Message-ID: <CAOGQQ28HCe9Kjo7U7K_4pa+Fm6wy_EEUo_Fn0VYde_LEnPVVVw@mail.gmail.com>
Date: Tue, 30 Sep 2025 12:04:48 -0300
From: Marco Benatto <mbenatto@...hat.com>
To: oss-security@...ts.openwall.com
Subject: FreeIPA - CVE-2025-7493 - Privilege Escalation from host to domain admin

Hello all,

Please find the announcement of a privilege escalation vulnerability
in FreeIPA below.

Upstream release note:

https://www.freeipa.org/release-notes/4-12-5.html

==== Security Report ====

* CVE-2025-7493

Continuation of CVE-2025-4404 due to incomplete uniqueness checks for multiple
Kerberos attributes. In CVE-2025-4404 it was found that uniqueness of the
canonical Kerberos principal name and its aliases was not complete. We further
found that cross-attribute uniqueness was not possible to enforce in 389-ds
LDAP server. As a result, it was still possible to add an alias of 'root' to a
Kerberos service principal controlled by a system already enrolled into IPA.

In order to prevent further attacks on existing Kerberos principals and
aliases, the 389-ds LDAP server uniqueness plugin was extended to allow
cross-attribute uniqueness checks with custom LDAP match rules. The 389-ds
upstream issue https://github.com/389ds/389-ds-base/issues/6857 was fixed in
all supported 389-ds releases. The FreeIPA fix for CVE-2025-7493 relies on this
change.
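The collision the 389-ds plugin now rejects can also be audited offline on an existing deployment. The following is an added example, not code from the advisory or the FreeIPA project: it walks exported principal entries and reports every name that more than one entry could authenticate as (an alias on one entry equal to the canonical name or an alias of another). The sample entries, DNs, realm and hostnames are constructed, and the case-insensitive comparison is an assumed, conservative audit choice.

```python
# Added example (not from the FreeIPA project or this advisory): offline audit
# of exported Kerberos principal entries for the cross-attribute collisions
# behind CVE-2025-4404/CVE-2025-7493, i.e. a krbPrincipalName alias on one
# entry that equals the krbCanonicalName (or an alias) of a different entry.
from collections import defaultdict

# Constructed sample entries in the shape of a FreeIPA LDAP export; DNs, realm
# and hostnames are hypothetical. The host entry carries an alias that collides
# with an alias of the admin user, which is the condition the plugin now blocks.
SAMPLE_ENTRIES = [
    {"dn": "uid=admin,cn=users,cn=accounts,dc=ipa,dc=test",
     "krbCanonicalName": "admin@IPA.TEST",
     "krbPrincipalName": ["admin@IPA.TEST", "root@IPA.TEST"]},
    {"dn": "fqdn=client.ipa.test,cn=computers,cn=accounts,dc=ipa,dc=test",
     "krbCanonicalName": "host/client.ipa.test@IPA.TEST",
     "krbPrincipalName": ["host/client.ipa.test@IPA.TEST", "root@IPA.TEST"]},
    {"dn": "krbprincipalname=HTTP/web.ipa.test@IPA.TEST,cn=services,"
           "cn=accounts,dc=ipa,dc=test",
     "krbCanonicalName": "HTTP/web.ipa.test@IPA.TEST",
     "krbPrincipalName": ["HTTP/web.ipa.test@IPA.TEST"]},
]


def principal_names(entry):
    """All names an entry can authenticate as: canonical name plus aliases."""
    names = set(entry.get("krbPrincipalName", []))
    if entry.get("krbCanonicalName"):
        names.add(entry["krbCanonicalName"])
    # Assumed normalisation: Kerberos itself compares principals
    # case-sensitively, but flagging near-duplicates is the safer audit default.
    return {name.lower() for name in names}


def find_principal_collisions(entries):
    """Return {principal: [dn, ...]} for every name claimed by >1 entry."""
    owners = defaultdict(list)
    for entry in entries:
        for name in principal_names(entry):
            owners[name].append(entry["dn"])
    return {name: dns for name, dns in owners.items() if len(dns) > 1}


if __name__ == "__main__":
    for name, dns in find_principal_collisions(SAMPLE_ENTRIES).items():
        print(f"COLLISION {name}: {', '.join(dns)}")
```

On a real deployment, feed the function entries exported with the krbCanonicalName and krbPrincipalName attributes from cn=accounts and cn=services; any reported collision is an entry to inspect before or after the upgrade.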

Additionally, the FreeIPA team has decided to apply a Kerberos policy of rejecting
any ticket that lacks a PAC structure in the evidence tickets presented in
service ticket requests sent to the IPA Kerberos KDC.

The PAC structure in Kerberos tickets contains a number of individual buffers that
encode information about the Kerberos client principal available to the Kerberos
KDC. The structure is cryptographically signed and also contains additional
signatures that can be validated by both the KDC and the service that will receive
the ticket.

Since FreeIPA 4.9.0, new deployments are always configured to associate security
identifier (SID) information with each IPA user account and use it to issue
PACs. Machines enrolled into the IPA environment and their Kerberos services also
get associated well-known SIDs. This allows issuing and validating PAC
structures with information known about the client principal, whether they are
from the IPA realm or come from trusted Active Directory domains. MIT
Kerberos 1.20 or later also adds cryptographically signed information about the
Kerberos principal that was used to request a Kerberos ticket. This additional
information allows application services to prevent account spoofing. To date,
only SSSD has enabled automated PAC validation on the client side.

To help applications, the CVE-2025-7493 fix is to reject ticket requests that ask
for a Kerberos service ticket with an evidence ticket that lacks a PAC
structure. PAC structure content is already validated against the original
requester information.

The fix at the Kerberos KDC side cannot help in environments where SIDs
aren't associated with the Kerberos principals and no PAC is issued at all. We
urge FreeIPA administrators to upgrade their deployments and enable the use of SIDs
and PAC generation to prevent the attacks associated with identity spoofing
through the Kerberos protocol.

FreeIPA identity mapping is described in detail in the following design page:
https://freeipa.readthedocs.io/en/latest/designs/id-mapping.html

Red Hat's knowledge base also has practical articles that help enable SIDs for
existing IPA deployments:
- "POSIX IDs, SIDs and IDRanges in IPA",
https://access.redhat.com/articles/7027037
- "When upgrading to RHEL9, IDM users are not able to login anymore.",
https://access.redhat.com/solutions/7014959

=====

Marco Benatto
Red Hat Product Security
secalert@...hat.com for urgent response
