CVE-2023-34196
📋 TL;DR
This vulnerability in Keyfactor EJBCA allows unauthenticated or less privileged users to access CA certificates (including attributes and public keys) when OAuth is configured, potentially leading to partial denial of service. It affects EJBCA installations before version 8.0.0 that use OAuth authentication.
💻 Affected Systems
- Keyfactor EJBCA
📦 What is this software?
EJBCA by Keyfactor
⚠️ Risk & Real-World Impact
Worst Case
Attackers could obtain CA certificates and public keys, enabling them to impersonate the CA, issue fraudulent certificates, or conduct man-in-the-middle attacks against systems trusting these certificates.
Likely Case
Unauthorized disclosure of CA certificate information, potentially enabling reconnaissance for further attacks or causing service disruption through certificate distribution endpoint abuse.
If Mitigated
Limited information disclosure with no direct system compromise if proper network segmentation and monitoring are in place.
🎯 Exploit Status
Exploitation requires network access to the /ejbca/ra/cert endpoint on an EJBCA instance that has OAuth authentication configured.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.0.0 or later
Restart Required: Yes
Instructions:
1. Back up your EJBCA installation and database.
2. Upgrade to EJBCA version 8.0.0 or later.
3. Restart the EJBCA application server.
4. Verify the fix by testing the /ejbca/ra/cert endpoint with unauthenticated requests.
🔧 Temporary Workarounds
Disable OAuth Authentication
Temporarily switch to alternative authentication methods until patching is possible.
Modify EJBCA configuration to use non-OAuth authentication methods
Restrict Access to /ejbca/ra/cert
Use network controls or web application firewall rules to limit access to the vulnerable endpoint.
Configure firewall/WAF rules to restrict access to /ejbca/ra/cert to authorized users only
🧯 If You Can't Patch
- Implement strict network segmentation to isolate EJBCA servers from untrusted networks
- Enable detailed logging and monitoring for unauthorized access attempts to the /ejbca/ra/cert endpoint
🔍 How to Verify
Check if Vulnerable:
Check if EJBCA version is below 8.0.0 and OAuth is configured, then attempt unauthenticated access to https://[ejbca-server]/ejbca/ra/cert
Check Version:
Check EJBCA admin interface or application logs for version information
Verify Fix Applied:
After upgrading to 8.0.0+, verify that unauthenticated requests to /ejbca/ra/cert return proper authentication errors
📡 Detection & Monitoring
Log Indicators:
- Unauthenticated requests to /ejbca/ra/cert endpoint
- Multiple failed authentication attempts followed by successful certificate access
Network Indicators:
- Unusual traffic patterns to /ejbca/ra/cert from unauthorized IP addresses
- Certificate downloads from unauthenticated sessions
SIEM Query:
source="ejbca.log" AND (uri="/ejbca/ra/cert" AND (status=200 OR auth_failure))
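The two log indicators above and the SIEM query can be checked offline against your own access logs. The following is an added example, not code from the original page or from Keyfactor: it parses constructed sample log lines in an assumed "timestamp client-ip method uri status user=<principal>" layout (real EJBCA log formats differ, so the LINE_RE pattern is an assumption to adapt), then flags successful unauthenticated hits on /ejbca/ra/cert and, per client IP, a run of authentication failures followed by a successful certificate access.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real EJBCA output). The field layout
# "ts ip method uri status user=<principal>" is an assumption; user=- means
# no authenticated principal.
SAMPLE_LOG = """\
2023-06-01T10:00:01Z 203.0.113.5 GET /ejbca/ra/cert?caid=1 200 user=-
2023-06-01T10:00:02Z 203.0.113.5 GET /ejbca/ra/cert?caid=2 200 user=-
2023-06-01T10:01:00Z 198.51.100.7 GET /ejbca/ra/cert?caid=1 401 user=-
2023-06-01T10:01:05Z 198.51.100.7 GET /ejbca/ra/cert?caid=1 401 user=-
2023-06-01T10:01:10Z 198.51.100.7 GET /ejbca/ra/cert?caid=1 403 user=-
2023-06-01T10:01:20Z 198.51.100.7 GET /ejbca/ra/cert?caid=1 200 user=alice
2023-06-01T10:02:00Z 192.0.2.9 GET /ejbca/adminweb/index.xhtml 200 user=admin
2023-06-01T10:03:00Z 192.0.2.9 GET /ejbca/ra/cert?caid=3 200 user=admin
"""

# Assumed line format; adjust to the access-log layout you actually collect.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>\S+) (?P<uri>\S+) "
    r"(?P<status>\d{3}) user=(?P<user>\S+)$"
)
CERT_PATH = "/ejbca/ra/cert"          # the certificate distribution servlet
AUTH_FAILURE_STATUSES = {401, 403}    # treated as "auth_failure" in the SIEM query


def parse_log(text):
    """Parse log text into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["status"] = int(ev["status"])
        ev["path"] = ev["uri"].split("?", 1)[0]   # drop the query string before matching
        ev["authenticated"] = ev["user"] != "-"
        events.append(ev)
    return events


def unauthenticated_cert_hits(events):
    """First log indicator: 200 responses from /ejbca/ra/cert with no authenticated principal."""
    return [e for e in events
            if e["path"] == CERT_PATH and e["status"] == 200 and not e["authenticated"]]


def auth_failures(events):
    """Authentication failures on the certificate distribution endpoint."""
    return [e for e in events
            if e["path"] == CERT_PATH and e["status"] in AUTH_FAILURE_STATUSES]


def failures_then_success(events, min_failures=3):
    """Second log indicator: per source IP, at least min_failures auth failures on the
    endpoint immediately followed by a successful certificate access."""
    streak = defaultdict(int)
    flagged = []
    for e in events:                       # events are assumed to be in time order
        if e["path"] != CERT_PATH:
            continue
        ip = e["ip"]
        if e["status"] in AUTH_FAILURE_STATUSES:
            streak[ip] += 1
        elif e["status"] == 200:
            if streak[ip] >= min_failures:
                flagged.append(ip)
            streak[ip] = 0
    return flagged


def summarize(text):
    """Run all three checks over raw log text and return a compact report."""
    events = parse_log(text)
    return {
        "unauthenticated_hits": [(e["ip"], e["uri"]) for e in unauthenticated_cert_hits(events)],
        "auth_failures": len(auth_failures(events)),
        "failures_then_success": failures_then_success(events),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed sample, the report lists the two unauthenticated downloads from 203.0.113.5, counts three authentication failures, and flags 198.51.100.7 for three failures followed by a successful access; the admin's authenticated request to the same path is not flagged. The min_failures threshold and the status codes counted as failures are the knobs to tune against your own baseline traffic.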
🔗 References
- https://keyfactor.com
- https://support.keyfactor.com/hc/en-us/articles/16671824556827-EJBCA-Security-Advisory-Partial-denial-of-service-attack-on-certificate-distribution-servlet-ejbca-ra-cert