CVE-2024-23656
published 2024-01-25CVE-2024-23656: Dex is an identity service that uses OpenID Connect to drive authentication for other apps. Dex 2.37.0 serves HTTPS with insecure TLS 1.0 and TLS 1.1…
PriorityP341high7.5CVSS 3.1
AVNACLPRNUINSUCHINAN
EPSS
0.43%
34.8th percentile
Dex is an identity service that uses OpenID Connect to drive authentication for other apps. Dex 2.37.0 serves HTTPS with insecure TLS 1.0 and TLS 1.1. `cmd/dex/serve.go` line 425 seemingly sets TLS 1.2 as minimum version, but the whole `tlsConfig` is ignored after `TLS cert reloader` was introduced in v2.37.0. Configured cipher suites are not respected either. This issue is fixed in Dex 2.38.0.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dexidp | dex | — | — |
| github.com | dexidp_dex | >= 0 < 0.0.0-20240125115555-5bbdb4420254 | 0.0.0-20240125115555-5bbdb4420254 |
| github.com | dexidp_dex | >= 2.37.0 < 2.38.0 | 2.38.0 |
| linuxfoundation | dex | — | — |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
Dex discarding TLSconfig and always serves deprecated TLS 1.0/1.1 and insecure ciphers in github.com/dexidp/dex
osv·2024-06-28
CVE-2024-23656 Dex discarding TLSconfig and always serves deprecated TLS 1.0/1.1 and insecure ciphers in github.com/dexidp/dex
Dex discarding TLSconfig and always serves deprecated TLS 1.0/1.1 and insecure ciphers in github.com/dexidp/dex
Dex discarding TLSconfig and always serves deprecated TLS 1.0/1.1 and insecure ciphers in github.com/dexidp/dex.
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
The additional affected modules and versions are: github.com/dexidp/dex from v2.37.0 before v2.38.0.
OSV
Dex discarding TLSconfig and always serves deprecated TLS 1.0/1.1 and insecure ciphers
osv·2024-01-26
CVE-2024-23656 [HIGH] Dex discarding TLSconfig and always serves deprecated TLS 1.0/1.1 and insecure ciphers
Dex discarding TLSconfig and always serves deprecated TLS 1.0/1.1 and insecure ciphers
### Summary
Dex 2.37.0 is serving HTTPS with insecure TLS 1.0 and TLS 1.1.
### Details
While working on https://github.com/dexidp/dex/issues/2848 and implementing configurable TLS support, I noticed my changes did not have any effect in TLS config, so I started investigating.
https://github.com/dexidp/dex/blob/70d7a2c7c1bb2646b1a540e49616cbc39622fb83/cmd/dex/serve.go#L425 is seemingly setting TLS 1.2 as minimum version, but the whole tlsConfig is ignored after "TLS cert reloader" was introduced in https://github.com/dexidp/dex/pull/2964. Configured cipher suites are not respected either, as seen on the output.
### PoC
Build Dex, generate certs with `gencert.sh`, modify `config.dev.yaml` to run on h
GHSA
Dex discarding TLSconfig and always serves deprecated TLS 1.0/1.1 and insecure ciphers
ghsa·2024-01-26
CVE-2024-23656 [HIGH] CWE-326 Dex discarding TLSconfig and always serves deprecated TLS 1.0/1.1 and insecure ciphers
Dex discarding TLSconfig and always serves deprecated TLS 1.0/1.1 and insecure ciphers
### Summary
Dex 2.37.0 is serving HTTPS with insecure TLS 1.0 and TLS 1.1.
### Details
While working on https://github.com/dexidp/dex/issues/2848 and implementing configurable TLS support, I noticed my changes did not have any effect in TLS config, so I started investigating.
https://github.com/dexidp/dex/blob/70d7a2c7c1bb2646b1a540e49616cbc39622fb83/cmd/dex/serve.go#L425 is seemingly setting TLS 1.2 as minimum version, but the whole tlsConfig is ignored after "TLS cert reloader" was introduced in https://github.com/dexidp/dex/pull/2964. Configured cipher suites are not respected either, as seen on the output.
### PoC
Build Dex, generate certs with `gencert.sh`, modify `config.dev.yaml` to run on h
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/dexidp/dex/blob/70d7a2c7c1bb2646b1a540e49616cbc39622fb83/cmd/dex/serve.go#L425https://github.com/dexidp/dex/commit/5bbdb4420254ba73b9c4df4775fe7bdacf233b17https://github.com/dexidp/dex/issues/2848https://github.com/dexidp/dex/pull/2964https://github.com/dexidp/dex/security/advisories/GHSA-gr79-9v6v-gc9rhttps://github.com/dexidp/dex/blob/70d7a2c7c1bb2646b1a540e49616cbc39622fb83/cmd/dex/serve.go#L425https://github.com/dexidp/dex/commit/5bbdb4420254ba73b9c4df4775fe7bdacf233b17https://github.com/dexidp/dex/issues/2848https://github.com/dexidp/dex/pull/2964https://github.com/dexidp/dex/security/advisories/GHSA-gr79-9v6v-gc9r
2024-01-25
Published