CVE-2024-10125
📋 TL;DR
This vulnerability in the AWS ALB Identity ASP.NET Core middleware allows attackers to forge valid OIDC sessions when infrastructure is misconfigured. It affects deployments using the deprecated awslabs/aws-alb-identity-aspnetcore repository with internet-facing ALB targets. The middleware validates JWT signatures but fails to verify the issuer and signer identity, enabling session impersonation.
💻 Affected Systems
- awslabs/aws-alb-identity-aspnetcore
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete account takeover and unauthorized access to backend services through forged OIDC sessions, potentially leading to data exfiltration, privilege escalation, and lateral movement.
Likely Case
Session hijacking and unauthorized access to applications behind misconfigured ALBs, allowing attackers to impersonate legitimate users.
If Mitigated
Minimal impact if ALB targets are not internet-facing and proper network segmentation is implemented.
🎯 Exploit Status
Exploitation requires ability to sign JWTs and access to misconfigured infrastructure. No public exploit code known.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: N/A
Vendor Advisory: https://aws.amazon.com/security/security-bulletins/AWS-2024-012/
Restart Required: No
Instructions:
The repository is deprecated and end-of-life. Remove the package and implement alternative OIDC validation with proper issuer/signer checks.
🔧 Temporary Workarounds
Remove Public Access to ALB Targets
Ensure ALB targets (EC2, Fargate, ECS, EKS, Lambda) do not have public IP addresses or internet access.
# Review and modify security groups and network ACLs to restrict public access
# Use VPC endpoints and private subnets for ALB targets
Implement Custom JWT Validation
Replace the vulnerable middleware with custom JWT validation that checks that the token's issuer is the expected one and that the signer ARN matches the configured ALB.
# Implement JWT validation with issuer verification
# Validate 'signer' attribute matches ALB ARN
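The check above in code, as an added example that is not the repository's middleware: the signature-only validator mirrors the flawed behaviour (any key the directory knows, selected by the token's own kid, is trusted), while the hardened validator also pins the signer ARN, the issuer and the expiry from the JWT header. The key directory, the ARNs and the HMAC-SHA256 signature (standing in for the ES256 that ALB actually uses, so the block needs only the standard library) are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-in for the regional ALB public-key directory (kid -> key).
# Real ALB tokens are ES256-signed; HMAC-SHA256 stands in so this runs with only the stdlib.
KEYS = {"kid-alb-a": b"constructed-key-A", "kid-alb-b": b"constructed-key-B"}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_token(header: dict, payload: dict, key: bytes) -> str:
    """Build a JWT whose header carries ALB-style fields (kid, signer, iss, exp)."""
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(payload).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def signature_is_valid(token: str):
    """Return (ok, header). Trusts any key the directory knows, chosen by the token's own kid."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    key = KEYS.get(header.get("kid"))
    if key is None:
        return False, header
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(s)), header

def validate_signature_only(token: str) -> bool:
    """The weak check: a valid signature under any directory key is enough."""
    ok, _ = signature_is_valid(token)
    return ok

def validate_hardened(token: str, expected_signer_arn: str, expected_issuer: str, now=None) -> bool:
    """Signature plus the identity checks the advisory asks for: signer ARN, issuer, expiry."""
    ok, header = signature_is_valid(token)
    if not ok:
        return False
    if header.get("signer") != expected_signer_arn:   # token must come from *our* ALB
        return False
    if header.get("iss") != expected_issuer:          # and from the identity provider we configured
        return False
    if header.get("exp", 0) <= (now if now is not None else time.time()):
        return False
    return True
```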
🧯 If You Can't Patch
- Isolate ALB targets in private subnets with no internet access
- Implement network monitoring for suspicious JWT validation attempts
🔍 How to Verify
Check if Vulnerable:
Check if your application uses the awslabs/aws-alb-identity-aspnetcore package and if ALB targets have public IPs.
Check Version:
Check package references in .csproj files or NuGet package manager for 'Amazon.ApplicationLoadBalancer.Identity.AspNetCore'
Verify Fix Applied:
Verify the package is removed and ALB targets are not internet-facing. Test JWT validation includes issuer and signer checks.
📡 Detection & Monitoring
Log Indicators:
- Failed JWT validation logs without issuer/signer checks
- Unusual OIDC session patterns from unexpected IPs
Network Indicators:
- External traffic directly to ALB target IPs
- JWT validation requests from unauthorized sources
SIEM Query:
Search for authentication events where JWT validation succeeds but issuer/signer validation is missing