Bug 901864 (CVE-2013-0199)

Summary: CVE-2013-0199 ipa: cross-realm kerberos with AD information leak
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: mkosek, rcritten, security-response-team, ssorce
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2013-02-20 15:45:17 UTC
Bug Depends On: 902481, 903391
Bug Blocks: 855229, 870243

Description Vincent Danen 2013-01-19 17:44:46 UTC
FreeIPA 3.0 introduced Cross-Realm Kerberos trusts with Active Directory, a feature that allows IPA administrators to create a Kerberos trust with an AD.  This allows IPA users to be able to access resources in AD trusted domains and vice versa.

When the Kerberos trust is created, outgoing and incoming keys are stored in the IPA LDAP backend (in the ipaNTTrustAuthIncoming and ipaNTTrustAuthOutgoing attributes).  However, the IPA LDAP ACIs allow anonymous read access to these attributes, which could allow an unprivileged and unauthenticated user to read the keys.  With these keys, an attacker could craft an invented Kerberos ticket with an invented PAC, encrypt the PAC with the retrieved key, and impersonate any AD user in the IPA domain or impersonate any IPA user in the AD domain.

This issue affects Fedora 18, which provides FreeIPA 3.x.


Acknowledgements:

Red Hat would like to thank Martin Kosek of Red Hat for reporting this issue.


Statement:

Not vulnerable. This issue did not affect the versions of ipa as shipped with Red Hat Enterprise Linux 6 as they did not include support for Cross-Realm Kerberos trusts with Active Directory.
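
The ACI condition described in this report can be audited by checking whether any ACI grants anonymous read on the two trust-key attributes. The following is an added example, not part of the original bug report and not FreeIPA code; the ACI strings are constructed samples in 389 Directory Server ACI syntax, and the evaluator is a simplification that ignores target/targetfilter scoping and compound bind rules.

```python
import re
from fnmatch import fnmatchcase

# Attribute names taken from the bug report above.
TRUST_KEY_ATTRS = ("ipaNTTrustAuthIncoming", "ipaNTTrustAuthOutgoing")

TARGETATTR = re.compile(r'\(\s*targetattr\s*(!?=)\s*"([^"]*)"\s*\)', re.I)
PERMISSION = re.compile(r'\b(allow|deny)\s*\(([^)]*)\)\s*([^;]*);', re.I)


def anonymous_read(aci, attr):
    """Return 'allow', 'deny' or None: what one ACI says about anonymous read of attr."""
    target = TARGETATTR.search(aci)
    if not target:
        return None  # simplification: an ACI without targetattr targets no attributes
    op, value = target.groups()
    patterns = [p.strip().lower() for p in value.split("||")]
    listed = any(fnmatchcase(attr.lower(), p) for p in patterns)
    if listed != (op == "="):
        return None  # attr is outside this ACI's target
    for kind, rights, bind_rule in PERMISSION.findall(aci):
        granted = {r.strip().lower() for r in rights.split(",")}
        # simplification: any bind rule naming ldap:///anyone counts as anonymous
        if granted & {"read", "all"} and "ldap:///anyone" in bind_rule.lower():
            return kind.lower()
    return None


def exposed_trust_keys(acis):
    """Trust-key attributes that some ACI lets anonymous clients read (deny wins)."""
    exposed = []
    for attr in TRUST_KEY_ATTRS:
        verdicts = {anonymous_read(aci, attr) for aci in acis}
        if "allow" in verdicts and "deny" not in verdicts:
            exposed.append(attr)
    return exposed


# Constructed ACIs in 389 Directory Server syntax; not copied from FreeIPA.
WEAK = ('(targetattr != "userPassword || krbPrincipalKey")'
        '(version 3.0; acl "constructed: anonymous read"; '
        'allow (read, search, compare) userdn = "ldap:///anyone";)')
HARDENED = WEAK.replace(
    "krbPrincipalKey",
    "krbPrincipalKey || ipaNTTrustAuthIncoming || ipaNTTrustAuthOutgoing")

if __name__ == "__main__":
    for name, aci in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, "->", exposed_trust_keys([aci]) or "trust keys not anonymously readable")
```

An exclusion-style `targetattr !=` list exposes every attribute it does not name, which is why attributes added by a new feature need to be checked against it.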

Comment 2 Vincent Danen 2013-01-23 21:27:37 UTC
External References:

http://www.freeipa.org/page/CVE-2013-0199

Comment 3 Vincent Danen 2013-01-23 21:28:08 UTC
Created freeipa tracking bugs for this issue

Affects: fedora-18 [bug 903391]

Comment 4 Fedora Update System 2013-02-02 04:22:59 UTC
freeipa-3.1.2-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.