The FreeIPA team would like to announce FreeIPA 4.9.14 release!
It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora distributions will be available from the official repository soon.
Highlights in 4.9.14#
During community penetration testing it was found that for certain HTTP end-points FreeIPA does not ensure CSRF protection. Due to implementation details one cannot use this flaw for reflection of a cookie representing already logged-in user. An attacker would always have to go through a new authentication attempt.
The overall severity of this issue is marked as MODERATE by Red Hat Product Security. FreeIPA team would like to thank Egor Uvarov for discovering and reporting this issue.
Bronze-bit (CVE-2020-17049) mitigation
The Centos 8 Stream/RHEL 8 version of FreeIPA is vulnerable to the Bronze-bit attack (CVE-2020-17049) because MIT Kerberos 1.18 does not implement PAC ticket signature to protect the “forwardable” flag. However, it does implement the PAC extended KDC signature, which protects against PAC spoofing. Based on information available in the PAC and the “ok-to-auth-as-delegate” attribute in the IPA database, it is possible to detect and reject requests where the “forwardable” flag was flipped by the attacker in the evidence ticket.
In order to mitigate Bronze-Bit attack, FreeIPA 4.9.14 implements the logic above through a post-issue TGS request check in Kerberos KDC which is available in MIT Kerberos 1.18. FreeIPA versions compiled against MIT Kerberos 1.20 or later already have proper Bronze-bit mitigation.
FreeIPA 4.9.14 is a security fix release.
Details of the bug-fixes can be seen in the list of resolved tickets below.
Upgrade instructions are available on Upgrade page.
Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://email@example.com/) or #freeipa channel on libera.chat.
Detailed changelog since 4.9.13#
Antonio Torres (1)#
Become IPA 4.9.14 commit
Julien Rische (1)#
ipa-kdb: Detect and block Bronze-Bit attacks commit