Bug 2270685 (CVE-2024-3183) - CVE-2024-3183 freeipa: user can obtain a hash of the passwords of all domain users and perform offline brute force
Summary: CVE-2024-3183 freeipa: user can obtain a hash of the passwords of all domain ...
Keywords:
Status: NEW
Alias: CVE-2024-3183
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2291164
Blocks: 2270687
TreeView+ depends on / blocked
 
Reported: 2024-03-21 12:39 UTC by Rohit Keshri
Modified: 2024-10-10 13:51 UTC (History)
8 users (show)

Fixed In Version: FreeIPA 4.11.2, FreeIPA 4.12.1
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in FreeIPA in a way when a Kerberos TGS-REQ is encrypted using the client’s session key. This key is different for each new session, which protects it from brute force attacks. However, the ticket it contains is encrypted using the target principal key directly. For user principals, this key is a hash of a public per-principal randomly-generated salt and the user’s password. If a principal is compromised it means the attacker would be able to retrieve tickets encrypted to any principal, all of them being encrypted by their own key directly. By taking these tickets and salts offline, the attacker could run brute force attacks to find character strings able to decrypt tickets when combined to a principal salt (i.e. find the principal’s password).
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2024:3932 0 None None None 2024-06-14 00:35:38 UTC
Red Hat Product Errata RHBA-2024:3933 0 None None None 2024-06-14 00:44:19 UTC
Red Hat Product Errata RHBA-2024:3940 0 None None None 2024-06-17 01:01:39 UTC
Red Hat Product Errata RHSA-2024:3754 0 None None None 2024-06-10 14:06:41 UTC
Red Hat Product Errata RHSA-2024:3755 0 None None None 2024-06-10 14:17:40 UTC
Red Hat Product Errata RHSA-2024:3756 0 None None None 2024-06-10 13:59:49 UTC
Red Hat Product Errata RHSA-2024:3757 0 None None None 2024-06-10 14:44:18 UTC
Red Hat Product Errata RHSA-2024:3758 0 None None None 2024-06-10 13:53:45 UTC
Red Hat Product Errata RHSA-2024:3759 0 None None None 2024-06-10 14:21:39 UTC
Red Hat Product Errata RHSA-2024:3760 0 None None None 2024-06-10 15:30:58 UTC
Red Hat Product Errata RHSA-2024:3761 0 None None None 2024-06-10 14:44:03 UTC
Red Hat Product Errata RHSA-2024:3775 0 None None None 2024-06-10 15:03:57 UTC

Description Rohit Keshri 2024-03-21 12:39:28 UTC
A low-privileged user can obtain a hash of the passwords of all domain users and perform offline brute force (kerberoasting).

It was found that all users who have TGT Kerberos tickets can request TGS for another user's principal. And since the “krbPrincipalKey” value for users is created based on their password, kerberoasting attacks on TGS tickets are possible. A potential attacker can brute force the password by requesting TGS for other users.

Comment 9 Sandipan Roy 2024-06-10 13:16:33 UTC
Created freeipa tracking bugs for this issue:

Affects: fedora-all [bug 2291164]

Comment 10 errata-xmlrpc 2024-06-10 13:53:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support

Via RHSA-2024:3758 https://access.redhat.com/errata/RHSA-2024:3758

Comment 11 errata-xmlrpc 2024-06-10 13:59:47 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2024:3756 https://access.redhat.com/errata/RHSA-2024:3756

Comment 12 errata-xmlrpc 2024-06-10 14:06:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:3754 https://access.redhat.com/errata/RHSA-2024:3754

Comment 13 errata-xmlrpc 2024-06-10 14:17:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:3755 https://access.redhat.com/errata/RHSA-2024:3755

Comment 14 errata-xmlrpc 2024-06-10 14:21:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:3759 https://access.redhat.com/errata/RHSA-2024:3759

Comment 15 errata-xmlrpc 2024-06-10 14:44:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2024:3761 https://access.redhat.com/errata/RHSA-2024:3761

Comment 16 errata-xmlrpc 2024-06-10 14:44:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:3757 https://access.redhat.com/errata/RHSA-2024:3757

Comment 17 errata-xmlrpc 2024-06-10 15:03:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2024:3775 https://access.redhat.com/errata/RHSA-2024:3775

Comment 18 errata-xmlrpc 2024-06-10 15:30:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2024:3760 https://access.redhat.com/errata/RHSA-2024:3760


Note You need to log in before you can comment on or make changes to this bug.