CVE-2024-23656 Overview
CVE-2024-23656 affects Dex, an identity service that uses OpenID Connect (OIDC) to drive authentication for other applications. Dex version 2.37.0 serves HTTPS traffic with insecure TLS 1.0 and TLS 1.1 protocols enabled. The vulnerability stems from a regression introduced by the TLS cert reloader feature in v2.37.0, which causes the entire tlsConfig defined at cmd/dex/serve.go line 425 to be ignored at runtime. Configured cipher suites and the minimum TLS version are not respected. Attackers on the network path can downgrade connections and exploit weaknesses in legacy TLS protocols to compromise the confidentiality of authentication traffic.
Critical Impact
Authentication traffic protected by Dex 2.37.0 can be intercepted or decrypted through known weaknesses in TLS 1.0/1.1, exposing OIDC tokens and credentials in transit.
Affected Products
- Linux Foundation Dex 2.37.0
- Deployments relying on Dex for OIDC-based authentication
- Kubernetes and downstream platforms using Dex 2.37.0 as an identity provider
Discovery Timeline
- 2024-01-25 - CVE-2024-23656 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2024-23656
Vulnerability Analysis
Dex is a federated OIDC provider written in Go. In version 2.37.0 the project introduced a TLS certificate reloader to support hot-reload of certificates without restarting the process. The change replaced the previous server bootstrap path and inadvertently dropped the constructed tls.Config value. As a result, the server accepts connections using Go's default TLS settings, which permit TLS 1.0 and TLS 1.1 and ignore the curated cipher suite list. The weakness is categorized under CWE-326 (Inadequate Encryption Strength). Legacy TLS versions are vulnerable to attacks such as BEAST, POODLE, and Lucky13, allowing attackers in a privileged network position to recover plaintext or session material from intercepted traffic.
Root Cause
The TLS minimum version and cipher suite list were constructed in cmd/dex/serve.go but the reloader code path discarded the tlsConfig struct before passing it to the listener. The compiled-in protection was never applied to live connections.
Attack Vector
An attacker who can observe or intercept HTTPS traffic between clients and the Dex endpoint can attempt to negotiate down to TLS 1.0 or TLS 1.1, then apply known cryptanalytic attacks against the chosen cipher. The flaw is exploitable over the network without authentication or user interaction.
// Security patch in cmd/dex/serve.go - feat: add TLS versions configuration
// (excerpt: the opening of the allowedTLSCiphers slice precedes this fragment)
	tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
}
// Config strings accepted for tlsMinVersion / tlsMaxVersion; only 1.2 and 1.3 are offered.
allowedTLSVersions := map[string]int{
	"1.2": tls.VersionTLS12,
	"1.3": tls.VersionTLS13,
}
if c.GRPC.TLSCert != "" {
	tlsMinVersion := tls.VersionTLS12 // floor defaults to TLS 1.2 when unset
	if c.GRPC.TLSMinVersion != "" {
		tlsMinVersion = allowedTLSVersions[c.GRPC.TLSMinVersion]
	}
	tlsMaxVersion := 0 // default for max is whatever Go defaults to
	if c.GRPC.TLSMaxVersion != "" {
		tlsMaxVersion = allowedTLSVersions[c.GRPC.TLSMaxVersion]
	}
	// The base config is built explicitly and handed to the listener instead of being discarded.
	baseTLSConfig := &tls.Config{
		MinVersion:               uint16(tlsMinVersion),
		MaxVersion:               uint16(tlsMaxVersion),
		CipherSuites:             allowedTLSCiphers,
		PreferServerCipherSuites: true,
	}
	// ... (remainder of the gRPC listener setup not shown in this excerpt)
// Source: https://github.com/dexidp/dex/commit/5bbdb4420254ba73b9c4df4775fe7bdacf233b17
The patch reinstates explicit MinVersion and MaxVersion enforcement and exposes them as configuration fields, ensuring the listener honors the intended TLS policy.
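The pattern the patch restores, as an added example that is not Dex's own code: a tls.Config builder that keeps the curated policy while adding the hot-reload hook, the regression pattern that dropped it, and an audit check to run on whatever config actually reaches the listener. The cipher list, the function names and the certificate-loader signature are assumptions for illustration; the version map mirrors the one in the patch.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// Same string-to-constant map the patch uses for tlsMinVersion/tlsMaxVersion.
var allowedTLSVersions = map[string]uint16{"1.2": tls.VersionTLS12, "1.3": tls.VersionTLS13}

// policyTLSConfig keeps the curated policy and ADDS the hot-reload hook (GetCertificate) to it.
// Unknown version strings are rejected: a map miss would yield 0, which crypto/tls reads as "Go default".
func policyTLSConfig(minVer, maxVer string, getCert func(*tls.ClientHelloInfo) (*tls.Certificate, error)) (*tls.Config, error) {
	cfg := &tls.Config{
		MinVersion:     tls.VersionTLS12,                                     // default floor, as in the patch
		CipherSuites:   []uint16{tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384}, // hypothetical short list
		GetCertificate: getCert,
	}
	if minVer != "" {
		v, ok := allowedTLSVersions[minVer]
		if !ok {
			return nil, fmt.Errorf("unsupported tlsMinVersion %q", minVer)
		}
		cfg.MinVersion = v
	}
	if maxVer != "" {
		v, ok := allowedTLSVersions[maxVer]
		if !ok || v < cfg.MinVersion {
			return nil, fmt.Errorf("unsupported tlsMaxVersion %q", maxVer)
		}
		cfg.MaxVersion = v
	}
	return cfg, nil
}

// reloaderConfigBroken is the 2.37.0 regression pattern: a fresh config carrying only the certificate loader.
func reloaderConfigBroken(getCert func(*tls.ClientHelloInfo) (*tls.Certificate, error)) *tls.Config {
	return &tls.Config{GetCertificate: getCert}
}

// auditTLSConfig checks the config actually handed to the listener; an empty result means the policy survived.
func auditTLSConfig(cfg *tls.Config) (findings []string) {
	if cfg.MinVersion < tls.VersionTLS12 { // 0 (unset) means Go's defaults apply
		findings = append(findings, "MinVersion unset or below TLS 1.2")
	}
	if len(cfg.CipherSuites) == 0 {
		findings = append(findings, "CipherSuites unset; Go defaults apply")
	}
	return findings
}

func main() {
	good, _ := policyTLSConfig("1.2", "1.3", nil)
	fmt.Println("patched:", auditTLSConfig(good), "| 2.37.0 pattern:", auditTLSConfig(reloaderConfigBroken(nil)))
}
```

The same audit can be wired into a unit test around the real listener setup so a future refactor that drops the config again fails CI instead of shipping.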
Detection Methods for CVE-2024-23656
Indicators of Compromise
- Successful TLS handshakes against a Dex endpoint negotiating protocol versions TLS 1.0 or TLS 1.1.
- Use of legacy cipher suites such as RC4, 3DES, or CBC-mode ciphers in sessions to Dex listener ports.
- Dex server version banner or container image tag reporting v2.37.0.
Detection Strategies
- Run a TLS scanner such as testssl.sh, sslyze, or nmap --script ssl-enum-ciphers against the Dex HTTPS and gRPC endpoints to enumerate supported protocols.
- Inventory Helm charts, Kubernetes manifests, and container registries for the dexidp/dex:v2.37.0 image tag.
- Inspect TLS session metadata in network monitoring tools for connections to Dex ports completing with TLS 1.0 or TLS 1.1.
Monitoring Recommendations
- Forward Dex access logs and TLS handshake telemetry to a central analytics platform and alert on non-TLS 1.2/1.3 sessions.
- Track Dex pod image digests in CI/CD pipelines and flag any deployment of 2.37.0 across clusters.
- Continuously monitor identity provider endpoints with external TLS posture scanners to identify regressions.
How to Mitigate CVE-2024-23656
Immediate Actions Required
- Upgrade Dex to version 2.38.0 or later, where the TLS configuration is correctly applied to the listener.
- Audit all environments for the dexidp/dex:v2.37.0 image and replace it in Helm releases, Kustomize bases, and GitOps repositories.
- Rotate any OIDC client secrets and signing keys handled by Dex 2.37.0 instances that were exposed to untrusted networks.
Patch Information
The fix landed in the Dex 2.38.0 release commit via pull request #2964. The change re-applies the tls.Config struct to both HTTPS and gRPC listeners and adds TLSMinVersion and TLSMaxVersion configuration keys for web and grpc sections. Full details are available in the Dex GitHub Security Advisory GHSA-gr79-9v6v-gc9r.
Workarounds
- Terminate TLS for Dex at an upstream reverse proxy or service mesh (for example, Envoy, NGINX, or Istio) that enforces TLS 1.2 minimum and a vetted cipher suite list.
- Restrict network exposure of the Dex listener to trusted internal networks using NetworkPolicy or firewall rules until the upgrade is completed.
- Disable legacy TLS at the load balancer layer when direct Dex upgrade is not yet possible.
# Configuration example for Dex 2.38.0+ enforcing modern TLS
web:
  http: 0.0.0.0:5556
  https: 0.0.0.0:5554
  tlsCert: /etc/dex/tls.crt
  tlsKey: /etc/dex/tls.key
  tlsMinVersion: "1.2"
  tlsMaxVersion: "1.3"
grpc:
  addr: 0.0.0.0:5557
  tlsCert: /etc/dex/tls.crt
  tlsKey: /etc/dex/tls.key
  tlsMinVersion: "1.2"
  tlsMaxVersion: "1.3"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.