CVE-2024-8698: Keycloak Vulnerability Puts SAML Authentication at Risk
In a concerning development for organizations relying on Keycloak for secure identity and access management, a high-severity vulnerability has been discovered in its SAML signature validation process. Tracked as CVE-2024-8698, this flaw could allow malicious actors to bypass authentication mechanisms, leading to potential privilege escalation and user impersonation attacks.
The vulnerability resides within Keycloak’s XMLSignatureUtil class, responsible for verifying SAML signatures. The class incorrectly determines whether a signature applies to the entire SAML document or specific assertions based solely on the signature’s position within the XML structure. This oversight disregards the crucial “Reference” element, which explicitly identifies the signed portion of the document.
Exploiting this flaw, an attacker can craft malicious SAML responses that include both a valid, signed assertion and an unsigned one. By strategically placing the unsigned assertion, they can trick Keycloak’s faulty validation logic into accepting the entire response, even though a critical part remains unverified.
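To make the scope question concrete, here is an added illustration (not Keycloak's code) of the check a correct validator performs: it decides which elements a signature covers from the `ds:Reference` URI rather than from where the `ds:Signature` element sits, then reports any assertion no signature covers. It only resolves scope and assumes cryptographic verification of each referenced element happens separately; the SAML responses below are constructed samples.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def signed_ids(root):
    """IDs named by every ds:Reference URI of the form '#id' in the tree.
    Scope comes from the Reference, never from the Signature's position."""
    ids = set()
    for ref in root.iter(f"{{{NS['ds']}}}Reference"):
        uri = ref.get("URI", "")
        if uri.startswith("#"):
            ids.add(uri[1:])
    return ids

def uncovered_assertions(xml_text):
    """IDs of saml:Assertion elements that no signature covers.
    A Reference to the Response ID means the whole document (and every
    assertion in it) is covered; otherwise each assertion needs its own."""
    root = ET.fromstring(xml_text)
    covered = signed_ids(root)
    if root.get("ID") is not None and root.get("ID") in covered:
        return []
    return [a.get("ID") for a in root.iter(f"{{{NS['saml']}}}Assertion")
            if a.get("ID") not in covered]

# Constructed sample: the signature inside _a1 references only _a1,
# so the second assertion is unsigned and must be rejected.
SAMPLE_ASSERTION_SIGNED = f"""<samlp:Response xmlns:samlp="{NS['samlp']}"
  xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}" ID="_resp1">
  <saml:Assertion ID="_a1">
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo></ds:Signature>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  </saml:Assertion>
  <saml:Assertion ID="_a2">
    <saml:Subject><saml:NameID>bob</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample: one signature references the Response itself,
# so both assertions are within the signed scope.
SAMPLE_RESPONSE_SIGNED = f"""<samlp:Response xmlns:samlp="{NS['samlp']}"
  xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}" ID="_resp2">
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_resp2"/></ds:SignedInfo></ds:Signature>
  <saml:Assertion ID="_b1"/>
  <saml:Assertion ID="_b2"/>
</samlp:Response>"""
```

A validator built this way rejects the first sample because `_a2` lies outside every referenced scope, which is exactly the case a position-only check would let through.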
The implications of this vulnerability are severe. In the context of an identity provider (IdP), a successful exploit could allow an attacker to gain unauthorized access to a high-privileged account, effectively compromising the entire system. Similarly, within a service provider (SP), an attacker could impersonate a legitimate user, gaining access to resources they are not authorized to use.
Keycloak versions up to and including 25.0.5 are susceptible to this vulnerability. The issue has been addressed in version 25.0.6. It is strongly recommended that all Keycloak deployments be updated to this or a later version immediately.