NeuVector OpenID Connect Man-in-the-Middle Vulnerability

Vulnerability

A man-in-the-middle vulnerability has been identified in NeuVector's OpenID Connect authentication feature. The issue arises because TLS verification, which is crucial for ensuring the authenticity and integrity of the remote server, is not enforced by default. This oversight can expose the system to potential MITM attacks. While versions 5.4.0 and above include support for TLS verification in OpenID Connect, the feature is disabled by default. Users must manually enable it through the NeuVector UI.

Impact

The lack of enforced TLS verification in OpenID Connect authentication can lead to man-in-the-middle attacks, allowing an attacker to intercept and potentially alter communications between the client and the authentication server.

Remediation

To address this vulnerability, users can upgrade to NeuVector version 5.4.8 or later, where TLS verification is enabled by default. For those using rolling upgrades, it is recommended to manually enable TLS verification in the NeuVector UI under 'Settings > Configuration'.

Added: Jan 8, 2026, 11:19 AM
Updated: Jan 8, 2026, 6:55 PM

Vulnerability Rating

Custom Algorithm

Category        Score
spread          1.4
impact          1.3
exploitability  5.6
remediation     8.3
relevance       2.0
threat          0.0
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.