csaf_certbund - wid-sec-w-2024-3725

WID-SEC-W-2024-3725

Vulnerability from csaf_certbund - Published: 2024-12-18 23:00 - Updated: 2024-12-18 23:00

Summary

Apache Kafka: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

Apache Kafka ist eine verteilte Streaming-Plattform mit einer Publish-Subcribe-Architektur (Pub-Sub).

Angriff

Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Apache Kafka ausnutzen, um Sicherheitsvorkehrungen zu umgehen.

Betroffene Betriebssysteme

- Sonstiges

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Apache Kafka ist eine verteilte Streaming-Plattform mit einer Publish-Subcribe-Architektur (Pub-Sub).",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Apache Kafka ausnutzen, um Sicherheitsvorkehrungen zu umgehen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Sonstiges",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2024-3725 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-3725.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2024-3725 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-3725"
      },
      {
        "category": "external",
        "summary": "Red Hat Bugtracker #2333013 vom 2024-12-18",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2333013"
      },
      {
        "category": "external",
        "summary": "GitHub Advisory Database vom 2024-12-18",
        "url": "https://github.com/advisories/GHSA-p7c9-8xx8-h74f"
      }
    ],
    "source_lang": "en-US",
    "title": "Apache Kafka: Schwachstelle erm\u00f6glicht Umgehen von Sicherheitsvorkehrungen",
    "tracking": {
      "current_release_date": "2024-12-18T23:00:00.000+00:00",
      "generator": {
        "date": "2024-12-19T09:12:23.978+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.10"
        }
      },
      "id": "WID-SEC-W-2024-3725",
      "initial_release_date": "2024-12-18T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2024-12-18T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c3.7.2",
                "product": {
                  "name": "Apache Kafka \u003c3.7.2",
                  "product_id": "T039930"
                }
              },
              {
                "category": "product_version",
                "name": "3.7.2",
                "product": {
                  "name": "Apache Kafka 3.7.2",
                  "product_id": "T039930-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:apache:kafka:3.7.2"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c3.8.1",
                "product": {
                  "name": "Apache Kafka \u003c3.8.1",
                  "product_id": "T039931"
                }
              },
              {
                "category": "product_version",
                "name": "3.8.1",
                "product": {
                  "name": "Apache Kafka 3.8.1",
                  "product_id": "T039931-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:apache:kafka:3.8.1"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Kafka"
          }
        ],
        "category": "vendor",
        "name": "Apache"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-56128",
      "notes": [
        {
          "category": "description",
          "text": "Es besteht eine Schwachstelle in Apache Kafka. Diese Schwachstelle betrifft die Implementierung des Salted Challenge Response Authentication Mechanism (SCRAM) aufgrund einer unsachgem\u00e4\u00dfen Eingabevalidierung. Ein entfernter, anonymer Angreifer kann diese Schwachstelle ausnutzen, um die Authentifizierung zu umgehen. Die Ausnutzung dieser Schwachstelle erfordert eine SCRAM-Authentifizierung \u00fcber Klartextkommunikation und den Zugriff des Angreifers auf den abgefangenen Authentifizierungsaustausch."
        }
      ],
      "product_status": {
        "known_affected": [
          "T039931",
          "T039930"
        ]
      },
      "release_date": "2024-12-18T23:00:00.000+00:00",
      "title": "CVE-2024-56128"
    }
  ]
}

CVE-2024-56128 (GCVE-0-2024-56128)

Vulnerability from cvelistv5 – Published: 2024-12-18 13:38 – Updated: 2024-12-18 17:02

Summary

Incorrect Implementation of Authentication Algorithm in Apache Kafka's SCRAM implementation. Issue Summary: Apache Kafka's implementation of the Salted Challenge Response Authentication Mechanism (SCRAM) did not fully adhere to the requirements of RFC 5802 [1]. Specifically, as per RFC 5802, the server must verify that the nonce sent by the client in the second message matches the nonce sent by the server in its first message. However, Kafka's SCRAM implementation did not perform this validation. Impact: This vulnerability is exploitable only when an attacker has plaintext access to the SCRAM authentication exchange. However, the usage of SCRAM over plaintext is strongly discouraged as it is considered an insecure practice [2]. Apache Kafka recommends deploying SCRAM exclusively with TLS encryption to protect SCRAM exchanges from interception [3]. Deployments using SCRAM with TLS are not affected by this issue. How to Detect If You Are Impacted: If your deployment uses SCRAM authentication over plaintext communication channels (without TLS encryption), you are likely impacted. To check if TLS is enabled, review your server.properties configuration file for listeners property. If you have SASL_PLAINTEXT in the listeners, then you are likely impacted. Fix Details: The issue has been addressed by introducing nonce verification in the final message of the SCRAM authentication exchange to ensure compliance with RFC 5802. Affected Versions: Apache Kafka versions 0.10.2.0 through 3.9.0, excluding the fixed versions below. Fixed Versions: 3.9.0 3.8.1 3.7.2 Users are advised to upgrade to 3.7.2 or later to mitigate this issue. Recommendations for Mitigation: Users unable to upgrade to the fixed versions can mitigate the issue by: - Using TLS with SCRAM Authentication: Always deploy SCRAM over TLS to encrypt authentication exchanges and protect against interception. - Considering Alternative Authentication Mechanisms: Evaluate alternative authentication mechanisms, such as PLAIN, Kerberos or OAuth with TLS, which provide additional layers of security.

Severity ?

No CVSS data available.

CWE

CWE-303 - Incorrect Implementation of Authentication Algorithm

Assigner

apache

References

URL

Tags

	https://datatracker.ietf.org/doc/html/rfc5802	related
	https://datatracker.ietf.org/doc/html/rfc5802#section-9	related
	https://kafka.apache.org/documentation/#security_…
	https://lists.apache.org/thread/84dh4so32lwn7wr6c…	vendor-advisory

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache Kafka	Affected: 0.10.2.0 , < 3.7.2 (semver) Affected: 3.8.0 (semver)

Credits

Tim Fox (timvolpe@gmail.com) Vikas Singh <vikas@confluent.io>

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 5.3,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-56128",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-12-18T16:15:35.208336Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-12-18T16:19:50.073Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-12-18T17:02:47.926Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2024/12/18/3"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache Kafka",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "3.7.2",
              "status": "affected",
              "version": "0.10.2.0",
              "versionType": "semver"
            },
            {
              "status": "affected",
              "version": "3.8.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Tim Fox (timvolpe@gmail.com)"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Vikas Singh \u003cvikas@confluent.io\u003e"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eIncorrect Implementation of Authentication Algorithm in Apache Kafka\u0027s SCRAM implementation.\u003cbr\u003e\u003cbr\u003eIssue Summary:\u003cbr\u003eApache Kafka\u0027s implementation of the Salted Challenge Response Authentication Mechanism (SCRAM) did not fully adhere to the requirements of RFC 5802 [1].\u003cbr\u003eSpecifically, as per RFC 5802, the server must verify that the nonce sent by the client in the second message matches the nonce sent by the server in its first message.\u003cbr\u003eHowever, Kafka\u0027s SCRAM implementation did not perform this validation.\u003cbr\u003e\u003cbr\u003eImpact:\u003cbr\u003eThis vulnerability is exploitable only when an attacker has plaintext access to the SCRAM authentication exchange. However, the usage of SCRAM over plaintext is strongly\u003cbr\u003ediscouraged as it is considered an insecure practice [2]. Apache Kafka recommends deploying SCRAM exclusively with TLS encryption to protect SCRAM exchanges from interception [3].\u003cbr\u003eDeployments using SCRAM with TLS are not affected by this issue.\u003c/p\u003eHow to Detect If You Are Impacted:\u003cbr\u003eIf your deployment uses SCRAM authentication over plaintext communication channels (without TLS encryption), you are likely impacted.\u003cbr\u003eTo check if TLS is enabled, review your server.properties configuration file for listeners property. If you have SASL_PLAINTEXT in the listeners, then you are likely impacted.\u003cbr\u003e\u003cbr\u003e\u003cspan style=\"background-color: var(--wht);\"\u003eFix Details:\u003cbr\u003e\u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003eThe issue has been addressed by introducing nonce verification in the final message of the SCRAM authentication exchange to ensure compliance with RFC 5802.\u003cbr\u003e\u003cbr\u003e\u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003eAffected Versions:\u003cbr\u003e\u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003eApache Kafka versions 0.10.2.0 through 3.9.0, excluding the fixed versions below.\u003cbr\u003e\u003cbr\u003e\u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003eFixed Versions:\u003cbr\u003e\u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003e3.9.0\u003cbr\u003e\u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003e3.8.1\u003cbr\u003e\u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003e3.7.2\u003cbr\u003e\u003cbr\u003e\u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003eUsers are advised to upgrade to 3.7.2 or later to mitigate this issue.\u003cbr\u003e\u003cbr\u003e\u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003eRecommendations for Mitigation:\u003cbr\u003e\u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003eUsers unable to upgrade to the fixed versions can mitigate the issue by:\u003cbr\u003e\u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003e- Using TLS with SCRAM Authentication:\u003cbr\u003e\u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003eAlways deploy SCRAM over TLS to encrypt authentication exchanges and protect against interception.\u003cbr\u003e\u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003e- Considering Alternative Authentication Mechanisms:\u003cbr\u003e\u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003eEvaluate alternative authentication mechanisms, such as PLAIN, Kerberos or OAuth with TLS, which provide additional layers of security.\u003c/span\u003e\u003cbr\u003e"
            }
          ],
          "value": "Incorrect Implementation of Authentication Algorithm in Apache Kafka\u0027s SCRAM implementation.\n\nIssue Summary:\nApache Kafka\u0027s implementation of the Salted Challenge Response Authentication Mechanism (SCRAM) did not fully adhere to the requirements of RFC 5802 [1].\nSpecifically, as per RFC 5802, the server must verify that the nonce sent by the client in the second message matches the nonce sent by the server in its first message.\nHowever, Kafka\u0027s SCRAM implementation did not perform this validation.\n\nImpact:\nThis vulnerability is exploitable only when an attacker has plaintext access to the SCRAM authentication exchange. However, the usage of SCRAM over plaintext is strongly\ndiscouraged as it is considered an insecure practice [2]. Apache Kafka recommends deploying SCRAM exclusively with TLS encryption to protect SCRAM exchanges from interception [3].\nDeployments using SCRAM with TLS are not affected by this issue.\n\nHow to Detect If You Are Impacted:\nIf your deployment uses SCRAM authentication over plaintext communication channels (without TLS encryption), you are likely impacted.\nTo check if TLS is enabled, review your server.properties configuration file for listeners property. If you have SASL_PLAINTEXT in the listeners, then you are likely impacted.\n\nFix Details:\nThe issue has been addressed by introducing nonce verification in the final message of the SCRAM authentication exchange to ensure compliance with RFC 5802.\n\nAffected Versions:\nApache Kafka versions 0.10.2.0 through 3.9.0, excluding the fixed versions below.\n\nFixed Versions:\n3.9.0\n3.8.1\n3.7.2\n\nUsers are advised to upgrade to 3.7.2 or later to mitigate this issue.\n\nRecommendations for Mitigation:\nUsers unable to upgrade to the fixed versions can mitigate the issue by:\n- Using TLS with SCRAM Authentication:\nAlways deploy SCRAM over TLS to encrypt authentication exchanges and protect against interception.\n- Considering Alternative Authentication Mechanisms:\nEvaluate alternative authentication mechanisms, such as PLAIN, Kerberos or OAuth with TLS, which provide additional layers of security."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "low"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-303",
              "description": "CWE-303 Incorrect Implementation of Authentication Algorithm",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-18T13:38:03.068Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "related"
          ],
          "url": "https://datatracker.ietf.org/doc/html/rfc5802"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://datatracker.ietf.org/doc/html/rfc5802#section-9"
        },
        {
          "url": "https://kafka.apache.org/documentation/#security_sasl_scram_security"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/84dh4so32lwn7wr6c5s9mwh381vx9wkw"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Apache Kafka: SCRAM authentication vulnerable to replay attacks when used without encryption",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2024-56128",
    "datePublished": "2024-12-18T13:38:03.068Z",
    "dateReserved": "2024-12-16T14:52:48.326Z",
    "dateUpdated": "2024-12-18T17:02:47.926Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

WID-SEC-W-2024-3725

CVE-2024-56128 (GCVE-0-2024-56128)

Tags

Sightings

Nomenclature