Created attachment 2043960
Before and after Microsoft update
Description of problem:
After the Microsoft RADIUS (NPS) Server 2019 KB5040430 update for the CVE-2024-3596 vulnerability, FreeIPA cannot connect successfully to RADIUS. When I listed krb5kdc.log with cat, I saw the failure log, which is PREAUTHENTICATION_FAILED. Then, when I traced the traffic via Wireshark on the Microsoft RADIUS Server 2019, I realized that the RADIUS attributes of the response, named Access Accept, to the Access Request started from FreeIPA contain the Message Authenticator attribute. I believe that FreeIPA cannot make sense of this attribute or header, and this may be resolved with an upgrade on the FreeIPA side.
Version-Release number of selected component (if applicable):
FreeIPA 4.12.1
How reproducible:
Continuously
Steps to Reproduce:
1. Free IPA upgrade for this issue.
Actual results:
AUTHENTICATION_FAILED
Expected results:
Successful authentication from any FreeIPA client loaded including another linux distribution.
Additional info:
Can you make the actual traces available? It looks like MSFT has published this guideline: https://support.microsoft.com/en-us/topic/kb5040268-how-to-manage-the-access-request-packets-attack-vulnerability-associated-with-cve-2024-3596-a0e2f0b1-f200-4a7b-844f-48d1d5ab9e66
In order to implement this, I think libkrad needs to be extended to provide automatic insertion of the Message-Authenticator attribute (https://www.rfc-editor.org/rfc/rfc3579#section-3.2) based on some API-passed flags. I'd leave design of that to MIT Kerberos folks.
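The Message-Authenticator calculation from RFC 3579 section 3.2 referenced in the comment above, as an added example (not libkrad code and not part of the original report): a client-side Python sketch that signs an Access-Request and checks the attribute on a reply. The function names, and placing the attribute first, are assumptions of this sketch.

```python
import hashlib
import hmac
import struct

MESSAGE_AUTHENTICATOR = 80  # attribute type, RFC 3579 section 3.2
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2


def attr(attr_type, value):
    """Encode one attribute as type, length, value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def message_authenticator(secret, code, ident, authenticator, attrs):
    # HMAC-MD5 over Code, Identifier, Length, 16-octet authenticator, attributes
    header = struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator
    return hmac.new(secret, header + attrs, hashlib.md5).digest()


def build_request(secret, ident, request_auth, attrs):
    """Access-Request with Message-Authenticator as the first attribute."""
    zeroed = attr(MESSAGE_AUTHENTICATOR, bytes(16)) + attrs
    mac = message_authenticator(secret, ACCESS_REQUEST, ident, request_auth, zeroed)
    body = attr(MESSAGE_AUTHENTICATOR, mac) + attrs
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body))
    return header + request_auth + body


def verify(secret, packet, request_auth=None):
    """True/False when the attribute is present, None when it is absent."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    # A reply is checked against the Request Authenticator of its request.
    authenticator = packet[4:20] if request_auth is None else request_auth
    attrs = bytearray(packet[20:length])
    pos, received = 0, None
    while pos + 2 <= len(attrs):
        attr_type, attr_len = attrs[pos], attrs[pos + 1]
        if attr_len < 2 or pos + attr_len > len(attrs):
            return False  # malformed attribute list
        if attr_type == MESSAGE_AUTHENTICATOR:
            if attr_len != 18:
                return False
            received = bytes(attrs[pos + 2:pos + 18])
            attrs[pos + 2:pos + 18] = bytes(16)  # zero it before hashing
        pos += attr_len
    if received is None:
        return None
    expected = message_authenticator(secret, code, ident, authenticator, bytes(attrs))
    return hmac.compare_digest(received, expected)
```

A `None` result is the case a client has to decide on explicitly: the packet parsed, but carried no Message-Authenticator to check.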
Thanks for your interest, Alexander. As I understand it, krb5 should be upgraded by the Kerberos folks. Am I right? By the way, I missed that my FreeIPA server is running on Fedora 40. So should I still wait for the Kerberos folks, or is there anything we can do by ourselves? Lastly, do you have any connection with the MIT Kerberos folks to assign this topic to? Could you give us a hand? :)
It is something that has to be implemented first, that's why I moved this bug to krb5 package. Its maintainer will have to work on it. There is no plan yet when this work would be done, so don't expect any fix any time soon.
FYI, a similar issue is reproducible with default FreeRADIUS setup after the fix for CVE-2024-3596 was fixed. This should help with development of the fix on libkrad side.
Rawhide RPM dist-git merge request: https://src.fedoraproject.org/rpms/krb5/pull-request/58
Fedora 41 RPM dist-git merge request: https://src.fedoraproject.org/rpms/krb5/pull-request/59
Fedora 40 RPM dist-git merge request: https://src.fedoraproject.org/rpms/krb5/pull-request/60
Fedora 39 RPM dist-git merge request: https://src.fedoraproject.org/rpms/krb5/pull-request/61
FEDORA-2024-ed15d25bf3 (krb5-1.21.3-3.fc42) has been submitted as an update to Fedora 42. https://bodhi.fedoraproject.org/updates/FEDORA-2024-ed15d25bf3
FEDORA-2024-862f5c4156 (krb5-1.21.3-2.fc39) has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2024-862f5c4156
FEDORA-2024-29a74ac2b0 (krb5-1.21.3-2.fc40) has been submitted as an update to Fedora 40. https://bodhi.fedoraproject.org/updates/FEDORA-2024-29a74ac2b0
FEDORA-2024-c0961d31b8 (krb5-1.21.3-3.fc41) has been submitted as an update to Fedora 41. https://bodhi.fedoraproject.org/updates/FEDORA-2024-c0961d31b8
FEDORA-2024-ed15d25bf3 (krb5-1.21.3-3.fc42) has been pushed to the Fedora 42 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2024-862f5c4156 has been pushed to the Fedora 39 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-862f5c4156` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-862f5c4156 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2024-29a74ac2b0 has been pushed to the Fedora 40 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-29a74ac2b0` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-29a74ac2b0 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2024-c0961d31b8 has been pushed to the Fedora 41 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-c0961d31b8` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-c0961d31b8 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Hello team, Firstly, thanks for your interest. I got the updates that were released for this topic and it solved my problem. Again, thanks to all the community.
Thank you for the confirmation, Onur!
FEDORA-2024-c0961d31b8 (krb5-1.21.3-3.fc41) has been pushed to the Fedora 41 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2024-29a74ac2b0 (krb5-1.21.3-2.fc40) has been pushed to the Fedora 40 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2024-862f5c4156 (krb5-1.21.3-2.fc39) has been pushed to the Fedora 39 stable repository. If problem still persists, please make note of it in this bug report.