CVE-2023-40545 – This vulnerability allows attackers to bypass a... (How to Fix)

Q: What is the severity of CVE-2023-40545?

CVE-2023-40545 has a CVSS score of 8.8 (HIGH). This vulnerability allows attackers to bypass authentication in PingFederate OAuth2 clients using client_secret_jwt authentication. Attackers can send specially crafted requests to gain unauthorized access to protected resources. This affects PingFederate 11.3 installations with OAuth2 clients configured to use client_secret_jwt authentication.

📋 TL;DR

This vulnerability allows attackers to bypass authentication in PingFederate OAuth2 clients using client_secret_jwt authentication. Attackers can send specially crafted requests to gain unauthorized access to protected resources. This affects PingFederate 11.3 installations with OAuth2 clients configured to use client_secret_jwt authentication.

💻 Affected Systems

Products:

PingFederate

Versions: 11.3.x versions

Operating Systems: All supported platforms

Default Config Vulnerable: ✅ No

Notes: Only affects configurations where OAuth2 clients use client_secret_jwt authentication method. Other authentication methods are not vulnerable.

📦 What is this software?

Pingfederate by Pingidentity

View all CVEs affecting Pingfederate →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of OAuth2-protected applications and data, allowing attackers to impersonate legitimate users and access sensitive resources.

🟠

Likely Case

Unauthorized access to applications and APIs protected by vulnerable PingFederate instances, potentially leading to data breaches.

🟢

If Mitigated

Limited impact with proper network segmentation and monitoring, but still represents a significant authentication bypass risk.

🌐 Internet-Facing: HIGH - OAuth2 endpoints are typically internet-facing, making them directly accessible to attackers.

🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

The vulnerability allows unauthenticated exploitation via specially crafted requests, making it relatively easy to exploit once the technique is understood.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 11.3.2 or later

Vendor Advisory: https://support.pingidentity.com/s/article/SECADV040-PingFederate-OAuth-Client-Authentication-Bypass

Restart Required: Yes

Instructions:

1. Download PingFederate 11.3.2 or later from Ping Identity downloads page. 2. Backup current configuration and data. 3. Apply the update following PingFederate upgrade procedures. 4. Restart PingFederate services.

🔧 Temporary Workarounds

Disable client_secret_jwt authentication

all

Temporarily switch OAuth2 clients to use alternative authentication methods like client_secret_basic or private_key_jwt

Network isolation

all

Restrict access to PingFederate OAuth endpoints using firewall rules or network segmentation

🧯 If You Can't Patch

Implement strict network access controls to limit who can reach the PingFederate OAuth endpoints
Enable detailed logging and monitoring for authentication attempts and implement alerting for suspicious patterns

🔍 How to Verify

Check if Vulnerable:

Check PingFederate version and verify if any OAuth2 clients are configured with client_secret_jwt authentication method.

Check Version:

Check PingFederate admin console or server logs for version information, or run: java -jar pf-startup.jar --version (from PingFederate bin directory)

Verify Fix Applied:

Verify PingFederate version is 11.3.2 or later and test OAuth2 client authentication with client_secret_jwt to ensure proper validation.

📡 Detection & Monitoring

Log Indicators:

Failed authentication attempts followed by successful authentication with unusual patterns
Multiple authentication requests from single source with varying parameters
Authentication logs showing successful client_secret_jwt validation with unusual timing

Network Indicators:

Unusual traffic patterns to /as/token.oauth2 or other OAuth endpoints
Requests with malformed or manipulated JWT tokens

SIEM Query:

source="pingfederate" AND (event_type="authentication" OR event_type="oauth") AND (status="success" AND client_auth_method="client_secret_jwt") | stats count by src_ip, user

📊 Metadata

CVE ID: CVE-2023-40545

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-306

Published: February 6, 2024

Last Updated: November 21, 2024

🔗 References

https://docs.pingidentity.com/r/en-us/pingfederate-113/hro1701116403236 Release Notes
https://support.pingidentity.com/s/article/SECADV040-PingFederate-OAuth-Client-Authentication-Bypass Permissions Required
https://www.pingidentity.com/en/resources/downloads/pingfederate/previous-releases.html Release Notes
https://docs.pingidentity.com/r/en-us/pingfederate-113/hro1701116403236 Release Notes
https://support.pingidentity.com/s/article/SECADV040-PingFederate-OAuth-Client-Authentication-Bypass Permissions Required
https://www.pingidentity.com/en/resources/downloads/pingfederate/previous-releases.html Release Notes

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-40545, you might also want to check these: