The renowned OpenID Connect (OIDC) identity service, Dex has detected and patched a critical vulnerability. The bug allows a threat actor access to the victim's ID tokens via intercepted authorization code, potentially accessing clients’ applications without authorization. The vulnerability was patched by Sigstore developers Hayden Blauzvern, Bob Callaway, and ‘joernchen', who initially reported the bug.
The open-source sandbox project of Cloud Native Computing Foundation, Dex utilizes an identification layer on top of OAuth 2.0, providing authentication to other applications.
Dex acts as a portal to other identity providers through certain ‘connectors’, ranging from authentication to LDAP servers, SAML providers, or identity providers like GitHub, Google, and Active Directory. As a result, Dex claims 35.6 million downloads to date.
As stated in the Developer's notification, the bug affects “Dex instances with the public clients (and by extension, clients accepting tokens issued by those Dex instances.”
As per the discovery made by security researchers, the threat actor can steal an OAuth authentication code by luring the victim to enter a malicious website and further, leading him into the OIDC flow. Thence the victim is tricked into exchanging the authorization code for a token, which allows access to applications that accept the token. As the exploit can be used multiple times, the threat actor can get a new token every time the old one expires.
The bug thus comes into existence because the authentication process instigates a persistent “connector state parameter" as the request ID to look up the OAuth code.
“Once the user has successfully authenticated, if the webserver is able to call /approval before the victim’s browser calls /approval, then an attacker can fetch the Dex OAuth code which can be exchanged for an ID token using the /token endpoint,” the advisory stated.
The users are advised to update to version 2.35.0, as the vulnerability, having the CVSS rating of 9.3, affects versions 2.34.0 and older.
The bug was fixed by introducing a hash-based message authentication (HMAC) code, that utilizes a randomly generated per-request secret, oblivious to the threat actor, and is persisted between the initial login and the approval request, making the server request unpredictable.
