{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/openremote-manager/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["openremote-manager"],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","access-control","openremote"],"_cs_type":"advisory","_cs_vendors":["OpenRemote"],"content_html":"\u003cp\u003eOpenRemote, a digital twin platform, is susceptible to a privilege escalation vulnerability (CVE-2026-41166) affecting versions prior to 1.22.1 of the openremote-manager component. An attacker possessing \u003ccode\u003ewrite:admin\u003c/code\u003e privileges in any Keycloak realm can exploit this flaw to escalate privileges to the \u003ccode\u003emaster\u003c/code\u003e realm. This is achieved by calling the Manager API\u0026rsquo;s \u003ccode\u003eupdateUserRealmRoles\u003c/code\u003e function to modify Keycloak realm roles for users in other realms, including the \u003ccode\u003emaster\u003c/code\u003e realm. The vulnerability lies in the absence of authorization checks within the \u003ccode\u003eUserResourceImpl.java\u003c/code\u003e file, which fails to validate if the caller has administrative rights over the realm they are attempting to modify. This oversight allows an attacker to grant themselves or another user administrative privileges on the master realm, leading to full Keycloak administrator access.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a Keycloak realm and obtains \u003ccode\u003ewrite:admin\u003c/code\u003e privileges for the OpenRemote client within that realm.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a low-privilege user in the \u003ccode\u003emaster\u003c/code\u003e Keycloak realm and retrieves their UUID.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates as the user from their controlled realm to obtain a valid Bearer access token.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious API request targeting the vulnerable \u003ccode\u003eupdateUserRealmRoles\u003c/code\u003e endpoint, specifying the \u003ccode\u003emaster\u003c/code\u003e realm and the UUID of the target user.\u003c/li\u003e\n\u003cli\u003eThe attacker sets the \u0026ldquo;roles\u0026rdquo; parameter in the request body to include the \u0026ldquo;admin\u0026rdquo; role, effectively granting the target user Keycloak administrator privileges in the master realm.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted API request to the OpenRemote Manager API, bypassing the missing authorization check.\u003c/li\u003e\n\u003cli\u003eThe OpenRemote application processes the request and updates the target user\u0026rsquo;s realm roles in the \u003ccode\u003emaster\u003c/code\u003e Keycloak realm.\u003c/li\u003e\n\u003cli\u003eThe attacker verifies the successful privilege escalation by confirming that the target user in the \u003ccode\u003emaster\u003c/code\u003e realm now possesses the \u0026ldquo;admin\u0026rdquo; role via the Keycloak Admin Console, thus gaining full control over the master realm.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to gain complete control over the \u003ccode\u003emaster\u003c/code\u003e Keycloak realm within OpenRemote. This grants the attacker the ability to manage all users, roles, and clients within the \u003ccode\u003emaster\u003c/code\u003e realm, potentially leading to unauthorized access to sensitive data, disruption of services, and further lateral movement within the OpenRemote environment. Given that the \u003ccode\u003emaster\u003c/code\u003e realm is typically used for managing the entire OpenRemote instance, the impact is critical.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to OpenRemote version 1.22.1 or later to patch CVE-2026-41166, addressing the improper access control in the \u003ccode\u003eupdateUserRealmRoles\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eImplement additional authorization checks within the \u003ccode\u003eUserResourceImpl.java\u003c/code\u003e file to validate that the caller has administrative rights over the target realm before allowing modifications to user realm roles.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u003ccode\u003eDetect OpenRemote UserRealmRoles API Abuse\u003c/code\u003e to monitor for suspicious calls to the updateUserRealmRoles API endpoint targeting different realms.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-02-openremote-privesc/","summary":"OpenRemote is vulnerable to privilege escalation, allowing an attacker with write:admin privileges in one Keycloak realm to gain administrator access to the master realm by manipulating Keycloak realm roles due to missing authorization checks in the updateUserRealmRoles function.","title":"OpenRemote Improper Access Control Leads to Privilege Escalation","url":"https://feed.craftedsignal.io/briefs/2024-01-02-openremote-privesc/"}],"language":"en","title":"CraftedSignal Threat Feed — Openremote-Manager","version":"https://jsonfeed.org/version/1.1"}