#VU92247 Improper Authorization in FreeIPA - CVE-2024-2698


Vulnerability identifier: #VU92247

Vulnerability risk: Medium

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-2698

CWE-ID: CWE-285

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
FreeIPA
Other software / Other software solutions

Vendor: freeipa.org

Description

The vulnerability allows a remote attacker to bypass security restrictions.

The vulnerability exists due to an error in ipadb_match_acl() within the initial implementation of MS-SFU by MIT Kerberos, which was missing a condition for granting the “forwardable” flag on S4U2Self tickets. As a result, S4U2Proxy requests were accepted whether or not a matching service delegation rule existed.

Note that this vulnerability does not affect default FreeIPA deployments, because the only services with delegation rules defined are on the IPA servers themselves. Services with RBCD (resource-based constrained delegation) rules are not affected by this vulnerability either.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

FreeIPA: 4.11.0 beta - 4.12.0


External links
https://bugzilla.redhat.com/show_bug.cgi?id=2270353
https://www.freeipa.org/release-notes/4-12-1.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote, non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
