|
| 1 | +FreeIPA 4.12.4 |
| 2 | +============== |
| 3 | + |
| 4 | +.. raw:: mediawiki |
| 5 | +
|
| 6 | + {{ReleaseDate|2025-06-17}} |
| 7 | +
|
| 8 | +The FreeIPA team would like to announce FreeIPA 4.12.4 release! |
| 9 | + |
| 10 | +It can be downloaded from http://www.freeipa.org/page/Downloads. Builds |
| 11 | +for Fedora distributions will be available from the official repository |
| 12 | +soon. |
| 13 | + |
| 14 | +.. _highlights_in_versions: |
| 15 | + |
| 16 | +Highlights in 4.12.4 |
| 17 | +------------------------- |
| 18 | + |
| 19 | +- CVE-2025-4404 |
| 20 | + |
| 21 | +In 2020 the FreeIPA team implemented an enforcement to prevent a local |
| 22 | +account takeover on IPA-enrolled clients by aliasing the 'root' account |
| 23 | +to the 'admin' Kerberos principal so that only administrators can |
| 24 | +request a Kerberos ticket for the 'root' alias. This type of attack was |
| 25 | +later discovered in Active Directory as well by Samba Team and dubbed |
| 26 | +'Dollar ticket attack' |
| 27 | +(https://wiki.samba.org/index.php/Security/Dollar_Ticket_Attack). |
| 28 | + |
| 29 | +The FreeIPA Kerberos implementation enforces uniqueness across Kerberos |
| 30 | +principals to ensure that a canonical Kerberos principal name and its |
| 31 | +aliases cannot be assigned twice to different accounts. Newly created |
| 32 | +user accounts, host machine accounts, and Kerberos service accounts will |
| 33 | +always have the canonical Kerberos principal name also set as an alias |
| 34 | +for the same account. |
| 35 | + |
| 36 | +However, as a part of the change in |
| 37 | +https://pagure.io/freeipa/issue/8326, there was no additional |
| 38 | +enforcement of the canonical Kerberos principal name for a pre-defined |
| 39 | +'admin' account. This allowed another authenticated Kerberos principal |
| 40 | +with privileges to add Kerberos principal aliases to create a canonical |
| 41 | +name for a controlled service that matched the 'admin' account. With |
| 42 | +additional Kerberos client-side manipulation it became possible to trick |
| 43 | +a service application into accepting such a ticket as an 'admin'. |
| 44 | + |
| 45 | +It is not possible to escalate this attack through IPA API due to |
| 46 | +certain Kerberos protocol extensions enforcement in IPA API endpoint. |
| 47 | +However, there is a possibility to trick an IPA LDAP server into it |
| 48 | +directly once a broken configuration was introduced into the IPA |
| 49 | +deployment. |
| 50 | + |
| 51 | +The fix for CVE-2025-4404 is to enforce the 'admin' account's canonical |
| 52 | +Kerberos principal name. Additionally, an upgrade code looks at possible |
| 53 | +compromised Kerberos entries and removes 'admin' account aliases from |
| 54 | +those entries. |
| 55 | + |
| 56 | +We would like to express our gratitude to Mikhail Sukhov (Positive |
| 57 | +Technologies) for discovering this vulnerability and reporting it to Red |
| 58 | +Hat Product Security team and the FreeIPA project. |
| 59 | + |
| 60 | +Enhancements |
| 61 | +~~~~~~~~~~~~ |
| 62 | + |
| 63 | +.. _known_issues: |
| 64 | + |
| 65 | +Known Issues |
| 66 | +~~~~~~~~~~~~ |
| 67 | + |
| 68 | +.. _bug_fixes: |
| 69 | + |
| 70 | +Bug fixes |
| 71 | +~~~~~~~~~ |
| 72 | + |
| 73 | +FreeIPA 4.12.4 is a security fix release. |
| 74 | + |
| 75 | +Details of the bug-fixes can be seen in the list of resolved tickets |
| 76 | +below. |
| 77 | + |
| 78 | +Upgrading |
| 79 | +--------- |
| 80 | + |
| 81 | +Upgrade instructions are available on |
| 82 | +`Upgrade <https://www.freeipa.org/page/Upgrade>`__ page. |
| 83 | + |
| 84 | +Feedback |
| 85 | +-------- |
| 86 | + |
| 87 | +Please provide comments, bugs and other feedback via the freeipa-users |
| 88 | +mailing list |
| 89 | +(https://lists.fedoraproject.org/archives/list/ [email protected]/) |
| 90 | +or #freeipa channel on libera.chat. |
| 91 | + |
| 92 | +Resolved tickets |
| 93 | +---------------- |
| 94 | + |
| 95 | +- `#9777 <https://pagure.io/freeipa/issue/9777>`__ kdb: |
| 96 | + ipadb_get_connection() succeeds but returns null LDAP context |
| 97 | + |
| 98 | +.. _detailed_changelog_since_4.12.3: |
| 99 | + |
| 100 | +Detailed changelog since 4.12.3 |
| 101 | +------------------------------- |
| 102 | + |
| 103 | +.. _antonio_torres_1: |
| 104 | + |
| 105 | +Antonio Torres (1) |
| 106 | +~~~~~~~~~~~~~~~~~~ |
| 107 | + |
| 108 | +- Become IPA 4.12.4 |
| 109 | + `commit <https://pagure.io/freeipa/c/f2fc367fb00193a8ca8a1f22786fccd6b0024dac>`__ |
| 110 | + |
| 111 | +.. _julien_rische_1: |
| 112 | + |
| 113 | +Julien Rische (1) |
| 114 | +~~~~~~~~~~~~~~~~~ |
| 115 | + |
| 116 | +- kdb: keep ipadb_get_connection() from succeeding with null LDAP |
| 117 | + context |
| 118 | + `commit <https://pagure.io/freeipa/c/6ae52a2fb451bbe57a4f0c584e14bca0274b85e8>`__ |
| 119 | + `#9777 <https://pagure.io/freeipa/issue/9777>`__ |
| 120 | + |
| 121 | +.. _rob_crittenden_1: |
| 122 | + |
| 123 | +Rob Crittenden (1) |
| 124 | +~~~~~~~~~~~~~~~~~~ |
| 125 | + |
| 126 | +- Set krbCanonicalName=admin@REALM on the admin user |
| 127 | + `commit <https://pagure.io/freeipa/c/e8c410ae5f7cdd36fecba66713ca94bd47465122>`__ |
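Review bot: the "Enhancements" (file line 60) and "Known Issues" (file line 65) headings have no body text under them; either state explicitly that there are none for this release or drop the empty sections, since an empty "Known Issues" heading reads as if content was lost. Two smaller points in the same hunk: the freeipa-users mailing-list URL on file line 89 contains `[email protected]` in place of the list address, so the rendered link will be broken and should be checked against the source; and the "Resolved tickets" list names only #9777 while the release is described as a security fix for CVE-2025-4404, so a ticket or advisory reference for the CVE fix and for the alias-removing upgrade step would make the fix traceable for administrators auditing their deployments.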