CVE-2024-37905
📋 TL;DR
This vulnerability in authentik's API-Access-Token mechanism allows attackers to escalate privileges to full admin access. Any authentik instance running vulnerable versions is affected, enabling attackers to reset user passwords and perform administrative actions. The issue stems from improper access control in the token mechanism.
💻 Affected Systems
- authentik
📦 What is this software?
Authentik by Goauthentik
Authentik by Goauthentik
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the authentik identity provider, allowing attackers to reset any user's password, modify authentication flows, and potentially gain access to all connected applications.
Likely Case
Unauthorized administrative access leading to user account compromise, privilege escalation for existing users, and potential lateral movement to connected systems.
If Mitigated
Limited impact if network segmentation restricts access to authentik administration interfaces and strong authentication is required for administrative functions.
🎯 Exploit Status
Exploitation requires some level of access to the authentik instance but the vulnerability is in a core authentication mechanism.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2024.2.4, 2024.4.2, or 2024.6.0
Vendor Advisory: https://github.com/goauthentik/authentik/security/advisories/GHSA-c78c-2r9w-p7x4
Restart Required: Yes
Instructions:
1. Backup your authentik configuration and database. 2. Update to version 2024.2.4, 2024.4.2, or 2024.6.0 using your deployment method (Docker, Kubernetes, etc.). 3. Restart the authentik services. 4. Verify the update was successful.
🔧 Temporary Workarounds
Restrict API Access
allLimit network access to authentik API endpoints to trusted IP addresses only
Use firewall rules to restrict access to authentik API ports (typically 9000)
Disable Unnecessary API Tokens
allReview and remove any unnecessary API access tokens
Review authentik admin interface for active API tokens and remove unused ones
🧯 If You Can't Patch
- Implement strict network segmentation to isolate authentik from untrusted networks
- Enable detailed logging and monitoring for suspicious API token usage and privilege escalation attempts
🔍 How to Verify
Check if Vulnerable:
Check authentik version via admin interface or API. If version is below 2024.2.4, 2024.4.2, or 2024.6.0, it is vulnerable.Check Version:
docker exec authentik authentik version (for Docker) or check admin interface at /if/admin/#/admin/overviewVerify Fix Applied:
Confirm version is 2024.2.4, 2024.4.2, or 2024.6.0 or higher. Test API token functionality to ensure proper access controls are enforced.📡 Detection & Monitoring
Log Indicators:
- Unusual API token usage patterns
- Multiple failed authentication attempts followed by successful admin access
- User privilege escalation events
Network Indicators:
- Unusual API requests to token endpoints
- Requests from unexpected IP addresses to admin endpoints
SIEM Query:
source="authentik" AND (event="token_created" OR event="user_permission_changed") | stats count by user, src_ip🔗 References
- https://github.com/goauthentik/authentik/releases/tag/version%2F2024.2.4
- https://github.com/goauthentik/authentik/releases/tag/version%2F2024.4.3
- https://github.com/goauthentik/authentik/releases/tag/version%2F2024.6.0
- https://github.com/goauthentik/authentik/security/advisories/GHSA-c78c-2r9w-p7x4
- https://github.com/goauthentik/authentik/releases/tag/version%2F2024.2.4
- https://github.com/goauthentik/authentik/releases/tag/version%2F2024.4.3
- https://github.com/goauthentik/authentik/releases/tag/version%2F2024.6.0
- https://github.com/goauthentik/authentik/security/advisories/GHSA-c78c-2r9w-p7x4
