Executive Summary

This vulnerability is a session fixation flaw found in Keycloak's login-actions endpoints. An attacker who is not authenticated can create an authentication session in advance and then trick a victim into clicking a specially crafted link. The vulnerability exists because the /login-actions/restart endpoint processes session handles without proper CSRF protection or verifying cookie ownership. This allows the attacker to reset the authentication flow state, causing Single Sign-On (SSO) to authenticate the victim silently when they click the link. As a result, the attacker can hijack the required-action form without needing the victim's credentials.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows an attacker to completely take over user accounts, including highly privileged administrative accounts, without needing the victim's credentials.

Such unauthorized access and account takeover can lead to breaches of sensitive personal data and administrative controls, which may violate data protection regulations like GDPR and HIPAA that require strict access controls and protection of personal information.

Therefore, exploitation of this vulnerability could result in non-compliance with these common standards and regulations due to potential unauthorized data access and compromise of system integrity.

Useful 0 Not Useful 0

Detection Guidance

Detection of this vulnerability involves monitoring for suspicious requests to the /login-actions/restart endpoint, especially those lacking CSRF tokens or originating from unauthenticated sources.

Network administrators can inspect HTTP logs or use tools like curl or wget to test the endpoint behavior by sending crafted requests without valid session cookies or CSRF tokens to see if the authentication flow state can be reset.

• Example command to test the endpoint: curl -v -X POST 'https://<keycloak-server>/login-actions/restart' -d 'session=<session_handle>' without valid CSRF token or cookie.
• Monitor web server logs for unusual POST requests to /login-actions/restart that do not include CSRF tokens or originate from unexpected IP addresses.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include applying any available patches or updates from the Keycloak maintainers that address this session fixation vulnerability.

If patches are not immediately available, restrict access to the /login-actions/restart endpoint by implementing additional CSRF protections and validating cookie ownership to prevent unauthorized session resets.

Additionally, monitor and audit authentication flows for suspicious activity and consider temporarily disabling or restricting Single Sign-On (SSO) features until the vulnerability is resolved.

Useful 0 Not Useful 0

Impact Analysis

The impact of this vulnerability can be severe. A successful exploit can lead to complete account takeover, including highly privileged administrative accounts such as the master-realm admin. This means an attacker could gain full control over the affected Keycloak deployment, potentially compromising all user accounts and sensitive data managed by the system.

Useful 0 Not Useful 0