OpenRemote
cpe:2.3:a:openremote:openremote:*:*:*:*:*:*:*
- <= 1.22.0
A privilege escalation vulnerability has been identified in OpenRemote versions prior to 1.22.1. The issue arises in the Manager API, where a user with the 'write:admin' role in one Keycloak realm can update realm roles for users in another realm, including the 'master' realm. The vulnerability exists because the API checks only that the caller holds the role and does not verify that the caller has the authority to administer the targeted realm. As a result, an attacker could escalate privileges to become a 'master' realm administrator, especially if they already control a user in the 'master' realm.
Exploitation of this vulnerability allows an attacker to gain Keycloak administrator access in the 'master' realm by improperly assigning admin roles to users.
To reproduce this vulnerability, create a new Keycloak realm (referred to as 'NEW_REALM') and grant a user the 'write:admin' role. Then, authenticate as this user to obtain a Bearer token. With this token, send a request to the Manager API to update the realm roles of a low-privilege user in the 'master' realm, assigning them the admin role. After the request is processed, the targeted user will have admin privileges in the 'master' realm, demonstrating the successful exploitation of the vulnerability.
Users are advised to update OpenRemote to version 1.22.1 or later, where this vulnerability has been fixed.
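The missing check described above, shown as an added illustrative example rather than OpenRemote's own code: the pre-fix shape verifies only the 'write:admin' role, while the hardened shape also requires the caller to be entitled to administer the targeted realm. It assumes that a caller carries the realm its Bearer token was issued in together with its roles, and that only 'master' realm admins may administer other realms (both assumptions for this demo).

```python
"""Illustrative realm-scope authorization check for a realm-role update
endpoint. Added example; not OpenRemote's code."""
from dataclasses import dataclass, field

MASTER_REALM = "master"
ADMIN_ROLE = "write:admin"


@dataclass(frozen=True)
class Caller:
    realm: str                                   # realm that issued the token
    roles: frozenset = field(default_factory=frozenset)


def vulnerable_can_update_roles(caller: Caller, target_realm: str) -> bool:
    """Pre-fix shape: only the role is verified, so a 'write:admin' user in
    any realm passes for any target realm (the advisory's bug class)."""
    return ADMIN_ROLE in caller.roles


def hardened_can_update_roles(caller: Caller, target_realm: str) -> bool:
    """Fixed shape: the role is required AND the caller must be allowed to
    administer the *targeted* realm, not just some realm."""
    if ADMIN_ROLE not in caller.roles:
        return False
    if caller.realm == MASTER_REALM:
        return True   # assumption: master admins may administer all realms
    return caller.realm == target_realm


def audit_event(caller: Caller, target_realm: str, target_user: str) -> dict:
    """Audit record worth emitting on every role update, so denied
    cross-realm attempts are visible to detection, not silently dropped."""
    allowed = hardened_can_update_roles(caller, target_realm)
    return {
        "caller_realm": caller.realm,
        "target_realm": target_realm,
        "target_user": target_user,
        "cross_realm": caller.realm != target_realm,
        "allowed": allowed,
    }


if __name__ == "__main__":
    # Constructed scenario from the advisory: 'write:admin' in NEW_REALM
    # targeting a low-privilege user in 'master'.
    attacker = Caller("NEW_REALM", frozenset({ADMIN_ROLE}))
    print(vulnerable_can_update_roles(attacker, MASTER_REALM))  # True  (bug)
    print(hardened_can_update_roles(attacker, MASTER_REALM))    # False (fixed)
    print(audit_event(attacker, MASTER_REALM, "lowpriv-user"))
```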