With 35.6 million downloads the OAuth 2.0 protocol provider has serious downstream attack surface
OpenID Connect (OIDC) identity service Dex has patched a critical vulnerability that would allow an attacker to fetch an ID token through an intercepted authorization code and potentially gain unauthorised access to client applications.
Dex uses OIDC , a simple identity layer on top of the OAuth 2.0 protocol, to power authentication for other apps. It acts as a portal to other identity providers through ‘connectors’, allowing it to defer authentication to LDAP servers, SAML providers, or identity providers such as GitHub, Google, and Active Directory.
Dex, an open source sandbox project from the Cloud Native Computing Foundation, has been downloaded 35.6 million times.
Consent problem
Security researchers discovered that an attacker who can dupe a victim into navigating to a malicious website can steal the OAuth authorization code, exchange it for a token, and then gain access to applications that accept that token. The exploit can be used multiple times, allowing the attacker to get a new token every time the old one expires.
“The cause of the bug is the implementation of the consent page,” Dex maintainer Maksim Nabokikh tells The Daily Swig.
“This page is supposed to protect users from sharing too much profile data with the application. Instead, it created a hole in Dex. If fraudsters can access this page before a user, they can steal not only all the user’s data but also impersonate it.”
Reproduction steps
When the victim navigates to the malicious website, Dex returns a 302 Redirect to the connector IDP, according to a GitHub security advisory. The exploit then involves recording the state parameter value g3dkmpontsr3ugocoddjx72ef, which later becomes the request ID.
The website subsequently redirects the victim’s browser to the connector IDP, to which the user authenticates. And if the user has authenticated before, authentication may be carried out without a challenge, with the connector IDP redirecting the browser to the Dex callback with a code.
Read more of the latest authentication security news
Dex then fetches the user claims from the connector IDP, persisting them and generating an OAuth code, before redirecting the browser to the approval endpoint. The reproduction steps conclude with Dex using the request ID to look up the OAuth code, and building a redirect to the original callback .
The flaw, which has a CVSS rating of 9.3, affects versions 2.34.0 and earlier, with users advised to update to version 2.35.0. Those using Google connector should upgrade to 2.35.1 instead.
The patch was created by Sigstore developers Hayden Blauzvern, Bob Callaway, and ‘joernchen’, the original reporter of the bug.
The fix involved introducing a hash-based message authentication (HMAC) code, which uses a randomly generated per-request secret that can’t be known to an attacker and is persisted between the initial login request and the approval request.
DON’T FORGET TO READ Matrix address flaws that break message encryption assurances