Menü Schließen

FreeIPA Security Release 4.12.1 veröffentlicht

FreeIPA Logo

FreeIPA ist ein von RedHat unterstütztes Open-Source Softwareprojekt, dass als Ziel hat ein Identität-, Policy- und Auditsystem zur Verfügung zu stellen. Dabei geht FreeIPA weiter als vergleichsweise das Active Directory von Microsoft oder eDirectory von Novell und vereint viele Open-Source Technologien zu einem System. Die Entwickler haben Anfang Juni 2024 das Update Release 4.12.1 veröffentlicht.

FreeIPA 4.12.1 Release Notes

  • CVE-2024-2698

The initial implementation of MS-SFU by MIT Kerberos was missing a condition for granting the “forwardable” flag on S4U2Self tickets. Fixing this mistake required adding a special case for the check_allowed_to_delegate() function: if the target service argument is NULL, then it means the KDC is probing for general constrained delegation rules, not actually checking a specific S4U2Proxy request.

In FreeIPA 4.11.0, the behavior of ipadb_match_acl() was modified to match the changes from upstream MIT Kerberos 1.20. However, a mistake resulted in this mechanism to apply in cases where the target service argument is set AND where it is unset. This results in S4U2Proxy requests to be accepted regardless of the fact there is a matching service delegation rule or not.

This vulnerability does not affect default FreeIPA deployments because the services which have delegation rules defined are on IPA servers themselves. Services having RBCD (resource-based constrained delegation) rules are not affected by this vulnerability either.

This vulnerability was discovered by Josh Whiteside.

  • CVE-2024-3183

A Kerberos TGS-REQ is encrypted using the client’s session key. This key is different for each new session, which protects it from brute force attacks. However, the ticket it contains is encrypted using the target principal key directly. For user principals, this key is a hash of a public per-principal randomly-generated salt and the user’s password.

If a principal is compromised it means the attacker would be able to retrieve tickets encrypted to any principal, all of them being encrypted by their own key directly. By taking these tickets and salts offline, the attacker could run brute force attacks to find character strings able to decrypt tickets when combined to the target principal salt (i.e. find the principal’s password).

Such attacks primarily affect user principals, not service principals because their keys are usually generated randomly. But weak user passwords are particularly vulnerable to such attacks, especially if they are referenced in password dictionaries.

To mitigate this vulnerability, ticket requests to user principals are now disallowed in FreeIPA realms by default. This will keep attackers from obtaining data encrypted with the user key directly.

This vulnerability was discovered by Mikhail Sukhov.

Bug fixes

FreeIPA 4.12.1 is a security fix release.

Details of the bug-fixes can be seen in the list of resolved tickets below.

Upgrading

Upgrade instructions are available on Upgrade page.

Schreibe einen Kommentar

Deine E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind mit * markiert