Bug 2262169 (CVE-2024-1481)

Summary: CVE-2024-1481 freeipa: specially crafted HTTP requests potentially lead to denial of service
Product: [Other] Security Response Reporter: Robb Gatica <rgatica>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abokovoy, frenaud, ftrivino, jrische, rcritten, saroy, security-response-team, trathi
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: freeipa-4.11.1 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in FreeIPA. This issue may allow a remote attacker to craft a HTTP request with parameters that can be interpreted as command arguments to kinit on the FreeIPA server, which can lead to a denial of service.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2265129    
Bug Blocks: 2262165, 2271727    

Description Robb Gatica 2024-01-31 21:51:33 UTC 
Summary:
Specially crafted HTTP requests can read files in the DC server. And use keytab files for authorization for different kerberos principals.

Tested FreeIPA version:
ipa-server-4.10.1

Details
The "user" parameter in the HTTP URI "/sip/session/login_password" is inserted into the "run" function from the file "ipautil.py". Then it is passed as an argument to the "subprocess.Popen". As a result, the following list is passed: "args=['/usr/bin/kinit', '{user params}', '-c', /run/ipa/ccaches/kinit_13704', '-T', '/run/ipa/ccaches/armor_13704', '-C', '-E']". If instead of "{user params}" there is a string "-V", then it will be taken as an argument for "kinit". As a result, remote attackers can use options such as "-t", "-X", "-S" or "-I" for DOS, or use the keytab file from the system to log in under participants without a password.

PoC (attached screenshots):
Simple request with "user=-H&password=0000000"
With multiple parameters "user=-Vkt&password=0000000"

Impact
Possible DOS, use keytab from system and read files on DC.
Comment 10 Robb Gatica 2024-02-20 15:09:45 UTC 
Created freeipa tracking bugs for this issue:

Affects: fedora-all [bug 2265129]
Comment 16 TEJ RATHI 2024-03-27 07:09:03 UTC 
*** Bug 2271726 has been marked as a duplicate of this bug. ***
Comment 17 errata-xmlrpc 2024-04-30 09:39:39 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2147 https://access.redhat.com/errata/RHSA-2024:2147
Comment 18 errata-xmlrpc 2024-05-22 09:40:25 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:3044 https://access.redhat.com/errata/RHSA-2024:3044