CVE-2024-41952
📋 TL;DR
This vulnerability in the Zitadel identity management system allows attackers to enumerate valid usernames when the 'Ignoring unknown usernames' security feature is enabled. Because of a change made to prevent database deadlocks, the system sometimes returns 'object not found' errors instead of the generic 'Username or Password invalid' message, revealing whether an account exists. This affects all Zitadel administrators who have enabled the username obfuscation feature.
💻 Affected Systems
- Zitadel
📦 What is this software?
Zitadel by Zitadel
⚠️ Risk & Real-World Impact
Worst Case
Attackers can enumerate all valid usernames in the system, enabling targeted credential stuffing, phishing, or social engineering attacks against identified users.
Likely Case
Attackers can perform username enumeration to identify valid accounts, then conduct password spraying or targeted brute-force attacks against those accounts.
If Mitigated
With proper monitoring and rate limiting, impact is limited to information disclosure about account existence without direct access compromise.
🎯 Exploit Status
Exploitation requires only sending authentication requests and observing error message differences. No special tools or authentication required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.58.1, 2.57.1, 2.56.2, 2.55.5, 2.54.8, or 2.53.9
Vendor Advisory: https://github.com/zitadel/zitadel/security/advisories
Restart Required: Yes
Instructions:
1. Identify your current Zitadel version.
2. Upgrade to the appropriate patched version for your release line.
3. Restart Zitadel services.
4. Verify the fix by testing authentication with non-existent usernames.
🔧 Temporary Workarounds
Disable 'Ignoring unknown usernames' feature
Temporarily disable the vulnerable security feature until patching is complete.
zitadel admin settings update --ignore-unknown-usernames=false
🧯 If You Can't Patch
- Implement strict rate limiting on authentication endpoints to prevent automated username enumeration
- Deploy a WAF or reverse proxy to normalize error messages and mask 'object not found' responses
🔍 How to Verify
Check if Vulnerable:
Enable the 'Ignoring unknown usernames' setting, then attempt authentication with a non-existent username. If the response contains 'object not found' instead of the generic error, the system is vulnerable.
Check Version:
zitadel version
Verify Fix Applied:
After patching, test with a non-existent username. The system should always return the generic 'Username or Password invalid' error regardless of whether the username exists.
📡 Detection & Monitoring
Log Indicators:
- Multiple 'object not found' errors in authentication logs
- Unusual patterns of failed login attempts with varied usernames
Network Indicators:
- High volume of authentication requests to /oauth/token or /auth endpoints
- Pattern of failed auth requests followed by successful logins
SIEM Query:
source="zitadel" AND (message="object not found" OR error="object not found") | stats count by src_ip, user
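The SIEM query above counts 'object not found' errors per source; the following added example (not code from the page or from Zitadel) applies the same idea offline to constructed, JSON-per-line authentication log lines, a shape assumed here rather than Zitadel's real log format. It flags a source IP only when the 'object not found' responses cover several distinct usernames, which separates enumeration from a single mistyped login.

```python
import json
from collections import defaultdict

# Constructed sample log lines (assumed JSON-per-line shape, not Zitadel's actual format).
# 198.51.100.7 probes six usernames; only "alice" exists, so it gets the generic error.
# 203.0.113.9 mistypes "grace" once and then logs in normally: a benign pattern.
SAMPLE_LOGS = """\
{"ts":"2024-08-01T10:00:01Z","src_ip":"198.51.100.7","user":"alice","message":"Username or Password invalid"}
{"ts":"2024-08-01T10:00:02Z","src_ip":"198.51.100.7","user":"bob","message":"object not found"}
{"ts":"2024-08-01T10:00:03Z","src_ip":"198.51.100.7","user":"carol","message":"object not found"}
{"ts":"2024-08-01T10:00:04Z","src_ip":"198.51.100.7","user":"dave","message":"object not found"}
{"ts":"2024-08-01T10:00:05Z","src_ip":"198.51.100.7","user":"erin","message":"object not found"}
{"ts":"2024-08-01T10:00:06Z","src_ip":"198.51.100.7","user":"frank","message":"object not found"}
{"ts":"2024-08-01T10:01:00Z","src_ip":"203.0.113.9","user":"gracee","message":"object not found"}
{"ts":"2024-08-01T10:01:05Z","src_ip":"203.0.113.9","user":"grace","message":"Username or Password invalid"}
this line is not JSON and must not abort the scan
"""

NOT_FOUND = "object not found"
GENERIC = "Username or Password invalid"


def parse_lines(text):
    """Parse JSON-per-line log text, skipping malformed lines instead of failing."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def find_enumeration(events, min_distinct_users=5):
    """Return {src_ip: stats} for sources whose 'object not found' errors span
    at least min_distinct_users different usernames (the enumeration signal)."""
    per_ip = defaultdict(lambda: {"not_found": 0, "generic": 0, "users": set()})
    for ev in events:
        stats = per_ip[ev.get("src_ip", "?")]
        msg = ev.get("message", "")
        if msg == NOT_FOUND:
            stats["not_found"] += 1
            stats["users"].add(ev.get("user", ""))
        elif msg == GENERIC:
            stats["generic"] += 1
    return {
        ip: {"not_found": s["not_found"], "generic": s["generic"], "distinct_users": len(s["users"])}
        for ip, s in per_ip.items()
        if len(s["users"]) >= min_distinct_users
    }
```

Lowering `min_distinct_users` trades false positives for earlier detection; a source that receives both message variants is the one that can tell existing accounts apart, so the `generic` count is kept in the output for triage.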
🔗 References
- https://github.com/zitadel/zitadel/commit/0ab0c645ef914298c343fa39cccb1290aba48bf6
- https://github.com/zitadel/zitadel/commit/3c7d12834e32426416235b9e3374be0f4b9380b8
- https://github.com/zitadel/zitadel/commit/5c2526c98aafd1ba206be2fa4291b1d24c384f6d
- https://github.com/zitadel/zitadel/commit/8565d24fd8df5bd35294313cfbfcc2e15aea20e9
- https://github.com/zitadel/zitadel/commit/b0e71a81ef39667ce2a149ce037c1ca0edbe059d
- https://github.com/zitadel/zitadel/commit/fc1d415b8db5b8d481bb65206ce3fc944c0eecea
- https://github.com/zitadel/zitadel/releases/tag/v2.53.9
- https://github.com/zitadel/zitadel/releases/tag/v2.54.8
- https://github.com/zitadel/zitadel/releases/tag/v2.55.5
- https://github.com/zitadel/zitadel/releases/tag/v2.56.2
- https://github.com/zitadel/zitadel/releases/tag/v2.57.1
- https://github.com/zitadel/zitadel/releases/tag/v2.58.1
- https://github.com/zitadel/zitadel/security/advisories/GHSA-567v-6hmg-6qg7