Security Advisory

Keycloak Device Grant Spoofing

An adversary can spoof parts of the device grant flow and might retrieve access tokens for other OAuth clients.

Advisory ID: MLSA-2023-003
CVE: CVE-2023-2585
CVSS: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N
Severity: low
Affected versions: < 21.1.2
Fixed versions: 21.1.2
Discovered by: Timo Müller

Product description

Keycloak is an open source software product to allow single sign-on with identity and access management aimed at modern applications and services.

Details

Affected Keycloak instances do not properly verify the holder of a device code. This might allow an attacker to retrieve access tokens for other clients.

The device authorisation grant provides an OAuth flow which can be used even if the device has no available browser (e.g. an embedded device).

This grant requires three steps:

  1. The client requests a device_code and corresponding user_code for an OAuth client_id. The user_code is presented to a victim.
  2. The user gives consent to the OAuth client by logging into Keycloak and validating the user_code.
  3. The client uses the device_code to retrieve an access token for the client_id on behalf of the user.

CVE-2023-2585 describes an issue where, in step 1, the device_code and client_id are not linked to each other. Because of this missing link, a malicious actor can use a device_code to request access tokens for other OAuth clients. Depending on the available clients, this might grant an attacker an access token for administrative clients on behalf of the user.

Note that a malicious actor can only request access tokens for clients that have the device authorization grant enabled. By default, this setting is not enabled for new Keycloak OAuth clients.
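The missing binding between device_code and client_id, and the check that closes it, in a constructed in-memory model of the three steps above (added illustration for this advisory, not Keycloak's code; the class and method names, the bind_client switch and the token format are assumptions):

```python
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed model of the device authorization grant; not Keycloak's implementation.
@dataclass
class DeviceAuth:
    client_id: str            # client that requested this device_code (step 1)
    user_code: str
    approved_by: Optional[str] = None  # set when the user consents (step 2)

class DeviceGrantServer:
    def __init__(self, clients_with_device_grant):
        # Only clients with the device grant enabled may use the flow.
        self.enabled = set(clients_with_device_grant)
        self.pending = {}  # device_code -> DeviceAuth

    # Step 1: the client requests a device_code and user_code for its client_id.
    def device_authorization(self, client_id):
        if client_id not in self.enabled:
            raise PermissionError("device grant not enabled for client")
        device_code = secrets.token_urlsafe(32)
        user_code = secrets.token_hex(4).upper()
        self.pending[device_code] = DeviceAuth(client_id, user_code)
        return device_code, user_code

    # Step 2: the user logs in and validates the user_code.
    def approve(self, user_code, username):
        for auth in self.pending.values():
            if auth.user_code == user_code:
                auth.approved_by = username
                return True
        return False

    # Step 3: token exchange. bind_client=False mirrors the behaviour the advisory
    # describes (device_code accepted for any client); True is the fixed behaviour.
    def token(self, device_code, client_id, bind_client=True):
        auth = self.pending.get(device_code)
        if auth is None or auth.approved_by is None:
            raise PermissionError("unknown or unapproved device_code")
        if client_id not in self.enabled:
            raise PermissionError("device grant not enabled for client")
        if bind_client and auth.client_id != client_id:
            raise PermissionError("device_code was not issued to this client_id")
        del self.pending[device_code]  # a device_code is single use
        return {"client_id": client_id, "sub": auth.approved_by}
```

With bind_client=True a device_code issued to one client yields no token for another, which is the property the fixed release restores.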

Workarounds

  • Disable the Keycloak Device Grant flow for all OAuth clients.

Indicators of Compromise

  • Within the Keycloak AdminUI, check if users have suspicious entries within the User details Consents tab.

Coordinated Disclosure Timeline

  • 12/04/2023 Initial contact with Keycloak security team.
  • 17/04/2023 Acknowledgement of the initial email. Further investigation of the issue is started.
  • 18/04/2023 Internal vulnerability assessment is completed.
  • 26/06/2023 Fix of this vulnerability is committed to the Keycloak repository.
  • 28/06/2023 Release with fix is published.