CVE-2024-21643: IdentityModel Extensions for .NET RCE Flaw

CVE-2024-21643 Overview

CVE-2024-21643 is a Server-Side Request Forgery (SSRF) vulnerability affecting IdentityModel Extensions for .NET, a collection of assemblies for web developers utilizing federated identity providers. The vulnerability exists in the SignedHttpRequest protocol implementation, where the library trusts the jku (JSON Web Key Set URL) claim by default without proper validation. This allows attackers to force the application to make arbitrary HTTP GET requests to remote or local endpoints.

Critical Impact
Attackers with low privileges can exploit the trusted jku claim to perform Server-Side Request Forgery attacks, potentially accessing internal services, exfiltrating sensitive data, or pivoting to other network resources.

Affected Products

Microsoft IdentityModel Extensions for .NET versions prior to 7.1.2 (7.x branch)
Microsoft IdentityModel Extensions for .NET versions prior to 6.34.0 (6.x branch)
Applications using SignedHttpRequest protocol or SignedHttpRequestValidator

Discovery Timeline

2024-01-10 - CVE-2024-21643 published to NVD
2024-11-21 - Last updated in NVD database

Technical Details for CVE-2024-21643

Vulnerability Analysis

This vulnerability stems from improper trust handling in the SignedHttpRequest protocol implementation within Microsoft.IdentityModel.Protocols.SignedHttpRequest. The jku (JSON Web Key Set URL) claim in a signed HTTP request specifies where the public key can be retrieved to verify the signature. By default, the library trusts this claim without proper validation, creating an SSRF condition.

When processing a signed HTTP request, the SignedHttpRequestValidator automatically fetches the JSON Web Key Set from the URL specified in the jku claim. An attacker can craft a malicious signed request with a jku claim pointing to internal services, cloud metadata endpoints, or other sensitive resources. The server will then make an HTTP GET request to the attacker-controlled URL, potentially exposing internal data or enabling further attacks.

The vulnerability is classified under CWE-94 (Improper Control of Generation of Code), reflecting the risk of code injection through the untrusted claim processing.

Root Cause

The root cause is the default trust behavior for the jku claim in the SignedHttpRequest protocol implementation. The library fails to validate or restrict the URLs that can be specified in the jku claim, allowing any URL to be fetched. This design decision prioritizes convenience over security, as it assumes the jku claim originates from a trusted source.

The vulnerable code path exists in Microsoft.IdentityModel.Protocols.SignedHttpRequest where the SignedHttpRequestValidator processes incoming requests and automatically resolves the key set URL without URL allowlisting or validation.

Attack Vector

The attack vector is network-based and requires low privileges to execute. An authenticated attacker can exploit this vulnerability by:

Crafting a signed HTTP request with a malicious jku claim pointing to an internal endpoint (e.g., cloud metadata services, internal APIs)
Submitting the request to an application using the vulnerable SignedHttpRequestValidator
The application automatically fetches the URL specified in jku, making the HTTP GET request on behalf of the attacker
The response or side effects from this request can leak sensitive information or enable further exploitation

The vulnerability can be exploited to access cloud metadata services (AWS IMDSv1, Azure IMDS), internal microservices, configuration endpoints, or perform port scanning of internal networks. Since the request originates from the trusted application server, it may bypass network-level access controls.

Detection Methods for CVE-2024-21643

Indicators of Compromise

Unusual outbound HTTP GET requests from application servers to internal IP ranges or localhost
HTTP requests to cloud metadata endpoints (e.g., 169.254.169.254) from unexpected sources
Signed HTTP requests containing jku claims pointing to internal or suspicious URLs
Unexpected network connections from .NET application processes to internal services

Detection Strategies

Monitor application logs for SignedHttpRequest validation events with unusual jku URLs
Implement network-level monitoring for outbound connections from application servers to internal IP ranges
Configure Web Application Firewalls (WAF) to inspect and alert on signed requests with suspicious jku claims
Review audit logs for authentication requests containing external or internal URL references in JWT-related claims

Monitoring Recommendations

Enable detailed logging for the IdentityModel library to capture jku claim values during request processing
Set up alerts for outbound HTTP requests from application servers to RFC 1918 private IP ranges
Monitor cloud metadata service access patterns for anomalous requests
Implement network segmentation monitoring to detect lateral movement attempts via SSRF

How to Mitigate CVE-2024-21643

Immediate Actions Required

Update Microsoft.IdentityModel packages to version 7.1.2 or higher for the 7.x branch
Update Microsoft.IdentityModel packages to version 6.34.0 or higher for the 6.x branch
Audit all applications using SignedHttpRequest protocol or SignedHttpRequestValidator
Review network egress rules to restrict outbound connections from application servers

Patch Information

Microsoft has released security patches that address this vulnerability by implementing proper validation of the jku claim. The fixes are available in:

For detailed information about the vulnerability and remediation steps, refer to the GitHub Security Advisory GHSA-rv9j-c866-gp5h and the JKU CVE wiki article.

Workarounds

Implement URL allowlisting at the network level to prevent the application from making requests to internal endpoints
Configure egress firewall rules to block access to cloud metadata services and internal IP ranges
Consider disabling the SignedHttpRequest protocol if not required for your application
Implement a reverse proxy or security gateway that validates jku claims before they reach the application

bash

# Example: Update NuGet packages to patched versions
dotnet add package Microsoft.IdentityModel.Protocols.SignedHttpRequest --version 7.1.2

# For 6.x branch
dotnet add package Microsoft.IdentityModel.Protocols.SignedHttpRequest --version 6.34.0

# Verify installed package versions
dotnet list package --include-transitive | grep -i identitymodel

CVE-2024-21643 Overview

Critical Impact
Attackers with low privileges can exploit the trusted jku claim to perform Server-Side Request Forgery attacks, potentially accessing internal services, exfiltrating sensitive data, or pivoting to other network resources.

Affected Products

Microsoft IdentityModel Extensions for .NET versions prior to 7.1.2 (7.x branch)
Microsoft IdentityModel Extensions for .NET versions prior to 6.34.0 (6.x branch)
Applications using SignedHttpRequest protocol or SignedHttpRequestValidator

Discovery Timeline

2024-01-10 - CVE-2024-21643 published to NVD
2024-11-21 - Last updated in NVD database

Technical Details for CVE-2024-21643

Vulnerability Analysis

The vulnerability is classified under CWE-94 (Improper Control of Generation of Code), reflecting the risk of code injection through the untrusted claim processing.

Root Cause

Attack Vector

The attack vector is network-based and requires low privileges to execute. An authenticated attacker can exploit this vulnerability by:

Crafting a signed HTTP request with a malicious jku claim pointing to an internal endpoint (e.g., cloud metadata services, internal APIs)
Submitting the request to an application using the vulnerable SignedHttpRequestValidator
The application automatically fetches the URL specified in jku, making the HTTP GET request on behalf of the attacker
The response or side effects from this request can leak sensitive information or enable further exploitation

Detection Methods for CVE-2024-21643

Indicators of Compromise

Unusual outbound HTTP GET requests from application servers to internal IP ranges or localhost
HTTP requests to cloud metadata endpoints (e.g., 169.254.169.254) from unexpected sources
Signed HTTP requests containing jku claims pointing to internal or suspicious URLs
Unexpected network connections from .NET application processes to internal services

Detection Strategies

Monitor application logs for SignedHttpRequest validation events with unusual jku URLs
Implement network-level monitoring for outbound connections from application servers to internal IP ranges
Configure Web Application Firewalls (WAF) to inspect and alert on signed requests with suspicious jku claims
Review audit logs for authentication requests containing external or internal URL references in JWT-related claims

Monitoring Recommendations

Enable detailed logging for the IdentityModel library to capture jku claim values during request processing
Set up alerts for outbound HTTP requests from application servers to RFC 1918 private IP ranges
Monitor cloud metadata service access patterns for anomalous requests
Implement network segmentation monitoring to detect lateral movement attempts via SSRF

How to Mitigate CVE-2024-21643

Immediate Actions Required

Update Microsoft.IdentityModel packages to version 7.1.2 or higher for the 7.x branch
Update Microsoft.IdentityModel packages to version 6.34.0 or higher for the 6.x branch
Audit all applications using SignedHttpRequest protocol or SignedHttpRequestValidator
Review network egress rules to restrict outbound connections from application servers

Patch Information

Microsoft has released security patches that address this vulnerability by implementing proper validation of the jku claim. The fixes are available in:

For detailed information about the vulnerability and remediation steps, refer to the GitHub Security Advisory GHSA-rv9j-c866-gp5h and the JKU CVE wiki article.

Workarounds

Implement URL allowlisting at the network level to prevent the application from making requests to internal endpoints
Configure egress firewall rules to block access to cloud metadata services and internal IP ranges
Consider disabling the SignedHttpRequest protocol if not required for your application
Implement a reverse proxy or security gateway that validates jku claims before they reach the application

bash

# Example: Update NuGet packages to patched versions
dotnet add package Microsoft.IdentityModel.Protocols.SignedHttpRequest --version 7.1.2

# For 6.x branch
dotnet add package Microsoft.IdentityModel.Protocols.SignedHttpRequest --version 6.34.0

# Verify installed package versions
dotnet list package --include-transitive | grep -i identitymodel

CVE-2024-21643: IdentityModel Extensions for .NET RCE Flaw

CVE-2024-21643 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2024-21643

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2024-21643

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2024-21643

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform

CVE-2024-21643: IdentityModel Extensions for .NET RCE Flaw

CVE-2024-21643 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2024-21643

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2024-21643

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2024-21643

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform