CVE-2024-2698

{"id": "CVE-2024-2698", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "secalert@redhat.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2024-06-12T08:15:50.250", "references": [{"url": "https://access.redhat.com/errata/RHSA-2024:3754", "tags": ["Vendor Advisory"], "source": "secalert@redhat.com"}, {"url": "https://access.redhat.com/errata/RHSA-2024:3755", "tags": ["Vendor Advisory"], "source": "secalert@redhat.com"}, {"url": "https://access.redhat.com/errata/RHSA-2024:3757", "tags": ["Vendor Advisory"], "source": "secalert@redhat.com"}, {"url": "https://access.redhat.com/errata/RHSA-2024:3759", "tags": ["Vendor Advisory"], "source": "secalert@redhat.com"}, {"url": "https://access.redhat.com/security/cve/CVE-2024-2698", "tags": ["Vendor Advisory"], "source": "secalert@redhat.com"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2270353", "tags": ["Issue Tracking", "Mitigation", "Vendor Advisory"], "source": "secalert@redhat.com"}, {"url": "https://www.freeipa.org/release-notes/4-12-1.html", "tags": ["Release Notes"], "source": "secalert@redhat.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-863"}]}, {"type": "Secondary", "source": "secalert@redhat.com", "description": [{"lang": "en", "value": "CWE-284"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in FreeIPA in how the initial implementation of MS-SFU by MIT Kerberos was missing a condition for granting the \"forwardable\" flag on S4U2Self tickets. Fixing this mistake required adding a special case for the check_allowed_to_delegate() function: If the target service argument is NULL, then it means the KDC is probing for general constrained delegation rules and not checking a specific S4U2Proxy request.\r\n\r\nIn FreeIPA 4.11.0, the behavior of ipadb_match_acl() was modified to match the changes from upstream MIT Kerberos 1.20. However, a mistake resulting in this mechanism applies in cases where the target service argument is set AND where it is unset. This results in S4U2Proxy requests being accepted regardless of whether or not there is a matching service delegation rule."}, {"lang": "es", "value": "Se encontr\u00f3 una vulnerabilidad en FreeIPA en la que a la implementaci\u00f3n inicial de MS-SFU por parte de MIT Kerberos le faltaba una condici\u00f3n para otorgar el indicador \"reenviable\" en los tickets S4U2Self. Para corregir este error fue necesario agregar un caso especial para la funci\u00f3n check_allowed_to_delegate(): si el argumento del servicio de destino es NULL, entonces significa que el KDC est\u00e1 investigando reglas generales de delegaci\u00f3n restringida y no verificando una solicitud S4U2Proxy espec\u00edfica. En FreeIPA 4.11.0, el comportamiento de ipadb_match_acl() se modific\u00f3 para que coincida con los cambios del MIT Kerberos 1.20. Sin embargo, un error que resulta en este mecanismo se aplica en los casos en los que el argumento del servicio de destino est\u00e1 establecido Y donde no est\u00e1 establecido. Esto da como resultado que las solicitudes S4U2Proxy se acepten independientemente de si existe o no una regla de delegaci\u00f3n de servicios coincidente."}], "lastModified": "2024-10-02T15:15:14.603", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:freeipa:freeipa:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "83FB5CBD-9BCC-46AB-84F9-2848C185E23E", "versionEndExcluding": "4.11.2", "versionStartIncluding": "4.11.0"}, {"criteria": "cpe:2.3:a:freeipa:freeipa:4.12.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4F054F46-E717-43C4-BCA6-A0F12F81C670"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC"}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A"}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943"}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "7F6FB57C-2BC7-487C-96DD-132683AEB35D"}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_eus:8.8:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "62C31522-0A17-4025-B269-855C7F4B45C2"}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_eus:9.2:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "3C74F6FA-FA6C-4648-9079-91446E45EE47"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "secalert@redhat.com"}