CVE-2024-3183

Name: CVE-2024-3183
Description: A vulnerability was found in FreeIPA in the way Kerberos service-ticket (TGS) exchanges are protected. The TGS exchange between the client and the KDC is encrypted with the client's session key, which is different for each new session and is therefore not exposed to brute force. However, the ticket carried in that exchange is encrypted directly with the target principal's long-term key. For user principals this key is derived from the user's password and a public, randomly generated per-principal salt. An attacker who has compromised any one principal can therefore request tickets for any other principal, each encrypted with that principal's own key, take the tickets and salts offline, and brute-force candidate strings until one, combined with the principal's salt, decrypts the ticket, i.e. recover that principal's password.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues)
Debian Bugs: 1077683
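The following is an added example, not FreeIPA or Debian code, that models the offline attack the description outlines: a ticket is sealed under a key derived from (salt, password) while the rest of the KDC reply is sealed under a fresh random session key, and an attacker who holds the ticket and the salt tries candidate passwords offline. The key derivation uses the PBKDF2-HMAC-SHA1 step and default 4096 iterations of the RFC 3962 string-to-key, but omits the AES-based DK() step, and the cipher is an HMAC-SHA256 counter-mode stand-in for the real AES enctypes; the principal name, salt, password and wordlist are constructed sample data, and `string_to_key`, `seal`, `unseal`, `issue_tgs_rep`, `crack` and `demo` are names chosen here.

```python
import hashlib
import hmac
import os

# Default PBKDF2 iteration count for the aes*-cts-hmac-sha1-96 enctypes (RFC 3962).
ITERATIONS = 4096
KEY_LEN = 32


def string_to_key(password: str, salt: bytes) -> bytes:
    """Derive a long-term key from a password and a per-principal salt.

    This is the PBKDF2-HMAC-SHA1 step of the RFC 3962 string-to-key; the real
    enctype applies a further AES-based DK() step, which this model omits.
    """
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, ITERATIONS, KEY_LEN)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a stand-in for the AES-CTS cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag (models a Kerberos EncryptedData)."""
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes):
    """Return the plaintext, or None if the key does not verify the tag."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


def issue_tgs_rep(target_key: bytes, session_key: bytes, ticket_plain: bytes, reply_plain: bytes):
    """What the KDC hands back: the ticket under the target principal's long-term
    key, the rest of the reply under the requester's per-session key."""
    return seal(target_key, ticket_plain), seal(session_key, reply_plain)


def crack(blob: bytes, salt: bytes, wordlist):
    """Offline dictionary attack: derive a key per candidate and test the tag.
    The salt only forces per-principal work; it does not stop the guessing."""
    for candidate in wordlist:
        if unseal(string_to_key(candidate, salt), blob) is not None:
            return candidate
    return None


def demo():
    # Constructed sample data (assumption): a FreeIPA-style random salt for the
    # target user, a weak password, and a wordlist that happens to contain it.
    salt = os.urandom(16)
    password = "Winter2024!"
    target_key = string_to_key(password, salt)
    session_key = os.urandom(KEY_LEN)  # fresh per session, never password-derived
    wordlist = ["password", "Summer2023", "Winter2024!", "hunter2"]

    ticket, enc_part = issue_tgs_rep(
        target_key, session_key, b"ticket for bob@EXAMPLE.TEST", b"session data"
    )
    return {
        "ticket_cracked": crack(ticket, salt, wordlist),      # "Winter2024!"
        "enc_part_cracked": crack(enc_part, salt, wordlist),  # None
    }


if __name__ == "__main__":
    print(demo())
```

The contrast in `demo()` is the point of the description: the session-key-protected part resists the same wordlist because its key is random and never derived from a password, while the ticket falls as soon as the target's password is in the wordlist. A KDC that refuses to issue tickets for user principals to arbitrary requesters removes the attacker's source of such ticket material.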

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package | Release | Version | Status
freeipa (PTS) | buster (security), buster, buster (lts) | 4.7.2-3+deb10u1 | vulnerable
freeipa | bookworm | 4.9.11-1 | vulnerable
freeipa | sid | 4.11.1-2.1 | vulnerable

The information below is based on the following data on fixed versions.

Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs
freeipa | source | buster | (unfixed) | end-of-life | |
freeipa | source | (unstable) | (unfixed) | unimportant | | 1077683

Notes

https://bugzilla.redhat.com/show_bug.cgi?id=2270685
https://pagure.io/freeipa/c/dfd4492efd47d45bcac4ee1d32d21cae91142df8
FreeIPA in Debian only builds the client packages, not the server (the KDC side, whose ticket issuance this issue concerns).
