2262978 – freeipa: privileges escalation from root to domain admin

Bug 2262978 - freeipa: privileges escalation from root to domain admin

Summary: freeipa: privileges escalation from root to domain admin

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2263012
Blocks:	2245046
TreeView+	depends on / blocked

Reported:	2024-02-06 11:54 UTC by Marian Rehak
Modified:	2024-03-04 10:13 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	A local user with root privileges is able to save kerberos tickets to an environment variable and escalate privileges to domain admin.
Clone Of:
Environment:
Last Closed:	2024-02-06 16:01:26 UTC
Embargoed:

Attachments	(Terms of Use)

Description Marian Rehak 2024-02-06 11:54:29 UTC

With root privileges, it is possible to dump the admin kerberos ticket and write it to an environmentvariable, after which it is possible to get the privileges of the domain administrator, whose ticket was dumped.

Comment 1 Marian Rehak 2024-02-06 15:13:15 UTC

Created freeipa tracking bugs for this issue:

Affects: fedora-all [bug 2263012]

Comment 6 Salvatore Bonaccorso 2024-03-01 18:07:08 UTC

Is there some additional information on this issue? Is there an upstream issue to track it and/or a upstream fix?

Comment 7 Alexander Bokovoy 2024-03-04 08:44:03 UTC

From FreeIPA team: we do object on classifying this as a security issue. If you are root on IdM server, you have game done. You are not required to get 'admin credentials'. 

This is why we asked to not have a CVE assigned to this "issue".

Note You need to log in before you can comment on or make changes to this bug.