Bug 2262978 - freeipa: privileges escalation from root to domain admin
Summary: freeipa: privileges escalation from root to domain admin
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Product Security
QA Contact:
Depends On: 2263012
Blocks: 2245046
Reported: 2024-02-06 11:54 UTC by Marian Rehak
Modified: 2024-03-04 10:13 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A local user with root privileges is able to save Kerberos tickets to an environment variable and escalate privileges to domain admin.
Clone Of:
Last Closed: 2024-02-06 16:01:26 UTC

Description Marian Rehak 2024-02-06 11:54:29 UTC
With root privileges, it is possible to dump the admin Kerberos ticket and write it to an environment variable, after which it is possible to get the privileges of the domain administrator, whose ticket was dumped.

Comment 1 Marian Rehak 2024-02-06 15:13:15 UTC
Created freeipa tracking bugs for this issue:

Affects: fedora-all [bug 2263012]

Comment 6 Salvatore Bonaccorso 2024-03-01 18:07:08 UTC
Is there some additional information on this issue? Is there an upstream issue to track it and/or an upstream fix?

Comment 7 Alexander Bokovoy 2024-03-04 08:44:03 UTC
From FreeIPA team: we do object to classifying this as a security issue. If you are root on IdM server, you have game done. You are not required to get 'admin credentials'.

This is why we asked to not have a CVE assigned to this "issue".
