CVE-2024-2698

A vulnerability was found in FreeIPA in how the initial implementation of MS-SFU by MIT Kerberos was missing a condition for granting the "forwardable" flag on S4U2Self tickets. Fixing this mistake required adding a special case for the check_allowed_to_delegate() function: If the target service argument is NULL, then it means the KDC is probing for general constrained delegation rules and not checking a specific S4U2Proxy request.

In FreeIPA 4.11.0, the behavior of ipadb_match_acl() was modified to match the changes from upstream MIT Kerberos 1.20. However, a mistake resulting in this mechanism applies in cases where the target service argument is set AND where it is unset. This results in S4U2Proxy requests being accepted regardless of whether or not there is a matching service delegation rule.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8.8 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
redhatCNA
8.8 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA-ADPADP
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 74%
VendorProductVersion
freeipafreeipa
4.11.0 ≤
𝑥
< 4.11.2
freeipafreeipa
4.12.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
freeipa
bookworm
unimportant
sid
4.12.2-3
fixed
trixie
4.12.2-3
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
freeipa
plucky
needs-triage
oracular
needs-triage
noble
needs-triage
mantic
ignored
jammy
needs-triage
focal
needs-triage
bionic
needs-triage
xenial
needs-triage
trusty
needs-triage
Common Weakness Enumeration
References
https://access.redhat.com/errata/RHSA-2024:3754
https://access.redhat.com/errata/RHSA-2024:3755
https://access.redhat.com/errata/RHSA-2024:3757
https://access.redhat.com/errata/RHSA-2024:3759
https://access.redhat.com/security/cve/CVE-2024-2698
https://bugzilla.redhat.com/show_bug.cgi?id=2270353
https://www.freeipa.org/release-notes/4-12-1.html
https://access.redhat.com/errata/RHSA-2024:3754
https://access.redhat.com/errata/RHSA-2024:3755
https://access.redhat.com/errata/RHSA-2024:3757
https://access.redhat.com/errata/RHSA-2024:3759
https://access.redhat.com/security/cve/CVE-2024-2698
https://bugzilla.redhat.com/show_bug.cgi?id=2270353
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WT3JL7JQDIAFKKEFARWYES7GZNWGQNCI/
https://www.freeipa.org/release-notes/4-12-1.html