FreeIPA 4.12.4#
The FreeIPA team would like to announce FreeIPA 4.12.4 release!
It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora distributions will be available from the official repository soon.
Highlights in 4.12.4#
CVE-2025-4404
In 2020 the FreeIPA team implemented an enforcement to prevent a local account takeover on IPA-enrolled clients by aliasing the ‘root’ account to the ‘admin’ Kerberos principal so that only administrators can request a Kerberos ticket for the ‘root’ alias. This type of attack was later discovered in Active Directory as well by Samba Team and dubbed ‘Dollar ticket attack’ (https://wiki.samba.org/index.php/Security/Dollar_Ticket_Attack).
The FreeIPA Kerberos implementation enforces uniqueness across Kerberos principals to ensure that a canonical Kerberos principal name and its aliases cannot be assigned twice to different accounts. Newly created user accounts, host machine accounts, and Kerberos service accounts will always have the canonical Kerberos principal name also set as an alias for the same account.
However, as a part of the change in https://pagure.io/freeipa/issue/8326, there was no additional enforcement of the canonical Kerberos principal name for a pre-defined ‘admin’ account. This allowed another authenticated Kerberos principal with privileges to add Kerberos principal aliases to create a canonical name for a controlled service that matched the ‘admin’ account. With additional Kerberos client-side manipulation it became possible to trick a service application into accepting such a ticket as an ‘admin’.
It is not possible to escalate this attack through IPA API due to certain Kerberos protocol extensions enforcement in IPA API endpoint. However, there is a possibility to trick an IPA LDAP server into it directly once a broken configuration was introduced into the IPA deployment.
The fix for CVE-2025-4404 is to enforce the ‘admin’ account’s canonical Kerberos principal name. Additionally, an upgrade code looks at possible compromised Kerberos entries and removes ‘admin’ account aliases from those entries.
We would like to express our gratitude to Mikhail Sukhov (Positive Technologies) for discovering this vulnerability and reporting it to Red Hat Product Security team and the FreeIPA project.
Enhancements#
Known Issues#
Bug fixes#
FreeIPA 4.12.4 is a security fix release.
Details of the bug-fixes can be seen in the list of resolved tickets below.
Upgrading#
Upgrade instructions are available on Upgrade page.
Feedback#
Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/) or #freeipa channel on libera.chat.
Resolved tickets#
#9777 kdb: ipadb_get_connection() succeeds but returns null LDAP context
Detailed changelog since 4.12.3#
Antonio Torres (1)#
Become IPA 4.12.4 commit
Julien Rische (1)#
Rob Crittenden (1)#
Set krbCanonicalName=admin@REALM on the admin user commit