OpenAM WebAuthn Deserialization RCE – Configuration-Dependent Pre-Auth Bypass
OpenAM's WebAuthn module deserializes untrusted Java objects from user-writable storage attributes, enabling pre-auth RCE if the storage backend becomes attacker-controllable. Defenders must audit attribute permissions and enforce server-managed storage isolation.
CVE References
Affected
Vulnerability Description
This is a CWE-502 (Deserialization of Untrusted Data) vulnerability in OpenAM's WebAuthn authentication module. The flaw lies in how the module reads and deserializes Java objects from a configurable storage attribute (the module's userAttribute setting) during the WebAuthn authentication flow. If an attacker can write a malicious serialized Java object to that attribute, typically a user directory attribute, the deserialization step will instantiate attacker-chosen classes from the server classpath; with a suitable gadget chain this yields remote code execution in the application server context. Because the attribute is read while the authentication flow runs, before the user has proven possession of an authenticator, the attacker only needs to trigger a WebAuthn login for the account whose attribute they control.
Proof-of-Concept & Preconditions
The PoC matters because it shows that WebAuthn, marketed as a modern security component, can introduce serious risk through unsafe defaults and an overly permissive configuration model. Exploitation is not guaranteed out of the box; it requires a specific chain of conditions: either (1) the userAttribute setting points to a user-writable directory attribute (a non-default configuration), or (2) an attribute that was previously server-managed has been exposed to users through misconfiguration, delegated administration, self-service provisioning, or legacy REST endpoints. The advisory explicitly notes that the product neither enforces nor warns that this attribute must remain server-managed and immutable.
Detection Guidance
Defenders should monitor for: (1) Configuration audit: scan the OpenAM administrative console (or exported service configuration) for non-standard userAttribute values in WebAuthn module settings; (2) LDAP/directory logs: detect write operations to the attribute referenced by the WebAuthn configuration, especially from binds other than OpenAM's own service identity or directory administrators; (3) Application logs: search OpenAM debug logs for deserialization failures during authentication (ClassNotFoundException, InvalidClassException, StreamCorruptedException or other unmarshalling errors), which commonly appear when a gadget chain is attempted against a classpath that lacks the classes it expects; (4) File integrity: monitor for changes to WebAuthn module configuration files; (5) JVM memory/CPU spikes during authentication attempts, a low-fidelity signal that may accompany gadget chain execution; (6) Stored values: inspect the storage attribute's values for serialized objects that reference classes the WebAuthn module itself does not write.
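The following Python script is an added example, not code from this page or from OpenAM. It complements the log-based checks above by inspecting the stored values themselves, and also illustrates what the serialized objects described in the Vulnerability Description look like on the wire: it reads an LDIF export of the storage attribute, confirms each value is a Java serialization stream (magic 0xACED0005, which base64-encodes to the prefix rO0AB), extracts class names from the stream's TC_CLASSDESC records with a heuristic scan, and flags any class outside an allowlist. The attribute name webauthnData, the allowlist, the DNs and the LDIF records are constructed placeholders; the allowlist must be replaced with the classes your OpenAM version actually writes into that attribute.

```python
import base64
import re

# Java serialization header: magic 0xACED, version 0x0005. In base64 (LDIF "attr::"
# values, REST output) every such stream starts with the prefix "rO0AB".
JAVA_SER_MAGIC = b"\xac\xed\x00\x05"
TC_CLASSDESC = b"\x72"  # tag introducing a class descriptor: tag, u16 length, name

# Validating the name filters stray 0x72 ('r') bytes that occur inside string data.
_CLASS_NAME_RE = re.compile(r"^\[*[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*;?$")


def extract_class_names(stream: bytes) -> list:
    """Heuristic scan: class names from TC_CLASSDESC records, in stream order."""
    if not stream.startswith(JAVA_SER_MAGIC):
        return []
    names = []
    i = stream.find(TC_CLASSDESC)
    while i != -1 and i + 3 <= len(stream):
        length = int.from_bytes(stream[i + 1:i + 3], "big")
        candidate = stream[i + 3:i + 3 + length]
        text = candidate.decode("ascii", errors="replace")
        if 0 < length == len(candidate) and _CLASS_NAME_RE.match(text):
            names.append(text)
            i = stream.find(TC_CLASSDESC, i + 3 + length)  # resume after the name
        else:
            i = stream.find(TC_CLASSDESC, i + 1)
    return names


def element_class(name: str) -> str:
    """Reduce an array descriptor such as '[Ljava.lang.Object;' to its element class."""
    base = name.lstrip("[")
    if base != name and base.startswith("L") and base.endswith(";"):
        base = base[1:-1]
    return base


def ldif_attribute_values(ldif_text: str, attr: str) -> list:
    """(dn, raw value) for each attr in an LDIF export; handles '::' base64 and folding."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # LDIF folds long values onto space-indented lines
        else:
            lines.append(raw)
    results, dn, key = [], None, attr.lower()
    for line in lines:
        lower = line.lower()
        if lower.startswith("dn:"):
            dn = line.split(":", 1)[1].strip()
        elif lower.startswith(key + "::"):
            results.append((dn, base64.b64decode(line.split("::", 1)[1].strip())))
        elif lower.startswith(key + ":"):
            results.append((dn, line.split(":", 1)[1].strip().encode()))
    return results


def find_unexpected_classes(ldif_text: str, attr: str, allowed_prefixes) -> list:
    """(dn, [classes]) for serialized values naming classes outside the allowlist."""
    findings = []
    for dn, value in ldif_attribute_values(ldif_text, attr):
        if not value.startswith(JAVA_SER_MAGIC):
            continue  # not a Java serialization stream; outside this check's scope
        unexpected = [n for n in extract_class_names(value)
                      if len(element_class(n)) > 1  # ignore primitive arrays like "[B"
                      and not element_class(n).startswith(tuple(allowed_prefixes))]
        if unexpected:
            findings.append((dn, unexpected))
    return findings


def minimal_stream(class_name: str) -> bytes:
    """Constructed test data only: a valid stream for one field-less class (no payload)."""
    name = class_name.encode()
    return (JAVA_SER_MAGIC + b"\x73"                          # TC_OBJECT
            + TC_CLASSDESC + len(name).to_bytes(2, "big") + name
            + b"\x00" * 8 + b"\x02" + b"\x00\x00"             # serialVersionUID, SC_SERIALIZABLE, 0 fields
            + b"\x78" + b"\x70")                              # TC_ENDBLOCKDATA, TC_NULL superclass


# Constructed sample export. "webauthnData" and the allowlist are placeholders: use the
# attribute named by the module's userAttribute and the classes your OpenAM version writes.
_OK = base64.b64encode(minimal_stream("com.example.webauthn.Credential")).decode()
_BAD = base64.b64encode(minimal_stream(
    "org.apache.commons.collections.functors.InvokerTransformer")).decode()  # well-known gadget class
SAMPLE_LDIF = (
    "dn: uid=alice,ou=people,dc=example,dc=com\n" + "webauthnData:: " + _OK + "\n\n"
    + "dn: uid=mallory,ou=people,dc=example,dc=com\n" + "webauthnData:: " + _BAD + "\n"
)
ALLOWED_PREFIXES = ("com.example.webauthn.", "java.")

if __name__ == "__main__":
    for dn, classes in find_unexpected_classes(SAMPLE_LDIF, "webauthnData", ALLOWED_PREFIXES):
        print(f"SUSPECT {dn}: {', '.join(classes)}")
```

Run it against an ldapsearch LDIF export of the attribute for the user subtree. The class scan is a triage heuristic, not a full stream parser: a hit means a value names a class the module has no reason to write and warrants a look at who wrote it and when, while a clean result does not prove the value is benign.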
Mitigation Steps
Immediate actions: (1) Patch: upgrade to OpenAM Community Edition 16.1.1 or later; (2) Audit configuration: verify the WebAuthn userAttribute points to an immutable, server-managed attribute that is never user-writable; (3) Restrict directory permissions: ensure that no end-user identity, including the user's own bind via self-write ACIs, can modify any attribute the WebAuthn module reads, and that only OpenAM's service identity and directory administrators retain write access; (4) Disable self-service provisioning where it allows modification of authentication-related attributes; (5) Restrict administrative delegation: limit which administrators can reconfigure WebAuthn storage attributes; (6) Disable legacy REST self-registration if it permits attribute writes; (7) Network segmentation: limit access to OpenAM administrative interfaces. Steps (2) through (7) also limit exposure while the upgrade is being scheduled.
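As an added example of the permission audit in steps (2) and (3), not code from this page or from OpenAM, the following Python checker evaluates DS/OpenDJ-style ACI strings and reports every allow-write on the WebAuthn storage attribute that an end user could exercise: the bound user itself (ldap:///self), all authenticated users, anyone, or a wildcard DN pattern. It shows a weak self-service ACI beside its corrected form. The attribute name webauthnData, the DNs and the ACI strings are constructed placeholders.

```python
import re

# Clause patterns for the DS/OpenDJ-style ACI syntax:
#   (targetattr="a || b")(version 3.0; acl "name"; allow (rights) bindrule;)
_TARGETATTR_RE = re.compile(r'\(targetattr\s*(!?=)\s*"([^"]*)"\)', re.I)
_PERMISSION_RE = re.compile(r'\b(allow|deny)\s*\(([^)]*)\)\s*([^;]*);', re.I)
_USERDN_RE = re.compile(r'userdn\s*(!?=)\s*"([^"]*)"', re.I)

WRITE_RIGHTS = {"write", "all", "selfwrite"}
# Bind-rule subjects that amount to "the end user": the bound user, any
# authenticated user, or anyone at all.
END_USER_SUBJECTS = {"ldap:///self", "ldap:///all", "ldap:///anyone"}


def targetattr_covers(aci: str, attr: str) -> bool:
    """True if the targetattr clause includes attr ('*' matches everything).
    An ACI without a targetattr clause is not matched here; review those by hand."""
    m = _TARGETATTR_RE.search(aci)
    if not m:
        return False
    op, spec = m.group(1), m.group(2)
    names = {n.strip().lower() for n in spec.split("||")}
    listed = "*" in names or attr.lower() in names
    return listed if op == "=" else not listed


def write_grants(aci: str, attr: str) -> list:
    """(verb, subject) pairs for permission clauses that cover write on attr."""
    if not targetattr_covers(aci, attr):
        return []
    grants = []
    for verb, rights, bindrule in _PERMISSION_RE.findall(aci):
        if not {r.strip().lower() for r in rights.split(",")} & WRITE_RIGHTS:
            continue
        for op, subject in _USERDN_RE.findall(bindrule):
            if op == "=":
                grants.append((verb.lower(), subject))
    return grants


def audit_user_writable(acis, attr: str) -> list:
    """(aci, subject) for every allow-write an end user can exercise on attr.
    Deny precedence is not modelled: check each finding against any deny rules."""
    findings = []
    for aci in acis:
        for verb, subject in write_grants(aci, attr):
            if verb == "allow" and (subject.lower() in END_USER_SUBJECTS or "*" in subject):
                findings.append((aci, subject))
    return findings


WEBAUTHN_ATTR = "webauthnData"  # placeholder for the module's userAttribute value

# Weak: self-service profile editing that also reaches the WebAuthn storage attribute.
WEAK_SELF_WRITE = ('(targetattr="webauthnData || mail")(version 3.0; acl "Self modification"; '
                   'allow (write) userdn="ldap:///self";)')
WEAK_WILDCARD = ('(targetattr="*")(version 3.0; acl "Self-service profile"; '
                 'allow (read,write) userdn="ldap:///self";)')
# Corrected: self-service excludes the attribute; only the OpenAM bind identity writes it.
FIXED_SELF_WRITE = ('(targetattr!="webauthnData")(version 3.0; acl "Self modification"; '
                    'allow (write) userdn="ldap:///self";)')
FIXED_SERVICE_ONLY = ('(targetattr="webauthnData")(version 3.0; acl "WebAuthn storage is server-managed"; '
                      'allow (write) userdn="ldap:///cn=openam,ou=services,dc=example,dc=com";)')

if __name__ == "__main__":
    sample = [WEAK_SELF_WRITE, WEAK_WILDCARD, FIXED_SELF_WRITE, FIXED_SERVICE_ONLY]
    for aci, subject in audit_user_writable(sample, WEBAUTHN_ATTR):
        print(f"USER-WRITABLE via {subject}: {aci}")
```

Feed it the aci values exported from the directory (request the aci attribute explicitly in the search, since OpenDJ treats it as operational). Wildcard targetattr rules are the usual culprit: a self-service ACI written as targetattr="*" silently covers whatever attribute the WebAuthn module is later pointed at, which is exactly the configuration drift the advisory warns about.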
Risk Assessment
Likelihood of exploitation is moderate to high in environments with delegated administration, user self-service provisioning, or legacy REST APIs enabled. Threat actors have a strong incentive to target it: pre-auth RCE on identity infrastructure provides a foothold for lateral movement and persistence across everything that trusts the identity provider. However, exploitation requires prior write access to a directory attribute, which is not always trivial to obtain. Organizations with strict LDAP/AD permission models and no self-service workflows face lower risk. The vulnerability is particularly dangerous because the WebAuthn module ships with OpenAM by default and many administrators may not realise that a storage configuration choice can degrade its security.
Sources