applications.
Dex is an identity service that uses OpenID Connect to drive authentication for other apps. Dex acts as a portal to other identity providers through “connectors.” This lets Dex defer authentication to LDAP servers, SAML providers, or established identity providers like GitHub, Google, and Active Directory. Clients write their authentication logic once to talk to Dex, then Dex handles the protocols for a given backend.
Tracked as CVE-2022-39222 (CVSS score: 9.3), the critical flaw is an authentication bypass vulnerability that may permit an unauthenticated adversary to steal the OAuth authorization code by tricking a victim into navigating to a malicious website and guiding them through the OIDC flow.
“Once the user has successfully authenticated, if the webserver is able to call /approval before the victim’s browser calls /approval, then an attacker can fetch the Dex OAuth code which can be exchanged for an ID token using the /token endpoint,” the advisory explained.
Steps to reproduce
- A victim navigates to a malicious website.
- The webserver initiates a connection with a Dex instance directly – https://dexexample.com/auth/https:%252F%252Faccounts.google.com?access_type=online&client_id=example&nonce=2AaJAimQU9CbeOFsNra1d7CJTWB&redirect_uri=http%3A%2F%2Flocalhost%3A40393%2Fauth%2Fcallback&response_type=code&scope=openid+email&state=2AaJAjhpUmsB25csCo5muvorMTl. In this example, the Dex instance is hosted on dexexample.com, and the connector is accounts.google.com.
- Dex returns a 302 Redirect to the connector IDP, https://accounts.google.com/o/oauth2/v2/auth?client_id=237800849078-hri2ndt7gdafpf34kq8crd5sik9pe3so.apps.googleusercontent.com&redirect_uri=https%3A%2F%2Fdexexample.com%2Fauth%2Fcallback&response_type=code&scope=openid+email&state=g3dkmpontsr3ugocoddjx72ef. The attacker records the state parameter value g3dkmpontsr3ugocoddjx72ef which will be used as the request ID later on.
- The malicious website redirects the victim’s browser to the connector IDP.
- The user authenticates to the connector IDP. If they have authenticated before, they may not be presented with an authentication challenge. The user will silently be taken through the following steps:
  - Authentication with the connector IDP, which redirects the browser to the Dex callback with a code – https://dexexample.com/callback?state=g3dkmpontsr3ugocoddjx72ef&code=4%2F0AX4XfWizg1PQEQNl18hmP0_YQ3iUYII2ed13n9ikKr_ZcV7uCZpZaPcIlxBzX5QwFIcs-w&scope=email+openid+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email&authuser=0&hd=google.com&prompt=none
  - Dex handles the callback, fetching the user claims from the connector IDP, persisting them, and generating an OAuth code. Then Dex redirects the browser to the approval endpoint https://dexexample.com/approval?req=g3dkmpontsr3ugocoddjx72ef. Note that the req parameter is the same as the attacker’s recorded state parameter.
  - Dex uses the request ID to look up the OAuth code and builds a redirect to the original callback with the code – http://localhost:40393/auth/callback?code=bz5p3oov2wlh5k3rboa4atxas&state=2AaJAjhpUmsB25csCo5muvorMTl.
CVE-2022-39222 impacts versions 2.34.0 and earlier and has been addressed in Dex version 2.35.0, released this week. It is strongly recommended that all users with vulnerable versions perform an immediate upgrade.
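
The race in the steps above is possible because the req value accepted by /approval is the same state value that whoever initiated the flow has already seen. As an added example (not Dex's code and not taken from the advisory), the Go program below binds the approval step to a per-request HMAC that is delivered only in the redirect issued after /callback; the authRequest type, its methods and the hmac parameter name are hypothetical.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/url"
)

// authRequest is a hypothetical server-side record of one pending login.
type authRequest struct {
	id  string // also sent to the connector IDP as "state", so the flow's initiator knows it
	key []byte // random per-request key that never leaves the server
}

func newAuthRequest(id string) *authRequest {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	return &authRequest{id: id, key: key}
}

func (r *authRequest) mac() []byte {
	m := hmac.New(sha256.New, r.key)
	m.Write([]byte(r.id))
	return m.Sum(nil)
}

// approvalQuery is the /approval redirect query that /callback returns to the logged-in browser only.
func (r *authRequest) approvalQuery() string {
	return url.Values{"req": {r.id}, "hmac": {hex.EncodeToString(r.mac())}}.Encode()
}

// approve models the /approval handler: a matching request ID without a valid MAC is rejected.
func (r *authRequest) approve(rawQuery string) bool {
	q, err := url.ParseQuery(rawQuery)
	if err != nil || q.Get("req") != r.id {
		return false
	}
	got, err := hex.DecodeString(q.Get("hmac"))
	return err == nil && hmac.Equal(got, r.mac())
}

func main() {
	r := newAuthRequest("g3dkmpontsr3ugocoddjx72ef") // request ID value from the steps above
	fmt.Println("ID only:", r.approve("req="+r.id), "| callback redirect:", r.approve(r.approvalQuery()))
}
```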