CVE-2021-4133
📋 TL;DR
This vulnerability allows any authenticated user in Keycloak to create new default user accounts via the administrative REST API, even when new user registration is disabled. This affects Keycloak versions from 12.0.0 up to but not including 15.1.1. Attackers with existing user accounts can exploit this to create unauthorized accounts.
💻 Affected Systems
- Keycloak
📦 What is this software?
Keycloak by Red Hat
⚠️ Risk & Real-World Impact
Worst Case
Attackers create administrative accounts, gain full control over the Keycloak instance, and compromise all managed identities and authentication flows.
Likely Case
Attackers create unauthorized user accounts to maintain persistence, escalate privileges, or conduct further attacks within the system.
If Mitigated
With proper network segmentation and access controls, impact is limited to the Keycloak instance itself without lateral movement.
🎯 Exploit Status
Exploitation requires an existing user account but uses standard API calls.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 15.1.1
Vendor Advisory: https://github.com/keycloak/keycloak/security/advisories/GHSA-83x4-9cwr-5487
Restart Required: Yes
Instructions:
1. Upgrade Keycloak to version 15.1.1 or later.
2. Restart the Keycloak service.
3. Verify the version after restart.
🔧 Temporary Workarounds
Restrict Administrative API Access
Limit network access to the Keycloak administrative REST API endpoints to trusted administrative networks only.
Configure firewall rules to restrict access to Keycloak admin endpoints (typically port 8080 or 8443 for admin console)
Implement API Gateway Controls
Use an API gateway or web application firewall to block unauthorized user creation requests.
Configure WAF rules to block POST requests to /auth/admin/realms/*/users from non-admin users
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Keycloak administrative interfaces from regular user networks.
- Enhance monitoring and alerting for user creation events, especially from non-admin accounts.
🔍 How to Verify
Check if Vulnerable:
Check the Keycloak version via the admin console or by examining server logs. If the version is between 12.0.0 and 15.1.0 inclusive, the system is vulnerable.
Check Version:
Check Keycloak server logs for version information or use: curl -s http://localhost:8080/auth/realms/master/.well-known/openid-configuration | grep -o '"version":"[^"]*"'
Verify Fix Applied:
After patching, attempt to create a user via the REST API with a non-admin account; this should fail with a proper authorization error.
📡 Detection & Monitoring
Log Indicators:
- User creation events from non-admin accounts in Keycloak audit logs
- Failed authorization attempts on admin REST endpoints
Network Indicators:
- POST requests to /auth/admin/realms/*/users from non-admin IP addresses
SIEM Query:
source="keycloak" AND event_type="CREATE_USER" AND user_role!="admin"
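The log indicators above, worked as an added detection example that is not part of the original advisory: it reads Keycloak admin-event JSON lines (the field names operationType, resourceType, resourcePath and authDetails follow Keycloak's admin-event representation, but the shape is assumed and all values are constructed) and flags USER/CREATE events whose actor is not a known admin or whose source address lies outside the admin networks.

```python
import json
from ipaddress import ip_address, ip_network

# Constructed sample admin events (one JSON object per line). Field names follow
# Keycloak's admin-event JSON; user ids, addresses and timestamps are made up.
SAMPLE_EVENTS = """
{"time":1640000000000,"realmId":"master","authDetails":{"realmId":"master","clientId":"admin-cli","userId":"1111-admin","ipAddress":"10.0.0.5"},"resourceType":"USER","operationType":"CREATE","resourcePath":"users/aaaa-0001"}
{"time":1640000060000,"realmId":"master","authDetails":{"realmId":"master","clientId":"admin-cli","userId":"2222-plain","ipAddress":"203.0.113.7"},"resourceType":"USER","operationType":"CREATE","resourcePath":"users/aaaa-0002"}
{"time":1640000120000,"realmId":"master","authDetails":{"realmId":"master","clientId":"admin-cli","userId":"2222-plain","ipAddress":"203.0.113.7"},"resourceType":"USER","operationType":"UPDATE","resourcePath":"users/aaaa-0002"}
"""

# (realm, userId) pairs that are expected to create users (assumed allowlist).
KNOWN_ADMINS = {("master", "1111-admin")}
# Networks from which admin REST API use is expected (assumed).
ADMIN_NETWORKS = [ip_network("10.0.0.0/8")]


def parse_events(text):
    """Parse JSON-lines admin events, skipping blank or non-JSON lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # non-JSON log noise is ignored, not fatal
    return events


def find_suspicious_user_creations(events, known_admins=KNOWN_ADMINS,
                                   admin_networks=ADMIN_NETWORKS):
    """Return one alert per USER/CREATE event with an unexpected actor or source."""
    alerts = []
    for ev in events:
        if ev.get("resourceType") != "USER" or ev.get("operationType") != "CREATE":
            continue
        auth = ev.get("authDetails", {})
        reasons = []
        if (auth.get("realmId"), auth.get("userId")) not in known_admins:
            reasons.append("actor not a known admin")
        ip = auth.get("ipAddress")
        try:
            if not any(ip_address(ip) in net for net in admin_networks):
                reasons.append("source outside admin networks")
        except ValueError:  # missing or malformed address is itself suspicious
            reasons.append("unparseable source address")
        if reasons:
            alerts.append({"time": ev.get("time"), "actor": auth.get("userId"),
                           "ip": ip, "created": ev.get("resourcePath"),
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_user_creations(parse_events(SAMPLE_EVENTS)):
        print(json.dumps(alert))
```

On a real deployment the admin event listener must be enabled for the realm and the allowlist populated from your own admin accounts; the UPDATE event in the sample is deliberately ignored so that only account creation raises an alert.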
🔗 References
- https://bugzilla.redhat.com/show_bug.cgi?id=2033602
- https://github.com/keycloak/keycloak/issues/9247
- https://github.com/keycloak/keycloak/security/advisories/GHSA-83x4-9cwr-5487
- https://www.oracle.com/security-alerts/cpuapr2022.html