CVE-2021-3827 Overview
A critical authentication bypass vulnerability was discovered in Red Hat Keycloak, where the default ECP (Enhanced Client or Proxy) binding flow allows other authentication flows to be bypassed. By exploiting this behavior, an attacker can bypass Multi-Factor Authentication (MFA) by sending a SOAP request with an AuthnRequest and Authorization header containing the user's credentials. This vulnerability represents a significant security risk as it undermines the fundamental security controls organizations rely on for protecting sensitive resources.
Critical Impact
Attackers can bypass MFA authentication controls in Keycloak by exploiting the ECP binding flow, potentially gaining unauthorized access to protected resources with only basic credentials.
Affected Products
- Red Hat Keycloak (all versions prior to fix)
- Red Hat Single Sign-On 7.0 and 7.5.0
- Red Hat Enterprise Linux 7.0 and 8.0
- Red Hat OpenShift Container Platform 4.8 and 4.9
Discovery Timeline
- 2022-08-23 - CVE-2021-3827 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-3827
Vulnerability Analysis
This vulnerability (CWE-287: Improper Authentication) exists within Keycloak's SAML protocol implementation, specifically in how the ECP binding flow processes authentication requests. The ECP profile is designed to enable non-browser clients to authenticate using SAML, but the default configuration allows it to circumvent other authentication mechanisms that should be enforced.
The flaw allows attackers with valid user credentials to completely bypass additional authentication factors such as OTP (One-Time Password), security keys, or other MFA mechanisms. This is particularly dangerous in enterprise environments where MFA is a critical security control for protecting sensitive applications and data.
The vulnerability requires network access and valid user credentials to exploit, but once those prerequisites are met, an attacker can authenticate as any user without completing the MFA challenge. The impact is primarily on confidentiality and integrity, as attackers could access protected resources and potentially modify data or configurations.
Root Cause
The root cause stems from Keycloak's default configuration enabling the ECP flow for all SAML clients without explicit opt-in. When processing SAML authentication requests via the ECP endpoint, Keycloak did not properly enforce that all configured authentication flows (including MFA) must be completed. The ECP binding processed the basic credentials in the Authorization header and granted access without triggering secondary authentication challenges.
Attack Vector
The attack is network-based and can be executed by any authenticated user with valid credentials. The attacker crafts a SOAP request targeting the ECP endpoint with an embedded SAML AuthnRequest. The request includes an HTTP Authorization header with the victim user's credentials (username and password). When processed by Keycloak, the ECP flow validates the credentials but skips the MFA challenge, issuing a valid SAML assertion that grants access to the target application.
POST /auth/realms/{realm}/protocol/saml/ecp HTTP/1.1
Host: keycloak-server.example.com
Content-Type: application/vnd.paos+xml
Authorization: Basic {base64-encoded-credentials}
<!-- SOAP envelope with AuthnRequest omitted for security -->
The vulnerability is exploitable whenever valid user credentials are available, whether through phishing, credential stuffing, or other means, effectively reducing the security posture to single-factor authentication.
Detection Methods for CVE-2021-3827
Indicators of Compromise
- Unexpected SOAP requests to the /auth/realms/{realm}/protocol/saml/ecp endpoint
- Successful authentications that skip configured MFA flows
- Authorization headers containing Basic authentication in ECP endpoint requests
- SAML assertions issued without corresponding MFA challenge completions
- Anomalous login patterns where users authenticate without expected MFA events
Detection Strategies
- Monitor Keycloak authentication logs for ECP endpoint access patterns
- Implement alerts for SAML assertions issued without MFA event completion
- Audit SAML client configurations for ECP flow enablement status
- Review access logs for Content-Type: application/vnd.paos+xml requests
- Correlate successful logins with missing MFA verification events
Monitoring Recommendations
- Enable verbose logging for SAML authentication events in Keycloak
- Configure SIEM rules to detect ECP endpoint abuse patterns
- Monitor for unusual authentication flows that bypass expected MFA steps
- Track changes to SAML client configurations, especially ECP-related settings
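The following Python script is an added example, not part of this advisory, that turns the indicators and detection strategies above into code: it scans an access log for requests to the /auth/realms/{realm}/protocol/saml/ecp endpoint and annotates each hit with the indicators it matched (PAOS content type, Basic authentication, success), and it correlates login events against MFA verification events to surface logins by MFA-enrolled users that completed without one. The JSON-lines access log layout, the "LOGIN" and "OTP_VERIFIED" event types, the user set and all sample records are constructed for this example; map them onto the fields your proxy and Keycloak event listener actually emit.

```python
"""Detection helpers for ECP-endpoint abuse (added example, not from the advisory)."""
import json
import re
from datetime import datetime, timedelta

ECP_PATH = re.compile(r"^/auth/realms/(?P<realm>[^/]+)/protocol/saml/ecp/?$")
PAOS_TYPE = "application/vnd.paos+xml"

# Constructed sample in JSON-lines form, roughly what a reverse proxy in front
# of Keycloak could log. Field names are assumptions of this example. Only the
# scheme seen in the Authorization header is logged, never the credentials.
SAMPLE_ACCESS_LOG = """\
{"ts": "2022-08-23T10:00:01Z", "src": "198.51.100.7", "method": "POST", "path": "/auth/realms/corp/protocol/saml/ecp", "content_type": "application/vnd.paos+xml", "auth_scheme": "Basic", "status": 200}
{"ts": "2022-08-23T10:00:05Z", "src": "203.0.113.9", "method": "GET", "path": "/auth/realms/corp/protocol/openid-connect/auth", "content_type": "", "auth_scheme": "", "status": 302}
{"ts": "2022-08-23T10:01:12Z", "src": "198.51.100.7", "method": "POST", "path": "/auth/realms/corp/protocol/saml/ecp", "content_type": "application/vnd.paos+xml", "auth_scheme": "Basic", "status": 401}
{"ts": "2022-08-23T10:02:00Z", "src": "192.0.2.44", "method": "POST", "path": "/auth/realms/corp/protocol/saml", "content_type": "application/x-www-form-urlencoded", "auth_scheme": "", "status": 200}
"""

# Constructed Keycloak-style login events reduced to the fields this example
# needs. "OTP_VERIFIED" stands in for whatever event your MFA step emits.
SAMPLE_EVENTS = [
    {"ts": "2022-08-23T09:58:30Z", "type": "LOGIN", "user": "carol", "src": "203.0.113.9"},
    {"ts": "2022-08-23T09:58:41Z", "type": "OTP_VERIFIED", "user": "carol", "src": "203.0.113.9"},
    {"ts": "2022-08-23T10:00:01Z", "type": "LOGIN", "user": "alice", "src": "198.51.100.7"},
]

# Constructed: users whose configured flow includes an OTP step.
MFA_REQUIRED_USERS = {"alice", "carol"}


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def flag_ecp_requests(log_text):
    """Return every ECP endpoint hit, annotated with the indicators it matched."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        m = ECP_PATH.match(rec.get("path", ""))
        if not m:
            continue
        indicators = ["ecp_endpoint"]
        if rec.get("content_type", "").lower().startswith(PAOS_TYPE):
            indicators.append("paos_content_type")
        if rec.get("auth_scheme", "").lower() == "basic":
            indicators.append("basic_auth")
        if rec.get("status") == 200:
            indicators.append("success")
        findings.append({"ts": rec["ts"], "src": rec["src"],
                         "realm": m.group("realm"), "indicators": indicators})
    return findings


def logins_without_mfa(events, mfa_users, window_seconds=300):
    """LOGIN events for MFA-enrolled users with no OTP_VERIFIED event for the
    same user within window_seconds before or after the login."""
    verified_at = {}
    for ev in events:
        if ev["type"] == "OTP_VERIFIED":
            verified_at.setdefault(ev["user"], []).append(parse_ts(ev["ts"]))
    window = timedelta(seconds=window_seconds)
    suspicious = []
    for ev in events:
        if ev["type"] != "LOGIN" or ev["user"] not in mfa_users:
            continue
        t = parse_ts(ev["ts"])
        if not any(abs(t - v) <= window for v in verified_at.get(ev["user"], [])):
            suspicious.append({"ts": ev["ts"], "user": ev["user"], "src": ev["src"]})
    return suspicious


if __name__ == "__main__":
    for f in flag_ecp_requests(SAMPLE_ACCESS_LOG):
        print("ECP request:", f)
    for s in logins_without_mfa(SAMPLE_EVENTS, MFA_REQUIRED_USERS):
        print("login without MFA:", s)
```

On the sample data the first ECP hit carries all four indicators (a successful Basic-authenticated PAOS request) and alice's login is reported because no OTP verification accompanies it, while carol's login is cleared by the OTP event eleven seconds later. A hit on the endpoint alone is not proof of abuse where ECP is legitimately used, so feed the source address and user into the same correlation rather than alerting on the path by itself.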
How to Mitigate CVE-2021-3827
Immediate Actions Required
- Review all SAML client configurations and disable ECP flow where not explicitly required
- Apply the latest Keycloak security patches from Red Hat
- Audit recent authentication logs for potential exploitation attempts
- Implement additional network-level controls to restrict ECP endpoint access
Patch Information
Red Hat has addressed this vulnerability by disabling the ECP flow by default for all SAML clients. The fix introduces a new configuration attribute saml.allow.ecp.flow that must be explicitly enabled for clients requiring ECP functionality. Organizations should apply the patched versions immediately.
For detailed patch information, refer to the Red Hat CVE-2021-3827 Advisory, Red Hat Bug Report #2007512, and the GitHub Security Advisory GHSA-4pc7-vqv5-5r3v.
The fix adds explicit ECP flow control in the SAML client configuration:
    public boolean allowECPFlow() {
        return "true".equals(resolveAttribute(SamlConfigAttributes.SAML_ALLOW_ECP_FLOW));
    }

    public void setAllowECPFlow(boolean val) {
        client.setAttribute(SamlConfigAttributes.SAML_ALLOW_ECP_FLOW, Boolean.toString(val));
    }
Source: Keycloak Commit Update
The new configuration attribute is defined as:
String SAML_ALLOW_ECP_FLOW = "saml.allow.ecp.flow";
Source: Keycloak Commit Update
Workarounds
- Explicitly disable ECP flow for all SAML clients that do not require it
- Implement network-level access controls to restrict access to the ECP endpoint
- Use web application firewall rules to block or log PAOS content-type requests
- Consider implementing additional authentication controls at the application layer
# Keycloak CLI command to disable ECP flow for a SAML client
/opt/keycloak/bin/kcadm.sh update clients/{client-id} \
-r {realm} \
-s 'attributes."saml.allow.ecp.flow"=false'
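The following Python script is an added example, not part of this advisory or of Keycloak, covering the first immediate action and the first workaround above: it audits the client list of a realm for SAML clients whose saml.allow.ecp.flow attribute is absent (implicitly enabled on unpatched servers) or set to "true", and emits the kcadm update command shown above for every client not on a reviewed allow list. The client JSON mirrors the shape of the client representations that kcadm.sh get clients -r {realm} returns, but the records, ids, client names and the approved set are constructed for this example.

```python
"""Audit SAML clients for ECP flow exposure (added example, not from the advisory)."""
import json

ECP_ATTR = "saml.allow.ecp.flow"  # attribute introduced by the fix (named in the advisory)

# Constructed sample of a client list as returned by `kcadm.sh get clients`,
# trimmed to the fields this example uses.
SAMPLE_CLIENTS_JSON = """
[
  {"id": "0a1b2c3d-0000-4000-8000-000000000001", "clientId": "legacy-mail-sp", "protocol": "saml",
   "attributes": {"saml.assertion.signature": "true"}},
  {"id": "0a1b2c3d-0000-4000-8000-000000000002", "clientId": "payroll-sp", "protocol": "saml",
   "attributes": {"saml.allow.ecp.flow": "true"}},
  {"id": "0a1b2c3d-0000-4000-8000-000000000003", "clientId": "hr-portal-sp", "protocol": "saml",
   "attributes": {"saml.allow.ecp.flow": "false"}},
  {"id": "0a1b2c3d-0000-4000-8000-000000000004", "clientId": "web-app", "protocol": "openid-connect",
   "attributes": {}}
]
"""

# Constructed: clients for which ECP is a reviewed, documented business need.
ECP_APPROVED = {"payroll-sp"}


def audit_ecp_clients(clients_json, approved):
    """Return SAML clients whose ECP setting is not an explicit "false".

    Before the fix a missing attribute meant ECP was enabled by default, so
    both a missing attribute and an explicit "true" are reported; the result
    records whether the client is on the approved list."""
    findings = []
    for c in json.loads(clients_json):
        if c.get("protocol") != "saml":
            continue
        value = c.get("attributes", {}).get(ECP_ATTR)
        if value == "false":
            continue
        state = ("missing (enabled by default before the fix)" if value is None
                 else f"explicitly {value}")
        findings.append({"id": c["id"], "clientId": c["clientId"],
                         "state": state, "approved": c["clientId"] in approved})
    return findings


def remediation_commands(findings, realm, kcadm="/opt/keycloak/bin/kcadm.sh"):
    """kcadm command lines, in the form the advisory shows, for unapproved clients.
    clients/<id> takes the internal id, not the human-readable clientId."""
    cmds = []
    for f in findings:
        if f["approved"]:
            continue
        cmds.append(f"{kcadm} update clients/{f['id']} -r {realm} "
                    f"-s 'attributes.\"{ECP_ATTR}\"=false'")
    return cmds


if __name__ == "__main__":
    found = audit_ecp_clients(SAMPLE_CLIENTS_JSON, ECP_APPROVED)
    for f in found:
        print(f"{'approved' if f['approved'] else 'DISABLE':8} {f['clientId']:16} {f['state']}")
    print()
    print("\n".join(remediation_commands(found, realm="corp")))
```

Run against a real export by replacing SAMPLE_CLIENTS_JSON with the output of kcadm.sh get clients -r {realm} and review the printed commands before executing them; on a patched server a missing attribute already means disabled, so the "missing" finding only matters for versions without the fix. Keep the approved set under change control, since it is the only thing that distinguishes an intended ECP client from one exposed by the default.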
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.