CVE-2024-3183
Freeipa: user can obtain a hash of the passwords of all domain users and perform offline brute force
Public Exploits: 1
Exploited in Wild: -
Descriptions
A vulnerability was found in FreeIPA in the way a Kerberos TGS-REQ is encrypted using the client’s session key. This key is different for each new session, which protects it from brute force attacks. However, the ticket it contains is encrypted using the target principal key directly. For user principals, this key is a hash of a public per-principal randomly-generated salt and the user’s password. If a principal is compromised, the attacker would be able to retrieve tickets encrypted to any principal, each of them encrypted directly with that principal's own key. By taking these tickets and salts offline, the attacker could run brute force attacks to find character strings able to decrypt tickets when combined with a principal salt (i.e. find the principal’s password).
CVSS Scores
SSVC
- Decision: Track*
Timeline
- 2024-04-02 CVE Reserved
- 2024-06-11 CVE Published
- 2024-08-20 First Exploit
- 2024-09-16 CVE Updated
- 2024-12-17 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-916: Use of Password Hash With Insufficient Computational Effort
CAPEC
References (14)
URL | Tag | Source |
---|---|---|
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WT3JL7JQDIAFKKEFARWYES7GZNWGQNCI | | |
https://www.freeipa.org/release-notes/4-12-1.html | | |
URL | Date | SRC |
---|---|---|
https://github.com/Cyxow/CVE-2024-3183-POC | 2024-08-20 |
URL | Date | SRC |
---|---|---|
https://access.redhat.com/errata/RHSA-2024:3754 | 2024-06-27 | |
https://access.redhat.com/errata/RHSA-2024:3755 | 2024-06-27 | |
https://access.redhat.com/errata/RHSA-2024:3756 | 2024-06-27 | |
https://access.redhat.com/errata/RHSA-2024:3757 | 2024-06-27 | |
https://access.redhat.com/errata/RHSA-2024:3758 | 2024-06-27 | |
https://access.redhat.com/errata/RHSA-2024:3759 | 2024-06-27 | |
https://access.redhat.com/errata/RHSA-2024:3760 | 2024-06-27 | |
https://access.redhat.com/errata/RHSA-2024:3761 | 2024-06-27 | |
https://access.redhat.com/errata/RHSA-2024:3775 | 2024-06-27 | |
https://access.redhat.com/security/cve/CVE-2024-3183 | 2024-06-10 | |
https://bugzilla.redhat.com/show_bug.cgi?id=2270685 | 2024-06-10 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Oracle | Linux | * | - | Affected |
Redhat | Enterprise Linux | * | - | Affected |
Redhat | Rhel Aus | * | - | Affected |
Redhat | Rhel E4s | * | - | Affected |
Redhat | Rhel Eus | * | - | Affected |
Redhat | Rhel Tus | * | - | Affected |
Amazon | Linux | * | - | Affected |
Centos | Centos | * | - | Affected |
Fedoraproject | Fedora | * | - | Affected |
Redhat | Enterprise Linux Aus | * | - | Affected |
Redhat | Enterprise Linux Eus | * | - | Affected |
Redhat | Enterprise Linux Tus | * | - | Affected |
Redhat | Enterprise Linux Update Services For Sap Solutions | * | - | Affected |
Rocky | Linux | * | - | Affected |