CVE-2024-39694
📋 TL;DR
Duende IdentityServer contains an open redirect vulnerability where attackers can craft malicious URLs that are incorrectly treated as local and trusted. When these URLs are returned as redirects, browsers may follow them to third-party sites, enabling phishing attacks. This affects all Duende IdentityServer versions before the patched releases.
💻 Affected Systems
- Duende IdentityServer
⚠️ Manual Verification Required
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Successful phishing campaigns leading to credential theft and account compromise through convincing redirects to malicious sites.
Likely Case
Phishing attacks where users are redirected to fake login pages, potentially capturing credentials if users are tricked.
If Mitigated
No impact if proper URL validation is implemented or patches are applied.
🎯 Exploit Status
Exploitation requires crafting malicious URLs but no authentication is needed. The vulnerability is straightforward to exploit for phishing.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.0.6, 6.3.10, 6.2.5, 6.1.8, or 6.0.5
Vendor Advisory: https://github.com/DuendeSoftware/IdentityServer/commit/269ca2171fe1e901c87f2f0797bbc7c230db87c6
Restart Required: Yes
Instructions:
1. Identify your Duende IdentityServer version.
2. Upgrade to the appropriate patched version: 7.x to 7.0.6, 6.3.x to 6.3.10, 6.2.x to 6.2.5, 6.1.x to 6.1.8, or 6.0.x to 6.0.5.
3. Restart the application.
🔧 Temporary Workarounds
Implement IUrlHelper.IsLocalUrl Validation
Manually validate return URLs in user interface code with ASP.NET Core's IUrlHelper.IsLocalUrl method so that only local URLs are trusted as redirect targets.
🧯 If You Can't Patch
- Implement the IUrlHelper.IsLocalUrl workaround in all user interface code that processes redirect URLs.
- Monitor logs for suspicious redirect patterns and implement web application firewall rules to block known malicious redirect patterns.
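The workaround above relies on IUrlHelper.IsLocalUrl deciding which return URLs count as local. The following is an added example, not code from the advisory or from Duende IdentityServer: a Python port of the rules that ASP.NET Core's IsLocalUrl applies (a leading "/" or "~/" not followed by "/" or "\", with control characters rejected; the control-character check is assumed to match current framework versions), plus a helper that falls back to a fixed local page when the check fails. Running it shows which URL shapes the workaround accepts and which it sends to the fallback.

```python
# Added example: a Python port of the local-URL rules that ASP.NET Core's
# IUrlHelper.IsLocalUrl applies. It is not Duende IdentityServer code; it is
# here to show which return-URL shapes the recommended workaround accepts.
from typing import Optional


def _has_control_char(s: str) -> bool:
    # Reject C0 control characters (CR/LF could otherwise end up inside the
    # redirect response headers) and DEL.
    return any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in s)


def is_local_url(url: Optional[str]) -> bool:
    """Return True only for URLs the application should treat as local.

    Mirrors the rules of ASP.NET Core's IsLocalUrl (assumption: the
    control-character check matches current framework versions):
      * "/" or "/path"   is local, but "//host" and "/\\host" are not,
        because browsers resolve those as protocol-relative targets;
      * "~/" or "~/path" is local, with the same "//" and "/\\" exclusions;
      * anything carrying a scheme ("https://...") or an empty value is not.
    """
    if not url:
        return False

    if url[0] == "/":
        if len(url) == 1:
            return True
        if url[1] not in ("/", "\\"):
            return not _has_control_char(url[1:])
        return False

    if url.startswith("~/"):
        if len(url) == 2:
            return True
        if url[2] not in ("/", "\\"):
            return not _has_control_char(url[2:])
        return False

    return False


def safe_return_url(return_url: Optional[str], fallback: str = "/") -> str:
    """Pick the redirect target: a non-local returnUrl is replaced by a fixed
    local page instead of being echoed into the 302 Location header."""
    return return_url if is_local_url(return_url) else fallback


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the advisory.
    for candidate in ["/account/profile", "~/home", "//evil.example/login",
                      "/\\evil.example", "https://evil.example/", "/x\r\nL: y", ""]:
        print(f"{candidate!r:32} -> {safe_return_url(candidate)}")
```

In an ASP.NET Core application the same decision is made by calling `Url.IsLocalUrl(returnUrl)` before issuing the redirect; the port above only makes the accepted and rejected shapes visible.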
🔍 How to Verify
Check if Vulnerable:
Check your Duende IdentityServer version. If it is earlier than the patched release for your release line listed above, you are vulnerable.
Check Version:
Check the package version in your project file or runtime version via application logs.
Verify Fix Applied:
After upgrading, verify the version matches one of the patched releases and test that crafted malicious URLs are no longer treated as local.
📡 Detection & Monitoring
Log Indicators:
- Unusual redirect patterns to external domains from IdentityServer endpoints
- Multiple failed redirect attempts with malformed URLs
Network Indicators:
- HTTP 302 redirects to unexpected external domains from IdentityServer
SIEM Query:
source="IdentityServer" AND (http_status=302 OR http_status=301) AND (url CONTAINS "http://" OR url CONTAINS "https://") AND NOT url CONTAINS "expected-domain.com"
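The SIEM query above expresses the detection as a substring match on the redirect target. The following is an added example, not part of the advisory or of IdentityServer, that applies the same logic to constructed access-log lines; the log format, the log source name and the allow-listed hosts are assumptions. It parses the Location target with a URL parser rather than matching "http://", so protocol-relative targets ("//host/...") are flagged as external too, while path-only redirects within the application are left alone.

```python
# Added example: detection logic equivalent to the SIEM query, run over
# constructed access-log lines. Not advisory or IdentityServer code; the
# log format and the allow-listed hosts are assumptions.
import re
from urllib.parse import urlsplit

# Assumed log format: "<source> <status> <request_path> location=<Location header>"
LOG_LINE = re.compile(
    r'^(?P<source>\S+) (?P<status>\d{3}) (?P<path>\S+) location=(?P<location>\S*)$'
)

# Hosts this deployment legitimately redirects to (placeholder values).
ALLOWED_HOSTS = {"idp.expected-domain.com", "app.expected-domain.com"}

# Constructed sample log; the third and fourth lines are the ones to catch.
SAMPLE_LOG = """\
IdentityServer 302 /Account/Login?ReturnUrl=%2Fconnect%2Fauthorize location=/connect/authorize
IdentityServer 302 /Account/Login location=https://app.expected-domain.com/callback
IdentityServer 302 /Account/Login location=https://evil.example/login
IdentityServer 301 /signin-oidc location=//evil.example/phish
IdentityServer 200 /Account/Login location=
OtherService 302 /x location=https://evil.example/
"""


def suspicious_redirects(log_text, allowed_hosts=ALLOWED_HOSTS):
    """Return (status, path, location) for IdentityServer 301/302 responses
    whose Location resolves to a host outside allowed_hosts.

    urlsplit() yields a hostname for "https://host/..." and for the
    protocol-relative "//host/..." alike, and None for path-only targets,
    so internal redirects are skipped without a scheme-string match.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m or m["source"] != "IdentityServer":
            continue
        if m["status"] not in ("301", "302"):
            continue
        host = urlsplit(m["location"]).hostname or ""  # lower-cased, port stripped
        if host and host not in allowed_hosts:
            findings.append((int(m["status"]), m["path"], m["location"]))
    return findings


if __name__ == "__main__":
    for status, path, location in suspicious_redirects(SAMPLE_LOG):
        print(f"{status} {path} -> {location}")
```

A single external redirect is not proof of exploitation, since legitimate post-logout and federation flows also leave the identity provider; the value of the allow-list is that it turns those known destinations into baseline and leaves only the unexpected hosts for an analyst to review.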
🔗 References
- https://github.com/DuendeSoftware/IdentityServer/commit/269ca2171fe1e901c87f2f0797bbc7c230db87c6
- https://github.com/DuendeSoftware/IdentityServer/commit/765116a2d4fb0671b6eba015e698533900c61c8e
- https://github.com/DuendeSoftware/IdentityServer/commit/d0d8eab35ad9183b14925496803ed8b36658d0a1
- https://github.com/DuendeSoftware/IdentityServer/commit/f04cf0be859b93f43563f8f812eb92206ad94011
- https://github.com/DuendeSoftware/IdentityServer/commit/fe817b499933d6ed6141b153492d7335c28b184a
- https://github.com/DuendeSoftware/IdentityServer/security/advisories/GHSA-ff4q-64jc-gx98