Skip to content

OIDC Authenticator Vulnerability in Conjur Open Source

Critical
ismarc published GHSA-6xj8-59gr-4jp3 Jul 28, 2021

Package

Conjur OSS

Affected versions

1.9.0 to 1.12.0

Patched versions

1.13.0

Description

Executive Summary

A recently identified vulnerability in the OIDC Authenticator component of Conjur has the potential to enable a user to authenticate successfully without having an ID token.

Affected Software

The OIDC Authenticator component of Conjur Open Source (1.9.0 through 1.12.0 (inclusive)).

Detailed Explanation

When a user sends a manipulated OIDC authentication request, it can lead to a potential bypass. If the following conditions are met, the manipulated request will successfully authenticate:

• OIDC Authenticator is enabled
• The user is permitted to authenticate with the OIDC webservice

Recommendations

CyberArk highly recommends that all users using the OIDC Authenticator in the affected versions:

• Upgrade to version 1.13.0
• Until then, disable the OIDC Authenticator component.
• If you have sufficient logs, determine if you have been compromised by following the steps detailed in the FAQ.

CyberArk also highly recommends that all users using the affected versions of Conjur upgrade to version 1.13.0, in case they use the OIDC Authenticator in the future.

Frequently Asked Questions (FAQ)

  • I am using the affected version but did not enable the OIDC Authenticator. Is my organization at risk?

No. This vulnerability only puts at risk those users who enabled the OIDC Authenticator. However, it is recommended that you upgrade to version 1.13.0 in case you use the OIDC Authenticator in the future.

  • How can I tell if my organization has been compromised?

The following steps enable you to identify if your organization has been compromised during the period for which you have available logs:

  1. Run the docker logs <conjur_dns> | grep "Started POST \"/authn-oidc\|Completed" command,
  2. Review each entry that contains 'Started POST "/authn-oidc'.
    1. If there is a user ID before '/authenticate', check the "Completed" message that follows. If the message is "Completed 200", your organization may have been compromised.
    2. If there is no user ID before '/authenticate', or if the "Completed" message does not contain "Completed 200", your organization has not been compromised by this vulnerability.
  • Is there a public exploit for this vulnerability?

No. This vulnerability was discovered internally by CyberArk. CyberArk has not received any information that indicates that this vulnerability has been publicly exploited.

For more information

If you have any questions or comments about this advisory, please email us at security@conjur.org.

Severity

Critical

CVE ID

No known CVE

Weaknesses