Bug 1810160

Summary: FreeIPA: local account takeover/HBAC rules bypass
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
CC: abokovoy, afarley, cbuissar, cheimes, contribs, frenaud, ipa-maint, jcholast, jhrozek, jjelen, mhjacks, mkosek, msiddiqu, pvoborni, rcritten, rharwood, sbose, security-response-team, ssorce, tmihinto, tscherf, twoerner
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in FreeIPA. An account created with a name corresponding to an account local to a system, such as 'root', could access any enrolled machine with that account, with local system privileges. This also bypasses the absence of explicit HBAC rules. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Story Points: ---
Last Closed: 2020-06-17 07:24:02 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1835433, 1835434, 1847097
Bug Blocks: 1809701

Description Guilherme de Almeida Suckevicz 2020-03-04 16:16:00 UTC
It was found that if an account with a name corresponding to an account local to a system, such as 'root', was created via IPA, such an account could access any enrolled machine with that account and the local system privileges. This also bypasses the absence of explicit HBAC rules.

If an attacker was able to create or influence the creation of a username in such a way that it corresponds to a privileged local account for a system, the attacker could use the newly created account to access the system, inheriting the privileges corresponding to the local account.
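
The risk described in the report is a name collision between centrally managed IPA users and accounts that exist locally on enrolled hosts. The following check, added here as an illustration and not part of the bug report or of FreeIPA itself, compares a list of IPA user names against a host's passwd database and ranks collisions by how privileged the shadowed local account is (uid 0 first, then system accounts below the conventional 1000 boundary, then regular users). Both the passwd text and the IPA user list are constructed samples; in a real deployment the former comes from each enrolled host's /etc/passwd and the latter from an IPA user listing.

```python
"""Flag IPA user names that collide with local system accounts.

Added illustration, not FreeIPA project code. SAMPLE_PASSWD and
SAMPLE_IPA_USERS are constructed inputs standing in for a host's
/etc/passwd and an IPA user listing.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample of an enrolled host's /etc/passwd (not real data).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
sssd:x:996:993:User for sssd:/run/sssd:/sbin/nologin
alice:x:1000:1000:Alice Local:/home/alice:/bin/bash
"""

# Constructed sample of user names as an IPA user listing would return them.
SAMPLE_IPA_USERS = ["admin", "root", "bob", "sssd", "alice"]

# Conventional boundary between system and regular accounts on most Linux
# distributions; adjust to the host's login.defs UID_MIN if it differs.
SYSTEM_UID_MAX = 999


@dataclass(frozen=True)
class Collision:
    name: str
    local_uid: int
    severity: str  # "critical", "high" or "medium"


def parse_passwd(text: str) -> Dict[str, int]:
    """Return {login: uid} for every well-formed passwd line; skip the rest."""
    accounts: Dict[str, int] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue  # malformed line
        try:
            accounts[fields[0]] = int(fields[2])
        except ValueError:
            continue  # non-numeric uid field
    return accounts


def classify(uid: int) -> str:
    """Rank a local account by how much a name collision with it would grant."""
    if uid == 0:
        return "critical"  # the name maps onto the superuser
    if uid <= SYSTEM_UID_MAX:
        return "high"      # system or service account
    return "medium"        # regular local user shadowed by a central one


def find_collisions(ipa_users: List[str], passwd_text: str) -> List[Collision]:
    """Return IPA user names that already exist locally, most severe first."""
    local = parse_passwd(passwd_text)
    order = {"critical": 0, "high": 1, "medium": 2}
    hits = [Collision(u, local[u], classify(local[u]))
            for u in ipa_users if u in local]
    return sorted(hits, key=lambda c: (order[c.severity], c.name))


if __name__ == "__main__":
    for c in find_collisions(SAMPLE_IPA_USERS, SAMPLE_PASSWD):
        print(f"{c.severity:8} {c.name:12} local uid {c.local_uid}")
```

Run against real inputs, any "critical" or "high" hit is a name that an IPA administrator should not have been allowed to create, and is worth reviewing alongside the HBAC rules for the affected hosts; running the check per host matters because service accounts such as sssd differ from one host to the next.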

Comment 1 Alexander Bokovoy 2020-03-05 10:41:17 UTC
Without any details on the scenario it is impossible to understand what 'flaw' is described here.
Please take at least some time to substantiate your claims.

Comment 2 Guilherme de Almeida Suckevicz 2020-03-18 13:02:42 UTC
For now this bug is for investigation only, more information will be shared soon.

Comment 3 Christian Heimes 2020-03-18 15:35:30 UTC
We cannot investigate without additional information. Can you at least provide a reproducer and example?

Comment 41 Cedric Buissart 2020-06-03 07:00:51 UTC
Acknowledgments:

Name: Julian Catrambone, Mike Losapio

Comment 64 Cedric Buissart 2020-06-15 16:23:36 UTC
Created freeipa tracking bugs for this issue:

Affects: fedora-all [bug 1847097]

Comment 80 Cedric Buissart 2020-06-26 11:38:11 UTC
Statement:

Roles are used to classify permitted actions but are not used as a tool to implement privilege separation or to protect from privilege escalation. As a result, using privileges to gain additional privileges is not something considered unexpected. This bug has been rejected as a security flaw. Users with privileges should be reserved to trusted persons.