Executive Summary

[{'type': 'paragraph', 'content': "This vulnerability exists in Keycloak's handling of SAML broker endpoints. Keycloak fails to properly validate encrypted SAML assertions when the overall SAML response is not signed. Specifically, while it ensures that plaintext assertions are signed, it does not enforce the same for encrypted assertions."}, {'type': 'paragraph', 'content': 'An attacker who has a valid signed SAML assertion for themselves can craft a malicious SAML response containing two assertions: an encrypted assertion for an arbitrary principal placed first, and a valid signed assertion for the attacker placed second. Keycloak processes the first encrypted assertion without verifying its signature, allowing the attacker to impersonate another user and gain unauthorized access.'}] [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to unauthorized access to systems protected by Keycloak. An attacker can impersonate arbitrary users by injecting encrypted assertions that are not properly validated, potentially gaining access to sensitive information or performing actions on behalf of other users.

Additionally, this flaw can result in information disclosure and compromise the integrity and confidentiality of user sessions and data.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

Detection of this vulnerability involves monitoring SAML responses processed by Keycloak, specifically looking for unsigned SAML responses that contain encrypted assertions placed before valid signed assertions.

You can analyze SAML traffic to identify responses where the overall SAML response is unsigned but contains multiple assertions, with the first assertion being an encrypted assertion.

Commands or tools to assist in detection might include:

• Using network capture tools like tcpdump or Wireshark to capture SAML traffic on the network.
• Extracting and inspecting SAML responses with XML parsing tools or scripts to check the signature status of the response and the order and signature status of assertions.
• Example command to capture traffic on port 8080 (default Keycloak port): `tcpdump -i any port 8080 -w saml_traffic.pcap`
• Use XML parsing tools or custom scripts to analyze the captured SAML responses for unsigned responses containing encrypted assertions placed first.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include updating Keycloak to a version where this vulnerability is fixed, as the issue arises from improper validation of encrypted assertions.

Until an update is applied, consider the following:

• Enforce strict validation policies on SAML responses, ensuring that the entire SAML response is signed, not just individual assertions.
• Restrict or monitor SAML broker endpoint access to trusted sources only.
• Review and audit SAML assertions and responses for anomalies such as unsigned responses containing encrypted assertions.
• Apply network-level controls to detect and block suspicious SAML traffic patterns.

Useful 0 Not Useful 0