Red Hat Bugzilla – Bug 901864
CVE-2013-0199 ipa: cross-realm kerberos with AD information leak
Last modified: 2013-02-20 10:45:17 EST
FreeIPA 3.0 introduced a Cross-Realm Kerberos trusts with Active Directory, a feature that allows IPA administrators to create a Kerberos trust with an AD. This allows IPA users to be able to access resources in AD trusted domains and vice versa.
When the Kerberos trust is created, an outgoing and incoming keys are stored in the IPA LDAP backend (in ipaNTTrustAuthIncoming and ipaNTTrustAuthOutgoing attributes). However, the IPA LDAP ACIs allow anonymous read acess to these attributes which could allow an unprivileged and unauthenticated user to read the keys. With these keys, an attacker could craft an invented Kerberos ticket with an invented PAC, encrypt the PAC with the retrieved key, and impersonate any AD user in the IPA domain or impersonate any IPA user in the AD domain.
This issue affects Fedora 18, which provides FreeIPA 3.x.
Red Hat would like to thank Martin Kosek of Red Hat for reporting this issue.
Not vulnerable. This issue did not affect the versions of ipa as shipped with Red Hat Enterprise Linux 6 as they did not include support for Cross-Realm Kerberos trusts with Active Directory.
Created freeipa tracking bugs for this issue
Affects: fedora-18 [bug 903391]
freeipa-3.1.2-1.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.