Keycloak
cpe:2.3:a:redhat:jboss_keycloak:*:*:*:*:*:*:*, +1 more
A vulnerability in Keycloak's WebAuthn required-action flow allows a remote attacker to replay an 'ExecuteActionsActionToken', the action token carried in execute-actions email links, leading to unauthorized enrollment of a WebAuthn (hardware-backed) credential and persistent account takeover. The root cause is in 'canUseTokenRepeatedly()': it treats a token as reusable when none of the required actions it carries is marked one-time, and the WebAuthn registration actions fall on the reusable side, so the token is never invalidated after its first use. An attacker who obtains such a link (for example by intercepting the email, or by recovering it after the victim has already used it) can therefore open it again and register their own authenticator on the victim's account. Exploitation requires that a WebAuthn required action be included in the execute-actions email and that the attacker obtain the link.
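The following is an added illustration for this advisory, not Keycloak source code. It models the decision described above as an assumption: a token counts as reusable unless at least one enabled required action it carries is flagged one-time, and only non-reusable tokens are recorded as consumed. The action names, the factory registry and the token store are constructed for the example, and 'UPDATE_PASSWORD' is assumed to be a one-time action.

```python
"""Model of how an execute-actions action token becomes replayable.

Added illustration for this advisory, not Keycloak source. The reuse rule,
the registry and the token store are assumptions constructed for the example.
"""
from dataclasses import dataclass


@dataclass
class RequiredActionFactory:
    provider_id: str
    enabled: bool = True
    one_time: bool = False   # assumed default: not one-time unless a factory opts in


def can_use_token_repeatedly(required_actions, registry):
    """Reusable when none of the known, enabled actions is one-time."""
    enabled = [registry[a] for a in required_actions
               if a in registry and registry[a].enabled]
    return not any(f.one_time for f in enabled)


class ActionTokenStore:
    """Single-use bookkeeping: a token id is remembered only if it is not reusable."""

    def __init__(self, registry):
        self.registry = registry
        self.consumed = set()

    def redeem(self, token_id, required_actions):
        if token_id in self.consumed:
            return False                      # replay of a consumed token is rejected
        if not can_use_token_repeatedly(required_actions, self.registry):
            self.consumed.add(token_id)       # first use burns a one-time token
        return True


def vulnerable_registry():
    # WebAuthn registration factories are not flagged one-time (the bug described above).
    return {
        "UPDATE_PASSWORD": RequiredActionFactory("UPDATE_PASSWORD", one_time=True),  # assumed one-time
        "webauthn-register": RequiredActionFactory("webauthn-register"),
        "webauthn-register-passwordless": RequiredActionFactory("webauthn-register-passwordless"),
    }


def hardened_registry():
    # Same registry with the WebAuthn factories marked one-time.
    reg = vulnerable_registry()
    for alias in ("webauthn-register", "webauthn-register-passwordless"):
        reg[alias].one_time = True
    return reg


def replay_attempts(registry, required_actions, token_id="tok-1"):
    """Redeem the same execute-actions link twice; return (first, second) outcomes."""
    store = ActionTokenStore(registry)
    first = store.redeem(token_id, required_actions)
    second = store.redeem(token_id, required_actions)
    return first, second


if __name__ == "__main__":
    print("vulnerable, webauthn only :", replay_attempts(vulnerable_registry(), ["webauthn-register"]))
    print("hardened,   webauthn only :", replay_attempts(hardened_registry(), ["webauthn-register"]))
    print("vulnerable, with password :", replay_attempts(vulnerable_registry(), ["UPDATE_PASSWORD", "webauthn-register"]))
```

The third case shows why the problem surfaces when WebAuthn registration is the only action in the link: as soon as any one-time action is bundled with it, the whole token is consumed on first use, but a link that carries only WebAuthn registration can be redeemed as many times as an attacker likes.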
Successful exploitation lets the attacker register their own WebAuthn authenticator on the victim's account. Because that credential is then a valid second factor (or passwordless credential) for the account, the attacker can authenticate as the victim without the victim's knowledge, and the access persists until the rogue authenticator is removed.
As a workaround, disable the WebAuthn required actions ('webauthn-register' and 'webauthn-register-passwordless') under the realm's Authentication > Required Actions settings if enrollment through execute-actions links is not essential for your deployment; consult the Keycloak documentation for the exact steps. Toggling a required action through the admin console or admin REST API takes effect immediately and does not require a restart. While the actions are disabled, users cannot enroll new WebAuthn authenticators (existing registered credentials are unaffected), so plan the change with any onboarding flow that depends on WebAuthn registration in mind. It is also worth reviewing affected accounts for WebAuthn credentials the user did not register.
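An audit script for the workaround above, added here and not Keycloak's own tooling: it reads a realm export (the JSON that Keycloak's realm export produces, with a `requiredActions` array), reports which WebAuthn required actions are enabled, and prints the `kcadm.sh` commands that disable them. The sample export is constructed for this example; the command form assumes `kcadm.sh update` merges `-s` values into the existing representation before sending the update, which is why a single field suffices.

```python
"""Audit a Keycloak realm export for enabled WebAuthn required actions and
emit the kcadm commands that disable them.

Added example, not Keycloak's own tooling. The realm export below is
constructed; the aliases are Keycloak's built-in WebAuthn required actions.
"""
import json

WEBAUTHN_ALIASES = {"webauthn-register", "webauthn-register-passwordless"}

# Constructed realm export, trimmed to the fields this check needs.
SAMPLE_REALM_EXPORT = json.dumps({
    "realm": "demo",
    "requiredActions": [
        {"alias": "UPDATE_PASSWORD", "name": "Update Password",
         "providerId": "UPDATE_PASSWORD", "enabled": True,
         "defaultAction": False, "priority": 30},
        {"alias": "webauthn-register", "name": "Webauthn Register",
         "providerId": "webauthn-register", "enabled": True,
         "defaultAction": False, "priority": 70},
        {"alias": "webauthn-register-passwordless",
         "name": "Webauthn Register Passwordless",
         "providerId": "webauthn-register-passwordless", "enabled": False,
         "defaultAction": False, "priority": 80},
    ],
})


def enabled_webauthn_actions(realm_export: str) -> list:
    """Aliases of WebAuthn required actions that are currently enabled."""
    realm = json.loads(realm_export)
    return sorted(
        ra["alias"]
        for ra in realm.get("requiredActions", [])
        if ra.get("enabled") and ra.get("providerId") in WEBAUTHN_ALIASES
    )


def kcadm_disable_commands(realm_export: str) -> list:
    """One kcadm command per enabled WebAuthn required action (assumed merge-then-update form)."""
    realm_name = json.loads(realm_export)["realm"]
    return [
        f"kcadm.sh update authentication/required-actions/{alias} "
        f"-r {realm_name} -s enabled=false"
        for alias in enabled_webauthn_actions(realm_export)
    ]


if __name__ == "__main__":
    import sys
    # Pass a real export file as the first argument, or run with the constructed sample.
    export = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REALM_EXPORT
    found = enabled_webauthn_actions(export)
    if not found:
        print("no WebAuthn required actions enabled")
    for cmd in kcadm_disable_commands(export):
        print(cmd)
```

Run it against the export of each realm you operate; an empty result means the workaround is already in place for that realm. Re-run after applying the commands to confirm the actions now show `enabled: false`.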