BIT-kafka-2024-56128
Incorrect Authentication Algorithm Implementation vulnerability in kafka_2.13 (Maven)
What is BIT-kafka-2024-56128 About?
This vulnerability affects Apache Kafka's SCRAM implementation: the server did not validate the client's nonce as RFC 5802 requires. It is exploitable only if SCRAM is used over plaintext communication, in which case it could allow an attacker to bypass authentication. Exploitation is difficult and is mitigated by using TLS.
Affected Software
- org.apache.kafka:kafka_2.13
  - >3.8.0, <3.8.1
  - >0.10.2.0, <3.7.2
- org.apache.kafka:kafka_2.12
  - >3.8.0, <3.8.1
  - >0.10.2.0, <3.7.2
- org.apache.kafka:kafka_2.11
  - >0.10.2.0, <=2.4.1
- org.apache.kafka:kafka_2.10
  - >0.10.2.0, <=0.10.2.2
Technical Details
Apache Kafka's SCRAM implementation, in versions 0.10.2.0 through 3.9.0 (excluding fixed versions), did not fully adhere to RFC 5802. Specifically, the server failed to verify that the nonce sent by the client in the second authentication message matched the nonce originally sent by the server in its first message. This omission in nonce validation could theoretically be exploited by an attacker who has plaintext access to the SCRAM authentication exchange. However, Kafka strongly discourages using SCRAM over plaintext and recommends TLS encryption to protect these exchanges, effectively mitigating the vulnerability for properly configured deployments. The issue was addressed by introducing explicit nonce verification in the final message of the SCRAM authentication exchange.
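The exchange described above, as an added example that is not Kafka's code: a minimal SCRAM-SHA-256 implementation (RFC 5802 with the SHA-256 profile of RFC 7677) with both the client and the server side of the four messages, showing where the nonce check required by RFC 5802 section 5.1 sits in the server's handling of the client-final message. The class and function names (ScramClient, ScramServer, stored_credentials, run_exchange), the user "alice", her password and the salt are constructed for this illustration.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed example of a SCRAM-SHA-256 exchange; not Kafka's implementation.


def _b64(b: bytes) -> str:
    return base64.b64encode(b).decode()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _parse(msg: str) -> dict:
    # "k=v,k=v" -> dict; split each attribute on its first '=' so that
    # base64 padding inside a value survives.
    return dict(part.split("=", 1) for part in msg.split(","))


def _hmac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def stored_credentials(password: str, salt: bytes, iterations: int) -> dict:
    # What the server stores per user: StoredKey and ServerKey, never the password.
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = _hmac(salted, b"Client Key")
    return {
        "salt": salt,
        "iterations": iterations,
        "stored_key": hashlib.sha256(client_key).digest(),
        "server_key": _hmac(salted, b"Server Key"),
    }


class ScramClient:
    def __init__(self, username: str, password: str):
        self.username, self.password = username, password
        self.nonce = secrets.token_hex(12)
        self.first_bare = f"n={username},r={self.nonce}"
        self.server_sig = None

    def first(self) -> str:
        return "n,," + self.first_bare  # GS2 header: no channel binding

    def final(self, server_first: str) -> str:
        sf = _parse(server_first)
        if not sf["r"].startswith(self.nonce):  # client side of the nonce rule
            raise ValueError("server nonce does not extend our nonce")
        salted = hashlib.pbkdf2_hmac("sha256", self.password.encode(),
                                     base64.b64decode(sf["s"]), int(sf["i"]))
        client_key = _hmac(salted, b"Client Key")
        without_proof = f"c=biws,r={sf['r']}"  # "biws" is base64("n,,")
        auth = f"{self.first_bare},{server_first},{without_proof}".encode()
        client_sig = _hmac(hashlib.sha256(client_key).digest(), auth)
        self.server_sig = _hmac(_hmac(salted, b"Server Key"), auth)
        return f"{without_proof},p={_b64(_xor(client_key, client_sig))}"

    def verify_server_final(self, server_final: str) -> bool:
        return hmac.compare_digest(_parse(server_final)["v"], _b64(self.server_sig))


class ScramServer:
    def __init__(self, credentials: dict):
        self.creds = credentials  # username -> stored_credentials(...)
        self.sessions = {}        # username -> (client_first_bare, server_first, nonce)

    def first(self, client_first: str) -> str:
        bare = client_first[len("n,,"):]
        cf = _parse(bare)
        cred = self.creds[cf["n"]]
        nonce = cf["r"] + secrets.token_hex(12)  # client nonce + server nonce
        msg = f"r={nonce},s={_b64(cred['salt'])},i={cred['iterations']}"
        self.sessions[cf["n"]] = (bare, msg, nonce)
        return msg

    def final(self, username: str, client_final: str):
        """Return the server-final message on success, None on failure."""
        bare, server_first, expected_nonce = self.sessions.pop(username)
        cf = _parse(client_final)
        # RFC 5802 section 5.1: the nonce in client-final MUST equal the nonce
        # the server sent in server-first. This is the check the Kafka fix added.
        if not hmac.compare_digest(cf["r"], expected_nonce):
            return None
        cred = self.creds[username]
        without_proof = client_final.rsplit(",p=", 1)[0]
        auth = f"{bare},{server_first},{without_proof}".encode()
        client_sig = _hmac(cred["stored_key"], auth)
        client_key = _xor(base64.b64decode(cf["p"]), client_sig)  # proof XOR signature
        if not hmac.compare_digest(hashlib.sha256(client_key).digest(), cred["stored_key"]):
            return None
        return f"v={_b64(_hmac(cred['server_key'], auth))}"


def run_exchange(server: ScramServer, username: str, password: str,
                 tamper_nonce: bool = False) -> bool:
    """Drive all four messages; True only if both sides authenticate each other."""
    client = ScramClient(username, password)
    server_first = server.first(client.first())
    client_final = client.final(server_first)
    if tamper_nonce:
        # Swap in a nonce the server never issued, to show the server rejects it.
        cf = _parse(client_final)
        client_final = f"c={cf['c']},r={'0' * len(cf['r'])},p={cf['p']}"
    server_final = server.final(username, client_final)
    return server_final is not None and client.verify_server_final(server_final)


# Constructed test user; salt and password are illustrative values.
SERVER = ScramServer({"alice": stored_credentials("correct horse", b"constructed-salt", 4096)})
```

run_exchange(SERVER, "alice", "correct horse") completes both directions; a wrong password fails at the proof comparison, and a client-final whose r= attribute does not match the server's nonce is refused before any proof arithmetic. In this implementation the proof also binds the nonce through AuthMessage, but RFC 5802 makes the explicit comparison mandatory, and the whole exchange, nonces and proof included, is readable by anyone on the path when the listener is plaintext rather than TLS.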
What is the Impact of BIT-kafka-2024-56128?
Successful exploitation may allow attackers to bypass SCRAM authentication if the protocol is used over an unprotected plaintext channel, leading to unauthorized access to Kafka brokers.
What is the Exploitability of BIT-kafka-2024-56128?
Exploitation is highly constrained and difficult. The issue is exploitable only when Apache Kafka's SCRAM authentication runs over a plaintext channel without TLS: an attacker would need to intercept the SCRAM authentication exchange, which TLS prevents, so enabling TLS mitigates the vulnerability. No prior authentication to Kafka is required, since the flaw is in the authentication mechanism itself. This is a remote scenario based on network interception; the primary prerequisite is an insecure deployment of SCRAM without TLS, meaning brokers that expose SASL_PLAINTEXT listeners.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for BIT-kafka-2024-56128?
Available Upgrade Options
- org.apache.kafka:kafka_2.12
  - >0.10.2.0, <3.7.2 → Upgrade to 3.7.2
  - >3.8.0, <3.8.1 → Upgrade to 3.8.1
- org.apache.kafka:kafka_2.13
  - >0.10.2.0, <3.7.2 → Upgrade to 3.7.2
  - >3.8.0, <3.8.1 → Upgrade to 3.8.1
Additional Resources
- https://lists.apache.org/thread/84dh4so32lwn7wr6c5s9mwh381vx9wkw
- https://datatracker.ietf.org/doc/html/rfc5802#section-9
- https://nvd.nist.gov/vuln/detail/CVE-2024-56128
- https://github.com/apache/kafka/commit/2cbc5bd3ca22185d9cd357c9db23a2cfb43a0fff
- https://github.com/apache/kafka
- https://datatracker.ietf.org/doc/html/rfc5802
- https://kafka.apache.org/documentation/#security_sasl_scram_security
What are Similar Vulnerabilities to BIT-kafka-2024-56128?
Similar Vulnerabilities: CVE-2023-34042, CVE-2022-26154, CVE-2023-28709, CVE-2022-23094, CVE-2021-39230
