FreeIPA Kerberos TGS-REQ Key Misuse Enables Brute-Force Password Decryption
CVE-2024-3183 Published on June 12, 2024

Freeipa: user can obtain a hash of the passwords of all domain users and perform offline brute force
A vulnerability was found in FreeIPA in a way when a Kerberos TGS-REQ is encrypted using the clients session key. This key is different for each new session, which protects it from brute force attacks. However, the ticket it contains is encrypted using the target principal key directly. For user principals, this key is a hash of a public per-principal randomly-generated salt and the users password. If a principal is compromised it means the attacker would be able to retrieve tickets encrypted to any principal, all of them being encrypted by their own key directly. By taking these tickets and salts offline, the attacker could run brute force attacks to find character strings able to decrypt tickets when combined to a principal salt (i.e. find the principals password).

Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory NVD

Vulnerability Analysis

CVE-2024-3183 can be exploited with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality and integrity, and no impact on availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
LOW
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
HIGH
Availability Impact:
NONE

Timeline

Reported to Red Hat.

Made public. 81 days later.

Weakness Type

Use of Password Hash With Insufficient Computational Effort

The software generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive.


Products Associated with CVE-2024-3183

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2024-3183 are published in these products:

Red Hat Enterprise Linux (RHEL)
 
Red Hat Enterprise Linux Aus
 
Red Hat Enterprise Linux Tus
 
Red Hat Enterprise Linux Eus
 
Red Hat Enterprise Linux Update Services Sap Solutions
 
Freeipa
 
Red Hat Rhel Aus
 
Red Hat Rhel E4s
 
Red Hat Rhel Tus
 
Red Hat Rhel Eus
 

Exploit Probability

EPSS
21.23%
Percentile
95.55%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.