Bug 901864 - (CVE-2013-0199) CVE-2013-0199 ipa: cross-realm kerberos with AD information leak
CVE-2013-0199 ipa: cross-realm kerberos with AD information leak
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
: Security
Depends On: 902481 903391
Blocks: 855229 870243
  Show dependency treegraph
Reported: 2013-01-19 12:44 EST by Vincent Danen
Modified: 2013-02-20 10:45 EST (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2013-02-20 10:45:17 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Vincent Danen 2013-01-19 12:44:46 EST
FreeIPA 3.0 introduced a Cross-Realm Kerberos trusts with Active Directory, a feature that allows IPA administrators to create a Kerberos trust with an AD.  This allows IPA users to be able to access resources in AD trusted domains and vice versa.

When the Kerberos trust is created, an outgoing and incoming keys are stored in the IPA LDAP backend (in ipaNTTrustAuthIncoming and ipaNTTrustAuthOutgoing attributes).  However, the IPA LDAP ACIs allow anonymous read acess to these attributes which could allow an unprivileged and unauthenticated user to read the keys.  With these keys, an attacker could craft an invented Kerberos ticket with an invented PAC, encrypt the PAC with the retrieved key, and impersonate any AD user in the IPA domain or impersonate any IPA user in the AD domain.

This issue affects Fedora 18, which provides FreeIPA 3.x.


Red Hat would like to thank Martin Kosek of Red Hat for reporting this issue.


Not vulnerable. This issue did not affect the versions of ipa as shipped with Red Hat Enterprise Linux 6 as they did not include support for Cross-Realm Kerberos trusts with Active Directory.
Comment 2 Vincent Danen 2013-01-23 16:27:37 EST
External References:

Comment 3 Vincent Danen 2013-01-23 16:28:08 EST
Created freeipa tracking bugs for this issue

Affects: fedora-18 [bug 903391]
Comment 4 Fedora Update System 2013-02-01 23:22:59 EST
freeipa-3.1.2-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.