Package | freeipa |
---|---|
Version | 4.7.2-3+deb10u2 (buster) |
Related CVEs | CVE-2019-10195 CVE-2019-14867 CVE-2023-5455 CVE-2024-3183 CVE-2024-11029 CVE-2025-4404 |
FreeIPA, an integrated security information management solution designed for Linux and Unix environments, was affected by multiple vulnerabilities.
CVE-2019-10195
FreeIPA's batch processing API logged its operations, including user passwords in clear text, on FreeIPA masters.
Batch processing of commands that take passwords as arguments or options is not performed by default in FreeIPA
but is possible through third-party components. An attacker with access to the system logs on a FreeIPA master
could use this flaw to read the passwords exposed in the log files.
CVE-2019-14867
A flaw was found in FreeIPA in the way the internal function ber_scanf() was used in some components
that parse Kerberos key data. An unauthenticated attacker who could trigger parsing of the krb principal
key could cause the IPA server to crash or, under some conditions, cause arbitrary code to be executed
on the host running the IPA server.
CVE-2024-3183
A flaw was found in FreeIPA in the way Kerberos tickets are protected. A Kerberos TGS-REQ is encrypted using the client's session key.
This key is different for each new session, which protects it from brute-force attacks. However,
the ticket it contains is encrypted directly with the target principal's key. For user principals,
this key is a hash of a public, per-principal randomly generated salt and the user's password.
If one principal is compromised, the attacker can retrieve tickets for any other principal,
each of them encrypted directly with that principal's own key.
By taking these tickets and salts offline, the attacker can run brute-force attacks to
find character strings which, combined with a principal's salt, decrypt its tickets (that is, recover the principal's password).
CVE-2024-11029
A flaw was found in the FreeIPA API audit, which sends the whole FreeIPA command line to the systemd journal (journalctl).
As a consequence, during the FreeIPA installation process it inadvertently writes the administrative
user's credentials, including the administrator password, to the journal database. In the worst case,
where the journal is centralized, anyone with read access to the central log can obtain the FreeIPA administrator credentials.
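Both CVE-2019-10195 and CVE-2024-11029 leave secrets in logs that an operator can and should hunt for after upgrading. The following scanner is an added example written for this advisory, not FreeIPA project code. It looks for the two shapes described above: an installer command line with a password option copied into the journal, and a logged batch() API call whose parameters include a password. The log lines are constructed for illustration, and the short option letters treated as password-bearing (-a, -p, -P, -w) are an assumption about the ipa-*-install tools; expect false positives, which is the acceptable failure mode for a leak hunt.

```python
"""Scan FreeIPA-related log lines for credentials recorded in clear text.

Added example for this advisory; not FreeIPA project code. Feed it
`journalctl -o cat` or the Apache error log from a master, and rotate
every credential it reports.
"""
import re
import sys
from typing import Dict, Iterable, List

# Constructed sample lines (not real captures). They imitate the shapes we
# hunt for; the exact wording of real log lines varies by FreeIPA version.
SAMPLE_LOG_LINES = [
    "Feb 03 10:12:41 ipa.example.test ipa-server-install[1203]: ipa-server-install "
    "--realm EXAMPLE.TEST --domain example.test -a Sup3rS3cret! --ds-password=DirMgr123",
    "Feb 03 10:15:02 ipa.example.test ipa-client-install[1310]: ipa-client-install "
    "--principal admin --password Sup3rS3cret! --unattended",
    "[Fri Feb 03 10:20:13 2023] [jsonserver_session] admin@EXAMPLE.TEST: "
    "batch(({'method': u'user_add', 'params': ([u'alice'], "
    "{'givenname': u'Alice', 'userpassword': u'Winter2023!'})},)): SUCCESS",
    "Feb 03 10:21:00 ipa.example.test ipa[1400]: admin@EXAMPLE.TEST: user_show(u'alice'): SUCCESS",
]

# Long options whose name contains "password"/"passwd"; the value follows "=" or whitespace.
LONG_OPT_RE = re.compile(
    r"(?P<name>--[\w-]*pass(?:word|wd)[\w-]*)(?P<sep>=|\s+)(?P<secret>\S+)"
)
# Short options. Assumption: -a/-p/-P (ipa-server-install) and -w (ipa-client-install)
# carry passwords. -p is --principal for ipa-client-install, so this over-reports.
# Values attached to the letter (-aSecret) are not matched.
SHORT_OPT_RE = re.compile(r"(?<!\S)(?P<name>-[apPw])(?P<sep>\s+)(?P<secret>\S+)")
# API parameters such as 'userpassword': u'...' or "password": "..." in a logged batch() call.
API_KEY_RE = re.compile(
    r"(?P<pre>['\"]?)(?P<name>userpassword|password)"
    r"(?P<mid>['\"]?\s*[:=]\s*u?['\"])(?P<secret>[^'\"]+)(?P<post>['\"])",
    re.IGNORECASE,
)
PATTERNS = (
    ("cli-option", LONG_OPT_RE),
    ("cli-option", SHORT_OPT_RE),
    ("api-param", API_KEY_RE),
)
REDACTED = "<REDACTED>"


def redact(line: str) -> str:
    """Return the line with every detected secret replaced by a placeholder."""
    def _mask(m):
        # Keep everything in the match except the secret group itself.
        return (m.string[m.start():m.start("secret")] + REDACTED
                + m.string[m.end("secret"):m.end()])
    for _, pattern in PATTERNS:
        line = pattern.sub(_mask, line)
    return line


def find_leaked_credentials(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Report each leak without reproducing the secret: line number, kind,
    option or parameter name, secret length, and a redacted copy of the line."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(lines, start=1):
        for kind, pattern in PATTERNS:
            for m in pattern.finditer(line):
                findings.append({
                    "line": lineno,
                    "kind": kind,
                    "name": m.group("name"),
                    "secret_length": len(m.group("secret")),
                    "redacted": redact(line),
                })
    return findings


if __name__ == "__main__":
    # Read from a pipe (e.g. `journalctl -o cat | python3 scan.py`), else use the samples.
    source = SAMPLE_LOG_LINES if sys.stdin.isatty() else (l.rstrip("\n") for l in sys.stdin)
    for f in find_leaked_credentials(source):
        print(f"line {f['line']}: {f['kind']} {f['name']} "
              f"({f['secret_length']} chars) -> {f['redacted']}")
```

The report deliberately carries only the length of each secret, not its value, so the scanner's own output does not become a second copy of the leak.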
CVE-2025-4404
A host-to-domain privilege escalation vulnerability was found in the FreeIPA project.
The FreeIPA package fails to validate the uniqueness of the `krbCanonicalName` for the admin
account by default, allowing users to create services with the same canonical name as the REALM admin.
After a successful attack, the user can retrieve a Kerberos ticket in the name of this service,
containing the admin@REALM credential. This flaw allows an attacker to perform administrative tasks over
the REALM, leading to access to, and exfiltration of, sensitive data.
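Upgrading stops new duplicate canonical names from being created, but a validation fix does not remove an entry an attacker has already planted, so the tree should be checked. The script below is an added example for this advisory, not FreeIPA project code: it parses an LDIF export of every `krbCanonicalName` in the accounts subtree and reports any name owned by more than one entry. The LDIF and the DNs in it are constructed; the ldapsearch invocation in the docstring is the assumed way to collect the real data.

```python
"""Find Kerberos principals that share a krbCanonicalName in a FreeIPA tree.

Added example for this advisory; not FreeIPA project code. Assumed collection
step (standard OpenLDAP client, run with an admin ticket; base DN is an example):

    ldapsearch -Y GSSAPI -LLL -b cn=accounts,dc=example,dc=test \\
        '(krbCanonicalName=*)' krbCanonicalName > principals.ldif

Then: python3 check_canonical.py principals.ldif
"""
import base64
import sys
from collections import defaultdict
from typing import Dict, List

# Constructed LDIF, imitating ldapsearch -LLL output. The third entry is the
# CVE-2025-4404 situation: a service whose canonical name equals the admin's.
# Its DN is folded across two lines, as LDIF permits.
SAMPLE_LDIF = """\
dn: uid=admin,cn=users,cn=accounts,dc=example,dc=test
krbCanonicalName: admin@EXAMPLE.TEST

dn: krbprincipalname=HTTP/ipa.example.test@EXAMPLE.TEST,cn=services,cn=accounts,dc=example,dc=test
krbCanonicalName: HTTP/ipa.example.test@EXAMPLE.TEST

dn: krbprincipalname=admin@EXAMPLE.TEST,cn=services,cn=accounts,dc=exa
 mple,dc=test
krbCanonicalName: admin@EXAMPLE.TEST

dn: fqdn=client.example.test,cn=computers,cn=accounts,dc=example,dc=test
krbCanonicalName: host/client.example.test@EXAMPLE.TEST
"""


def _unfold(text: str) -> List[str]:
    """Join LDIF continuation lines (those starting with a single space)."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse LDIF into a list of entries mapping lower-cased attribute names
    to value lists. Handles folding and base64 ("::") values; a URL value
    (":<") is kept verbatim, since it never occurs for krbCanonicalName."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in _unfold(text) + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    return entries


def canonical_name_owners(entries: List[Dict[str, List[str]]]) -> Dict[str, List[str]]:
    """Map each krbCanonicalName to the DNs that carry it, in file order."""
    owners: Dict[str, List[str]] = defaultdict(list)
    for entry in entries:
        for name in entry.get("krbcanonicalname", []):
            owners[name].extend(entry.get("dn", []))
    return owners


def find_collisions(entries: List[Dict[str, List[str]]]) -> Dict[str, List[str]]:
    """Return only the canonical names owned by more than one entry.
    Matching is exact: Kerberos principal lookup is case-sensitive."""
    return {name: dns for name, dns in canonical_name_owners(entries).items() if len(dns) > 1}


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_LDIF
    collisions = find_collisions(parse_ldif(text))
    for name, dns in collisions.items():
        print(f"{name} is claimed by {len(dns)} entries:")
        for dn in dns:
            print(f"    {dn}")
    sys.exit(1 if collisions else 0)
```

Any canonical name owned by more than one entry is a finding, but a collision on the admin principal specifically is the condition this CVE describes and should be treated as an indicator of compromise until the extra entry's origin is explained.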
For Debian 10 buster, these problems have been fixed in version 4.7.2-3+deb10u2.
We recommend that you upgrade your freeipa packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.