CVE-2013-0199: Cross-Realm Trust key leak
FreeIPA 3.0 introduced Cross-Realm Kerberos trusts with Active Directory, a feature that allows IPA administrators to establish a Kerberos trust with an AD domain. This lets IPA users access resources in trusted AD domains and vice versa.
When the trust is created, the outgoing and incoming trust keys are stored in the IPA LDAP backend (in the ipaNTTrustAuthIncoming and ipaNTTrustAuthOutgoing attributes). However, the IPA LDAP ACIs allowed anonymous read access to these attributes, so an unprivileged user, or anyone able to perform an anonymous LDAP search against the IPA server, could read the keys. With these keys an attacker could impersonate users and services of the opposite domain by crafting Kerberos tickets.
All FreeIPA 3.x versions are affected.
The vulnerability is present only if AD Trusts are enabled and a trust relationship is in place.
The bug was found by the FreeIPA team during an internal review.
Administrators are advised to change their ACIs to block read access to the ipaNTTrustAuthIncoming and ipaNTTrustAuthOutgoing attributes for non-administrative users.
Once the new ACIs are in place it is recommended to change the trust password, since the keys may already have been read. This can be done by temporarily deleting and then recreating the trust agreement between the two domains using the ipa trust CLI commands.
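The following script is an added example of the manual mitigation above; it is not part of the advisory or of the FreeIPA code base. It builds an LDIF that adds a 389-ds deny ACI for the two attributes, verifies from an anonymous bind that they are no longer returned, and then rotates the secret by deleting and re-adding the trust. Everything deployment-specific is an assumption chosen for illustration: the suffix dc=example,dc=com, the server ipa.example.com, the trust entries living under cn=trusts,$SUFFIX with objectClass ipaNTTrustedDomain, the admins group DN, and the AD domain ad.example.com. One caveat the advisory does not spell out: the IPA-side Samba (ipasam) binds as the host's cifs service principal and needs to read these keys to serve the trust, so that principal is excluded from the deny rule; its DN below is likewise assumed.

```shell
#!/bin/sh
# Added example (not FreeIPA code): close the ACI hole for the trust key
# attributes, verify it from an anonymous bind, then rotate the trust secret.
# Assumed for illustration: suffix dc=example,dc=com, server ipa.example.com,
# trust entries under cn=trusts,$SUFFIX with objectClass ipaNTTrustedDomain,
# admins group cn=admins,cn=groups,cn=accounts,$SUFFIX, and the cifs service
# principal (used by the Samba/ipasam side) still needing read access.

SUFFIX="${SUFFIX:-dc=example,dc=com}"
LDAP_URI="${LDAP_URI:-ldap://ipa.example.com}"
AD_DOMAIN="${AD_DOMAIN:-ad.example.com}"
ADMINS_DN="cn=admins,cn=groups,cn=accounts,$SUFFIX"
CIFS_DN="${CIFS_DN:-krbprincipalname=cifs/ipa.example.com@EXAMPLE.COM,cn=services,cn=accounts,$SUFFIX}"

# LDIF adding a deny ACI on the trust container. The ACI syntax is 389-ds's;
# a deny rule wins over any allow, so the existing anonymous read ACI no
# longer exposes the two attributes to anyone who is neither an admin nor
# the cifs service.
build_aci_ldif() {
    cat <<EOF
dn: cn=trusts,$SUFFIX
changetype: modify
add: aci
aci: (targetattr = "ipaNTTrustAuthIncoming || ipaNTTrustAuthOutgoing")(version 3.0; acl "Deny trust key read to non-admin, non-cifs binds"; deny (read,search,compare) groupdn != "ldap:///$ADMINS_DN" and userdn != "ldap:///$CIFS_DN";)
EOF
}

# Read an LDIF dump on stdin and print how many lines carry a trust key value
# (the "::" base64 form counts too). 0 means the check passed.
count_leaked_attrs() {
    n=$(grep -ciE '^(ipaNTTrustAuthIncoming|ipaNTTrustAuthOutgoing):' || true)
    echo "${n:-0}"
}

# Anonymous simple bind (no -D/-W): exactly what the attacker would run.
anon_trust_dump() {
    ldapsearch -x -LLL -H "$LDAP_URI" -b "cn=trusts,$SUFFIX" \
        '(objectClass=ipaNTTrustedDomain)' \
        ipaNTTrustAuthIncoming ipaNTTrustAuthOutgoing
}

# Full procedure against a live server: ACI, verification, trust re-creation.
apply_and_verify() {
    build_aci_ldif | ldapmodify -x -H "$LDAP_URI" -D "cn=Directory Manager" -W
    leaked=$(anon_trust_dump | count_leaked_attrs)
    if [ "$leaked" != "0" ]; then
        echo "ACI change did not take effect: $leaked key value(s) still readable" >&2
        return 1
    fi
    # The keys may already have been read; rotate the secret by re-creating
    # the trust (needs an admin Kerberos ticket; prompts for the AD password).
    ipa trust-del "$AD_DOMAIN"
    ipa trust-add --type=ad "$AD_DOMAIN" --admin Administrator --password
}

# Constructed sample dumps standing in for the live search, so the check can
# be exercised offline: before the ACI fix both key attributes are visible,
# afterwards only the entry DN comes back. The values are made-up bytes.
SAMPLE_BEFORE='dn: cn=ad.example.com,cn=ad,cn=trusts,dc=example,dc=com
ipaNTTrustAuthIncoming:: AAECAwQFBgc=
ipaNTTrustAuthOutgoing:: CAkKCwwNDg8=
'
SAMPLE_AFTER='dn: cn=ad.example.com,cn=ad,cn=trusts,dc=example,dc=com
'

case "${1:-demo}" in
    apply) apply_and_verify ;;
    demo)
        echo "leaked before fix: $(printf '%s' "$SAMPLE_BEFORE" | count_leaked_attrs)"
        echo "leaked after fix:  $(printf '%s' "$SAMPLE_AFTER" | count_leaked_attrs)"
        ;;
esac
```

Run it without arguments to exercise the leak check on the constructed samples; run it as `sh script.sh apply` on the IPA server (with Directory Manager credentials for ldapmodify and an admin ticket for the ipa commands) to apply the ACI, confirm from an anonymous bind that nothing leaks, and re-create the trust. Applying the FreeIPA patch instead of a hand-written ACI is preferable where possible, but the anonymous-bind check and the trust re-creation are still needed in both cases, because neither the ACI nor the patch changes a secret that may already have been read.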
A patch to resolve this issue is available through our git repository: http://git.fedorahosted.org/cgit/freeipa.git/commit/?id=d5966bde802d8ef84c202a3e7c85f17b9e305a30
Applying the patch prevents further access to the keys but does NOT change the trust secret; the trust still has to be recreated as described above.