FKIE_CVE-2024-2698

Vulnerability from fkie_nvd - Published: 2024-06-12 08:15 - Updated: 2024-11-24 17:15
Severity ?
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
A vulnerability was found in FreeIPA in how the initial implementation of MS-SFU by MIT Kerberos was missing a condition for granting the "forwardable" flag on S4U2Self tickets. Fixing this mistake required adding a special case for the check_allowed_to_delegate() function: If the target service argument is NULL, then it means the KDC is probing for general constrained delegation rules and not checking a specific S4U2Proxy request. In FreeIPA 4.11.0, the behavior of ipadb_match_acl() was modified to match the changes from upstream MIT Kerberos 1.20. However, a mistake resulting in this mechanism applies in cases where the target service argument is set AND where it is unset. This results in S4U2Proxy requests being accepted regardless of whether or not there is a matching service delegation rule.
References
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2024:3754Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2024:3755Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2024:3757Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2024:3759Vendor Advisory
secalert@redhat.comhttps://access.redhat.com/security/cve/CVE-2024-2698Vendor Advisory
secalert@redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=2270353Issue Tracking, Mitigation, Vendor Advisory
secalert@redhat.comhttps://www.freeipa.org/release-notes/4-12-1.htmlRelease Notes
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2024:3754Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2024:3755Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2024:3757Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2024:3759Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/security/cve/CVE-2024-2698Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://bugzilla.redhat.com/show_bug.cgi?id=2270353Issue Tracking, Mitigation, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WT3JL7JQDIAFKKEFARWYES7GZNWGQNCI/
af854a3a-2127-422b-91ae-364da2661108https://www.freeipa.org/release-notes/4-12-1.htmlRelease Notes
Impacted products
Vendor Product Version
freeipa freeipa *
freeipa freeipa 4.12.0
redhat enterprise_linux 6.0
redhat enterprise_linux 7.0
redhat enterprise_linux 8.0
redhat enterprise_linux 9.0
redhat enterprise_linux_eus 8.8
redhat enterprise_linux_eus 9.2
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:freeipa:freeipa:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "83FB5CBD-9BCC-46AB-84F9-2848C185E23E",
              "versionEndExcluding": "4.11.2",
              "versionStartIncluding": "4.11.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:freeipa:freeipa:4.12.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "4F054F46-E717-43C4-BCA6-A0F12F81C670",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "7F6FB57C-2BC7-487C-96DD-132683AEB35D",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux_eus:8.8:*:*:*:*:*:*:*",
              "matchCriteriaId": "62C31522-0A17-4025-B269-855C7F4B45C2",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux_eus:9.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "3C74F6FA-FA6C-4648-9079-91446E45EE47",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A vulnerability was found in FreeIPA in how the initial implementation of MS-SFU by MIT Kerberos was missing a condition for granting the \"forwardable\" flag on S4U2Self tickets. Fixing this mistake required adding a special case for the check_allowed_to_delegate() function: If the target service argument is NULL, then it means the KDC is probing for general constrained delegation rules and not checking a specific S4U2Proxy request.\r\n\r\nIn FreeIPA 4.11.0, the behavior of ipadb_match_acl() was modified to match the changes from upstream MIT Kerberos 1.20. However, a mistake resulting in this mechanism applies in cases where the target service argument is set AND where it is unset. This results in S4U2Proxy requests being accepted regardless of whether or not there is a matching service delegation rule."
    },
    {
      "lang": "es",
      "value": "Se encontr\u00f3 una vulnerabilidad en FreeIPA en la que a la implementaci\u00f3n inicial de MS-SFU por parte de MIT Kerberos le faltaba una condici\u00f3n para otorgar el indicador \"reenviable\" en los tickets S4U2Self. Para corregir este error fue necesario agregar un caso especial para la funci\u00f3n check_allowed_to_delegate(): si el argumento del servicio de destino es NULL, entonces significa que el KDC est\u00e1 investigando reglas generales de delegaci\u00f3n restringida y no verificando una solicitud S4U2Proxy espec\u00edfica. En FreeIPA 4.11.0, el comportamiento de ipadb_match_acl() se modific\u00f3 para que coincida con los cambios del MIT Kerberos 1.20. Sin embargo, un error que resulta en este mecanismo se aplica en los casos en los que el argumento del servicio de destino est\u00e1 establecido Y donde no est\u00e1 establecido. Esto da como resultado que las solicitudes S4U2Proxy se acepten independientemente de si existe o no una regla de delegaci\u00f3n de servicios coincidente."
    }
  ],
  "id": "CVE-2024-2698",
  "lastModified": "2024-11-24T17:15:04.170",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "secalert@redhat.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-06-12T08:15:50.250",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2024:3754"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2024:3755"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2024:3757"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2024:3759"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/security/cve/CVE-2024-2698"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2270353"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://www.freeipa.org/release-notes/4-12-1.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2024:3754"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2024:3755"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2024:3757"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2024:3759"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://access.redhat.com/security/cve/CVE-2024-2698"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2270353"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WT3JL7JQDIAFKKEFARWYES7GZNWGQNCI/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes"
      ],
      "url": "https://www.freeipa.org/release-notes/4-12-1.html"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-863"
        }
      ],
      "source": "secalert@redhat.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-863"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.