mTLS: when certificate authentication done wrong

Presented at DEF CON 31 (2023), Aug. 11, 2023, 11 a.m. (20 minutes).

Although x509 certificates have been here for a while, they have become more popular for client authentication in zero-trust networks in recent years. Mutual TLS, or authentication based on X509 certificates in general, brings advantages compared to passwords or tokens, but you get increased complexity in return. In this talk, we’ll deep dive into some novel attacks on mTLS authentication. We won’t bother you with heavy crypto stuff, but instead we’ll have a look at implementation vulnerabilities and how developers can make their mTLS systems vulnerable to user impersonation, privilege escalation and information leakages. We present some CVEs we found in popular open-source identity servers and ways to exploit them. Finally, we’ll explain how these vulnerabilities can be spotted in source code and how the safe code looks like. REFERENCES: 1) Wikipedia: Mutual Authentication (mTLS) https://en.wikipedia.org/wiki/Mutual_authentication#mTLS 2) Java: Possible RCEs in X.509 certificate validation [CVE-2018-2633][CVE-2017-10116] https://mbechler.github.io/2018/01/20/Java-CVE-2018-2633/

Presenters:

  • Michael Stepankin - Security Researcher at GitHub
    Michael 'artsploit' Stepankin is a researcher at GitHub Security Lab. He joined the team to put his offensive security mindset to the test, uncovering complex vulnerabilities in open source web applications. He specializes in the Java Enterprise stack, covering a wide range of security topics from insecure deserialization and XXEs, to logical bugs in OAuth systems. He's published a number of works throughout his employment as a researcher, including new ways to exploit JNDI injections, attacks on Apache Solr, and finding hidden Remote Code Executions in the Spring framework.

Links:

Similar Presentations: