CVE-2024-2698
Freeipa: delegation rules allow a proxy service to impersonate any user to access another target service
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
A vulnerability was found in FreeIPA in how the initial implementation of MS-SFU by MIT Kerberos was missing a condition for granting the "forwardable" flag on S4U2Self tickets. Fixing this mistake required adding a special case for the check_allowed_to_delegate() function: If the target service argument is NULL, then it means the KDC is probing for general constrained delegation rules and not checking a specific S4U2Proxy request. In FreeIPA 4.11.0, the behavior of ipadb_match_acl() was modified to match the changes from upstream MIT Kerberos 1.20. However, a mistake resulting in this mechanism applies in cases where the target service argument is set AND where it is unset. This results in S4U2Proxy requests being accepted regardless of whether or not there is a matching service delegation rule.
Se encontró una vulnerabilidad en FreeIPA en la que a la implementación inicial de MS-SFU por parte de MIT Kerberos le faltaba una condición para otorgar el indicador "reenviable" en los tickets S4U2Self. Para corregir este error fue necesario agregar un caso especial para la función check_allowed_to_delegate(): si el argumento del servicio de destino es NULL, entonces significa que el KDC está investigando reglas generales de delegación restringida y no verificando una solicitud S4U2Proxy específica. En FreeIPA 4.11.0, el comportamiento de ipadb_match_acl() se modificó para que coincida con los cambios del MIT Kerberos 1.20. Sin embargo, un error que resulta en este mecanismo se aplica en los casos en los que el argumento del servicio de destino está establecido Y donde no está establecido. Esto da como resultado que las solicitudes S4U2Proxy se acepten independientemente de si existe o no una regla de delegación de servicios coincidente.
CVSS Scores
SSVC
- Decision:Track
Timeline
- 2024-03-19 CVE Reserved
- 2024-06-11 CVE Published
- 2024-11-25 CVE Updated
- 2024-12-17 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-284: Improper Access Control
- CWE-863: Incorrect Authorization
CAPEC
References (8)
| URL | Tag | Source |
|---|---|---|
| https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WT3JL7JQDIAFKKEFARWYES7GZNWGQNCI |
|
|
| https://www.freeipa.org/release-notes/4-12-1.html |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://access.redhat.com/errata/RHSA-2024:3754 | 2024-06-27 | |
| https://access.redhat.com/errata/RHSA-2024:3755 | 2024-06-27 | |
| https://access.redhat.com/errata/RHSA-2024:3757 | 2024-06-27 | |
| https://access.redhat.com/errata/RHSA-2024:3759 | 2024-06-27 | |
| https://access.redhat.com/security/cve/CVE-2024-2698 | 2024-06-10 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=2270353 | 2024-06-10 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Freeipa Search vendor "Freeipa" | Freeipa Search vendor "Freeipa" for product "Freeipa" | * | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Linux Search vendor "Oracle" for product "Linux" | * | - |
Affected
| ||||||
| Red Hat Search vendor "Red Hat" | Enterprise Linux Search vendor "Red Hat" for product "Enterprise Linux" | * | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux" | * | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Rhel Eus Search vendor "Redhat" for product "Rhel Eus" | * | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | * | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Linux Search vendor "Oracle" for product "Linux" | * | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux" | * | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Rhel Eus Search vendor "Redhat" for product "Rhel Eus" | * | - |
Affected
| ||||||
| Rocky Search vendor "Rocky" | Linux Search vendor "Rocky" for product "Linux" | * | - |
Affected
| ||||||