CVE-2025-4404

EUVD-2025-18495 | CRITICAL
Published 2025-06-17
CVSS 3.1 base score: 9.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Patch Released: Mar 31, 2026 - 21:13 (nvd), patch available
Analysis Generated: Mar 14, 2026 - 22:15 (vuln.today)
EUVD ID Assigned: Mar 14, 2026 - 22:15 (euvd), EUVD-2025-18495
CVE Published: Jun 17, 2025 - 14:15 (nvd)

Description

A privilege escalation from host to domain vulnerability was found in the FreeIPA project. The FreeIPA package fails to validate the uniqueness of the `krbCanonicalName` for the admin account by default, allowing users to create services with the same canonical name as the REALM admin. When a successful attack happens, the user can retrieve a Kerberos ticket in the name of this service, containing the admin@REALM credential. This flaw allows an attacker to perform administrative tasks over the REALM, leading to access to sensitive data and sensitive data exfiltration.

Analysis

Critical privilege escalation in FreeIPA: an authenticated principal that is allowed to create service entries (rated Privileges Required: High in the CVSS vector) can create a Kerberos service whose canonical name (krbCanonicalName) is the realm administrator's, and then obtain a Kerberos ticket issued as admin@REALM. Default FreeIPA configurations do not enforce uniqueness of this attribute, so the ticket carries the full administrative identity and the attacker can perform unrestricted administrative operations on the realm; this is why the vector is scored Scope: Changed, as a right limited to service creation becomes control of the whole identity domain. With a CVSS 9.1 score and a network-reachable attack surface, this is a severe threat to FreeIPA-based identity infrastructures, particularly where service creation is delegated (for example to host or service administrators) or insufficiently restricted.

Technical Context

FreeIPA is an open-source identity management system built on 389 Directory Server (LDAP), MIT Kerberos, and DNS. Its KDC reads principals from LDAP through the ipadb backend, so a principal's identity is defined by LDAP attributes: krbPrincipalName, which may hold several values (aliases), and the single-valued krbCanonicalName, which is the name the KDC canonicalizes a client to when it issues a ticket. The vulnerability stems from inadequate validation of krbCanonicalName. CWE-1220 (Insufficient Granularity of Access Control) names the root cause: FreeIPA does not enforce uniqueness of this attribute at the schema or application level, so an entry in the services container can carry the same canonical name as the admin user entry. Because the KDC relies on the canonical name to identify the principal it is issuing for, a service entry with krbCanonicalName set to admin@REALM lets whoever holds that service's key receive a ticket whose client principal is admin@REALM. The default configuration performs no such check, so the issue is present in standard deployments. The attack therefore chains two layers: LDAP object creation under insufficient access control, and Kerberos ticket issuance under a canonical-name collision.

Affected Products

FreeIPA with the default configuration, which does not validate krbCanonicalName uniqueness for the admin account; NVD lists the product as freeipa/freeipa (vendor freeipa, product freeipa). Red Hat's packaging of FreeIPA (Identity Management in RHEL) is affected as well. The Debian tracker data below shows bookworm at 4.9.11-1 still vulnerable and trixie fixed at 4.12.4-1; consult the FreeIPA project advisories and Red Hat Security Advisories for the exact fixed versions of other builds. Deployments that already enforce uniqueness of krbCanonicalName at the directory level are protected against new collisions only; such a constraint does not remove entries that already collide.

Remediation

Immediate remediation steps: (1) Apply the FreeIPA upstream fix for krbCanonicalName validation, which enforces the uniqueness constraint at the schema and application layer, by upgrading to a release that carries it. (2) For RHEL Identity Management, apply the Red Hat patches published as RHSA advisories. (3) Until patched, apply compensating controls: enforce uniqueness of krbCanonicalName at the directory server level (389 Directory Server's Attribute Uniqueness plugin can do this; note that it only rejects new duplicates); restrict the permission to create services to trusted administrators; audit existing entries for duplicate canonical names, in particular any entry other than the admin user that claims admin@REALM, and remove unauthorized ones. (4) Track FreeIPA upstream (freeipa.org) and Red Hat (access.redhat.com) for the official fixed versions. (5) Where the deployment allows it, limit which networks can reach the IPA API and LDAP endpoints through which service creation is performed. (6) Review the KDC log (krb5kdc.log) for tickets issued to admin@REALM from unexpected client addresses or outside normal administrative sessions, and alert on them.
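The audit in step (3) is the part of this list that can be done offline against an LDAP export, and the following script is an added example written for this page, not FreeIPA project code. It parses an LDIF dump of principal entries and reports any krbCanonicalName claimed by more than one entry, any entry other than the admin user that claims the admin's canonical name, and (as an assumed FreeIPA invariant) any entry whose canonical name is not also listed among its krbPrincipalName values. The realm EXAMPLE.TEST, the base DN dc=example,dc=test, the entry DNs and the ldapsearch invocation in the docstring are assumptions; the embedded LDIF is constructed.

```python
"""Audit an LDIF export of FreeIPA principals for krbCanonicalName collisions.

Added example, not FreeIPA project code. Feed it the output of an export such
as (assumed invocation; base DN and realm are placeholders):

    ldapsearch -LLL -Y GSSAPI -b cn=accounts,dc=example,dc=test \\
        '(krbCanonicalName=*)' krbPrincipalName krbCanonicalName

The embedded SAMPLE_LDIF is constructed for this example.
"""
import base64
import sys
from collections import defaultdict

# Constructed sample: the realm admin, a host, a legitimate service with an
# alias, and one service entry whose krbCanonicalName was set to admin@REALM
# (base64-encoded here to exercise the "::" path). One DN is folded across two
# lines the way ldapsearch wraps long values.
SAMPLE_LDIF = """\
dn: uid=admin,cn=users,cn=accounts,dc=example,dc=test
krbPrincipalName: admin@EXAMPLE.TEST
krbCanonicalName: admin@EXAMPLE.TEST

dn: fqdn=ws01.example.test,cn=computers,cn=accounts,dc=example,dc=test
krbPrincipalName: host/ws01.example.test@EXAMPLE.TEST
krbCanonicalName: host/ws01.example.test@EXAMPLE.TEST

dn: krbprincipalname=HTTP/web.example.test@EXAMPLE.TEST,cn=services,cn=accounts,
 dc=example,dc=test
krbPrincipalName: HTTP/web.example.test@EXAMPLE.TEST
krbPrincipalName: HTTP/www.example.test@EXAMPLE.TEST
krbCanonicalName: HTTP/web.example.test@EXAMPLE.TEST

dn: krbprincipalname=cifs/ws01.example.test@EXAMPLE.TEST,cn=services,cn=accounts,dc=example,dc=test
krbPrincipalName: cifs/ws01.example.test@EXAMPLE.TEST
krbCanonicalName:: YWRtaW5ARVhBTVBMRS5URVNU
"""

ADMIN_DN = "uid=admin,cn=users,cn=accounts,dc=example,dc=test"  # assumed base DN


def parse_ldif(text):
    """Parse LDIF text into a list of {"dn": str, "attrs": {name: [values]}}.

    Handles folded continuation lines (leading space) and base64 values ("::").
    Attribute names are lower-cased because LDAP treats them case-insensitively.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]  # continuation of the previous line
        else:
            unfolded.append(raw)

    entries, current = [], None
    for line in unfolded + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if current is not None:
                entries.append(current)
            current = None
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        name = name.strip().lower()
        if name == "dn":
            current = {"dn": value, "attrs": defaultdict(list)}
        elif current is not None:
            current["attrs"][name].append(value)
    return entries


def audit(entries, admin_dn, admin_principal=None):
    """Return findings as (kind, dn, detail) tuples.

    collision   : the same krbCanonicalName is claimed by more than one entry
    admin-spoof : an entry other than admin_dn carries the admin's canonical name
    not-alias   : krbCanonicalName is not one of the entry's krbPrincipalName
                  values (assumption: FreeIPA normally lists the canonical name
                  among the aliases, so a mismatch is an anomaly worth review)

    admin_principal lets the caller name the admin's canonical name when the
    export does not include the admin entry itself (e.g. a services-only dump).
    Comparison is case-insensitive: Kerberos compares principal names
    case-sensitively, but a case variant of the admin name is still suspicious.
    """
    findings = []
    claimants = defaultdict(list)  # lower-cased canonical name -> [dn, ...]
    admin_canon = admin_principal.lower() if admin_principal else None
    for e in entries:
        canon = e["attrs"].get("krbcanonicalname")
        if not canon:
            continue
        canon = canon[0]
        claimants[canon.lower()].append(e["dn"])
        if e["dn"].lower() == admin_dn.lower():
            admin_canon = canon.lower()
        aliases = {v.lower() for v in e["attrs"].get("krbprincipalname", [])}
        if canon.lower() not in aliases:
            findings.append(("not-alias", e["dn"], canon))
    for canon, dns in claimants.items():
        if len(dns) > 1:
            findings.append(("collision", dns[0], f"{canon} also on: {', '.join(dns[1:])}"))
    if admin_canon is not None:
        for dn in claimants[admin_canon]:
            if dn.lower() != admin_dn.lower():
                findings.append(("admin-spoof", dn, admin_canon))
    return findings


def run_sample():
    """Audit the constructed sample; used by __main__ and as a self-check."""
    return audit(parse_ldif(SAMPLE_LDIF), ADMIN_DN)


if __name__ == "__main__":
    # Pass an LDIF file as the first argument to audit a real export.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    for kind, dn, detail in audit(parse_ldif(text), ADMIN_DN):
        print(f"{kind:12} {dn}\n{'':12} {detail}")
```

Against a live server, save the ldapsearch output to a file and pass it as the first argument; on the constructed sample the script reports the cifs service entry three times (canonical name not among its aliases, collision with the admin entry, and admin-spoof). A directory-level uniqueness constraint only rejects new duplicates and does nothing about entries that already exist, which is why the audit comes first and why any flagged service entry should be removed before the KDC can canonicalize its holder to admin@REALM.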

Priority Score

46 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.1
CVSS: +46
POC: 0

Vendor Status

Ubuntu

Priority: Medium
Package: freeipa

Release    Status        Version
trusty     needs-triage  -
xenial     needs-triage  -
bionic     needs-triage  -
focal      needs-triage  -
jammy      needs-triage  -
noble      needs-triage  -
upstream   needs-triage  -
plucky     ignored       end of life, was needs-triage
oracular   ignored       end of life, was needs-triage
questing   needs-triage  -

Debian

Bug #1108050
Package: freeipa

Release      Status      Version    Urgency
bookworm     vulnerable  4.9.11-1   -
trixie       fixed       4.12.4-1   -
forky, sid   fixed       4.13.1-1   -
(unstable)   fixed       4.12.4-1   unimportant


CVE-2025-4404 vulnerability details – vuln.today
