ipa-4.11.0-15.el9_4.ML.1

Errata ID: AXSA:2024-8146:07

Release date: Thursday, June 13, 2024 - 13:49
Subject: ipa-4.11.0-15.el9_4.ML.1
Affected Channels: MIRACLE LINUX 9 for x86_64
Severity: High
Description: 

Cybertrust Japan Co., Ltd. Identity Management (IdM) is a centralized authentication, identity management, and authorization solution for both traditional and cloud-based enterprise environments.

Security Fix(es):

* freeipa: delegation rules allow a proxy service to impersonate any user to access another target service (CVE-2024-2698)
* freeipa: user can obtain a hash of the passwords of all domain users and perform offline brute force (CVE-2024-3183)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2024-2698
A vulnerability was found in FreeIPA in how the initial implementation of MS-SFU by MIT Kerberos was missing a condition for granting the "forwardable" flag on S4U2Self tickets. Fixing this mistake required adding a special case to the check_allowed_to_delegate() function: if the target service argument is NULL, the KDC is probing for general constrained delegation rules rather than checking a specific S4U2Proxy request. In FreeIPA 4.11.0, the behavior of ipadb_match_acl() was modified to match the changes from upstream MIT Kerberos 1.20. However, a mistake resulted in this mechanism applying both in cases where the target service argument is set AND in cases where it is unset. This results in S4U2Proxy requests being accepted regardless of whether or not there is a matching service delegation rule.
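The logic flaw above, as an added illustration that is not FreeIPA code: a simplified, hypothetical delegation-rule matcher in which the NULL-target "probe" shortcut is wrongly applied to every call (match_acl_buggy), beside the corrected form that checks the concrete target against a rule (match_acl_fixed). Rule contents and principal names are constructed.

```c
/* Simplified model of the delegation ACL check described for CVE-2024-2698.
 * Hypothetical names; this is not the FreeIPA ipadb_match_acl() implementation. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* A constrained-delegation rule: proxy service -> allowed target service. */
struct delegation_rule {
    const char *proxy;
    const char *target;
};

/* Constructed sample rules: the only rule lets HTTP/web delegate to ldap/ds. */
static const struct delegation_rule rules[] = {
    { "HTTP/web.example.test", "ldap/ds.example.test" },
};
static const size_t nrules = sizeof rules / sizeof rules[0];

/* The probe question: does any rule name this proxy at all? */
static bool proxy_has_any_rule(const char *proxy) {
    for (size_t i = 0; i < nrules; i++)
        if (strcmp(rules[i].proxy, proxy) == 0)
            return true;
    return false;
}

/* Flawed matcher: the probe shortcut runs whether or not a target is given,
 * so the requested target is never compared against the rule and any
 * S4U2Proxy request from a proxy with at least one rule is accepted. */
bool match_acl_buggy(const char *proxy, const char *target) {
    (void)target;                       /* target is ignored entirely */
    return proxy_has_any_rule(proxy);
}

/* Corrected matcher: the shortcut applies only to the probe (target == NULL);
 * a real S4U2Proxy request needs a rule naming exactly that target. */
bool match_acl_fixed(const char *proxy, const char *target) {
    if (target == NULL)                 /* KDC probing for general rules */
        return proxy_has_any_rule(proxy);
    for (size_t i = 0; i < nrules; i++)
        if (strcmp(rules[i].proxy, proxy) == 0 &&
            strcmp(rules[i].target, target) == 0)
            return true;
    return false;                       /* no matching delegation rule */
}
```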
CVE-2024-3183
A vulnerability was found in FreeIPA in the way a Kerberos TGS-REQ is encrypted using the client's session key. This key is different for each new session, which protects it from brute force attacks. However, the ticket it contains is encrypted using the target principal key directly. For user principals, this key is a hash of a public, per-principal, randomly generated salt and the user's password. If a principal is compromised, the attacker would be able to retrieve tickets encrypted to any principal, all of them being encrypted with their own key directly. By taking these tickets and salts offline, the attacker could run brute force attacks to find character strings able to decrypt tickets when combined with a principal salt (i.e. find the principal's password).

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. ipa-4.11.0-15.el9_4.ML.1.src.rpm
    MD5: dc0407d6ca4557dcddd9cd9858356ce3
    SHA-256: e0607069b713e4406e21b829c84a11bb8d5b7d0494e1b125f6bba48ef167ca02
    Size: 13.97 MB

Asianux Server 9 for x86_64
  1. ipa-client-4.11.0-15.el9_4.ML.1.x86_64.rpm
    MD5: 9f401166834c8430e430088e21c11dcb
    SHA-256: 9e55b6b7bf7f7a4e251b9c7a83b1a59ed080a6465c69faea2b7eebed71d31bbf
    Size: 132.36 kB
  2. ipa-client-common-4.11.0-15.el9_4.ML.1.noarch.rpm
    MD5: a64414f2a82afbee41918ef668a3e705
    SHA-256: 7cde74a3f6a23269a33f3a0ac723365e768ee4ce1c6a2902b97d0eb9d3b53e52
    Size: 41.20 kB
  3. ipa-client-epn-4.11.0-15.el9_4.ML.1.x86_64.rpm
    MD5: d71c7b8446053ae63ec532c6659702f4
    SHA-256: 894e7a696c8a4654671445fa3733bf643cfb6796b157d65fcb51d1ccfd43b9b8
    Size: 40.58 kB
  4. ipa-client-samba-4.11.0-15.el9_4.ML.1.x86_64.rpm
    MD5: 96bfe5b1242c68c3a7cf33541d4c2f46
    SHA-256: 337e399c7af75c2ce495f5bad8c597aad3fb1dd8f71472996439b21edaf2fe93
    Size: 35.91 kB
  5. ipa-common-4.11.0-15.el9_4.ML.1.noarch.rpm
    MD5: 0b37702fee1a403fc9db1a668b8302ac
    SHA-256: 7fea55cba1279abf831ccfed8ba6c7b4b96417c64ad9674b53ab1e497c8cb8ba
    Size: 662.53 kB
  6. ipa-selinux-4.11.0-15.el9_4.ML.1.noarch.rpm
    MD5: 0f4a397a01ca91ee337d7b2870022acc
    SHA-256: 621590cbf7757b863bb8838d91e7d13b3133adcf546fec1786fd1b47cba8d7cf
    Size: 35.54 kB
  7. ipa-server-4.11.0-15.el9_4.ML.1.x86_64.rpm
    MD5: 419f2a0f8832508c7581e5547294ea63
    SHA-256: a98fe03c93d5413add1e67f5b13c5fb1c40f49325d04eb8cb287df9bb2da8b06
    Size: 417.80 kB
  8. ipa-server-common-4.11.0-15.el9_4.ML.1.noarch.rpm
    MD5: 84b14d8cc6b470f71893c3d486c54eb3
    SHA-256: 1c521cf8832034054aaf0440c26ee3e73f1f8f59a757583da2aad2b6522c957a
    Size: 495.12 kB
  9. ipa-server-dns-4.11.0-15.el9_4.ML.1.noarch.rpm
    MD5: bec4f65d36cc201a789a9632194a57a4
    SHA-256: 18188729cea96a2de9351cbf7dabc96bb50e89d5777c0f5fa3969f7a681afb79
    Size: 53.66 kB
  10. ipa-server-trust-ad-4.11.0-15.el9_4.ML.1.x86_64.rpm
    MD5: 7bb8d586fac28b6856c4452a4e26b586
    SHA-256: 45fab5cf2ec28e2cb192f0c2d4ec2153d0a8ac0bdbd6fbebbc6a24d9f59430b6
    Size: 150.58 kB
  11. python3-ipaclient-4.11.0-15.el9_4.ML.1.noarch.rpm
    MD5: 849f039c09554cb045a616c436966678
    SHA-256: 9f9d868ea71b726d0f0ca31a3a4349f3469a13f614b240e351fb374cbb3b8167
    Size: 655.48 kB
  12. python3-ipalib-4.11.0-15.el9_4.ML.1.noarch.rpm
    MD5: 7cfb4f96608ab404cf938cd2b36b9041
    SHA-256: 81e5853f31299a31fc1336037cd0e436b60ddd73f5636ba522b0c2901196614d
    Size: 670.29 kB
  13. python3-ipaserver-4.11.0-15.el9_4.ML.1.noarch.rpm
    MD5: 0a139ca51314468eba94d1645aeaf68c
    SHA-256: 6ba9371bd615ed0521283783583d1a18b8b9449fe5ab79946fe5e4f566cd454b
    Size: 1.48 MB
  14. python3-ipatests-4.11.0-15.el9_4.ML.1.noarch.rpm
    MD5: f3d00310d8eb2cbd10a8f14063c889de
    SHA-256: 5706da6597d2ed2d722f9de29e4a298bd11156785ab7c34d4b31405453dfb18f
    Size: 1.71 MB