CVE-2024-21643

7.1 HIGH

📋 TL;DR

This vulnerability in Microsoft.IdentityModel lets an attacker who can present a crafted SignedHttpRequest token make the validating server issue arbitrary HTTP GET requests, because the 'jku' claim (the URL from which the library fetches the proof-of-possession key) is trusted by default. It affects .NET applications using SignedHttpRequest or SignedHttpRequestValidator with vulnerable versions of the Microsoft.IdentityModel extensions.

💻 Affected Systems

Products:
  • Microsoft.IdentityModel.Protocols.SignedHttpRequest
  • Microsoft.IdentityModel extensions for .NET
Versions: All versions before 6.34.0 (6.x) and before 7.1.2 (7.x)
Operating Systems: Windows, Linux, macOS - any OS running .NET applications with affected libraries
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications using SignedHttpRequest protocol or SignedHttpRequestValidator. Default configuration trusts jku claim.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Server-side request forgery (SSRF) enabling internal network reconnaissance, data exfiltration, or chaining with other vulnerabilities for remote code execution.

🟠

Likely Case

Unauthorized HTTP requests to internal services, potential data leakage, or denial of service through resource exhaustion.

🟢

If Mitigated

Limited impact if network segmentation restricts internal HTTP access and external requests are monitored.

🌐 Internet-Facing: HIGH - Exploitable remotely via crafted SignedHttpRequest tokens targeting internet-facing applications.
🏢 Internal Only: MEDIUM - Internal applications could be exploited by authenticated users or through other attack vectors.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires ability to craft SignedHttpRequest tokens with malicious jku claims. Exploitation depends on application's token validation implementation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.34.0 or higher for 6.x, 7.1.2 or higher for 7.x

Vendor Advisory: https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/security/advisories/GHSA-rv9j-c866-gp5h

Restart Required: Yes

Instructions:

1. Identify all applications using Microsoft.IdentityModel.
2. Update NuGet packages to Microsoft.IdentityModel.Protocols.SignedHttpRequest >=6.34.0 (6.x) or >=7.1.2 (7.x).
3. Update all dependent packages.
4. Rebuild and redeploy applications.
5. Restart application services.

🔧 Temporary Workarounds

Disable jku claim validation


Configure SignedHttpRequestValidator to not trust jku claims by default

// C# configuration example (illustrative; confirm the member name against the
// SignedHttpRequestValidationParameters type in your installed version):
var shrValidationParameters = new SignedHttpRequestValidationParameters
{
    // Do not fetch the proof-of-possession key from the URL in the jku claim;
    // supply the key through your own resolver or the cnf claim instead.
    AllowResolvingPopKeyFromJku = false
};

🧯 If You Can't Patch

  • Implement network controls to restrict outbound HTTP requests from affected applications
  • Deploy web application firewall (WAF) rules to detect and block malicious jku claim patterns

🔍 How to Verify

Check if Vulnerable:

Check project dependencies for Microsoft.IdentityModel.Protocols.SignedHttpRequest version <6.34.0 (6.x) or <7.1.2 (7.x) using NuGet package manager or examining .csproj files.

Check Version:

dotnet list package --include-transitive | findstr Microsoft.IdentityModel.Protocols.SignedHttpRequest
(on Linux/macOS pipe through grep instead of findstr; --include-transitive is needed because the package is usually pulled in indirectly)

Verify Fix Applied:

Confirm updated packages show version >=6.34.0 (6.x) or >=7.1.2 (7.x) in package references and validate application functionality with SignedHttpRequest.

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTTP outbound requests from application servers
  • Failed SignedHttpRequest validations with external jku URLs
  • High volume of token validation requests

Network Indicators:

  • HTTP GET requests to unexpected internal/external endpoints from application servers
  • Patterns matching jku claim exploitation

SIEM Query:

source="application_logs" AND (message CONTAINS "jku" OR message CONTAINS "SignedHttpRequest") AND (status="failed" OR url="internal_network")
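The SIEM query above only keyword-matches. The following added example (not from the advisory or the library) shows the log-side check the indicators describe in a more precise form: it pulls the jku URL out of failed SignedHttpRequest validation messages and flags any URL whose host is not on an allowlist of known key endpoints or which resolves to internal address space. The log line format, the allowlist, and the sample lines are constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample log lines; the message format is an assumption made for
# this example, not the library's real log output.
SAMPLE_LOGS = [
    "2024-01-10T10:01:02Z WARN SignedHttpRequest validation failed: jku=https://login.example.com/keys",
    "2024-01-10T10:01:05Z WARN SignedHttpRequest validation failed: jku=http://10.0.0.5:8080/keys",
    "2024-01-10T10:01:07Z INFO SignedHttpRequest validation succeeded: jku=https://login.example.com/keys",
    "2024-01-10T10:01:09Z WARN SignedHttpRequest validation failed: jku=http://169.254.169.254/keys",
    "2024-01-10T10:01:11Z WARN SignedHttpRequest validation failed: jku=https://unknown-host.example.net/jwks",
]

# Hosts your deployment legitimately fetches proof-of-possession keys from
# (assumed value; replace with your identity provider's key endpoint).
ALLOWED_JKU_HOSTS = {"login.example.com"}

JKU_RE = re.compile(r"jku=(\S+)")


def classify_jku(url):
    """Return a short reason if the jku URL is suspicious, or None if it is expected."""
    parts = urlsplit(url)
    host = parts.hostname
    if host is None:
        return "unparseable jku URL"
    if host in ALLOWED_JKU_HOSTS:
        # Even an allowed host should only be reached over TLS.
        if parts.scheme != "https":
            return "allowed host over plain http"
        return None
    # A literal IP address inside private, loopback or link-local space is the
    # classic SSRF shape: the server is being pointed at its own network.
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "host not in allowlist"
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return "points at internal address space"
    return "host not in allowlist"


def scan_logs(lines):
    """Return (jku_url, reason) pairs for every SignedHttpRequest log line with a suspicious jku."""
    findings = []
    for line in lines:
        if "SignedHttpRequest" not in line:
            continue
        match = JKU_RE.search(line)
        if not match:
            continue
        url = match.group(1)
        reason = classify_jku(url)
        if reason is not None:
            findings.append((url, reason))
    return findings


if __name__ == "__main__":
    for url, reason in scan_logs(SAMPLE_LOGS):
        print(f"{reason}: {url}")
```

Successful validations are scanned too, on purpose: a jku that was fetched and accepted from an unexpected host is the more serious finding, since it means the key retrieval actually happened. Feed the function your real application log stream and route non-empty results to the alert rule that backs the SIEM query.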

🔗 References
