CVE-2024-3183

8.1 HIGH

📋 TL;DR

This FreeIPA vulnerability is a Kerberoasting variant: any authenticated principal can ask the KDC for service tickets issued to other user principals. Each such ticket is encrypted with the target user's long-term key, which is derived from that user's password and a salt the KDC discloses during pre-authentication, so the attacker can brute-force the password offline with no further interaction with the KDC and no lockout. Every FreeIPA deployment is affected, since Kerberos is FreeIPA's authentication core. The risk is highest where passwords are short or predictable, or where RC4 keys are still issued.

💻 Affected Systems

Products:
  • FreeIPA
Versions: All versions before 4.11.2, 4.10.7, 4.9.13
Operating Systems: Red Hat Enterprise Linux, CentOS, Fedora, Other Linux distributions with FreeIPA
Default Config Vulnerable: ⚠️ Yes
Notes: Every FreeIPA deployment is affected; there is no configuration that avoids the issue on an unpatched server. The weakness is in the FreeIPA KDC issuing service tickets for user principals, whose keys are password-derived. Distribution packages (ipa-* on RHEL/CentOS, freeipa-* on Fedora) backport the fix without changing the upstream version string, so confirm the fixed version for your branch and distribution in the vendor advisory and the package changelog rather than relying on the version number alone.

📦 What is this software?

FreeIPA is an open-source identity management system for Linux. It bundles a 389 Directory Server (LDAP), an MIT Kerberos KDC, optional integrated DNS and a Dogtag certificate authority behind the ipa CLI and a web UI, and is the upstream of Red Hat Identity Management (IdM). Every user, host and service in the realm is a Kerberos principal, so a flaw in how the KDC issues tickets reaches the whole domain.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Offline recovery of the password of an admins-group member gives full control of the realm (user, host, service and CA management), followed by lateral movement to every enrolled host and data exfiltration.

🟠

Likely Case

An attacker holding any low-privilege principal harvests tickets for chosen high-value users and cracks the weakest passwords among them offline.

🟢

If Mitigated

Limited impact: long, high-entropy passwords and AES-only keys make offline cracking impractical within the password lifetime, and KDC log monitoring exposes the ticket-harvesting phase, which is the only part of the attack the server can see.

🌐 Internet-Facing: MEDIUM - Requires a valid principal in the realm (any low-privileged user or a stolen keytab is enough), so an externally reachable KDC is exploitable by anyone who phishes or obtains one account.
🏢 Internal Only: HIGH - Internal attackers with principal access can escalate privileges across the domain.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires a valid principal (any user or service account) to request the tickets; everything after that is offline, so neither lockout nor rate limiting applies. Cracking cost is set by the target's password entropy and key type: RC4 (arcfour-hmac) keys crack orders of magnitude faster than AES keys, which use salted PBKDF2.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: FreeIPA 4.11.2, 4.10.7, 4.9.13 or later

Vendor Advisory: https://access.redhat.com/errata/RHSA-2024:3754

Restart Required: Yes

Instructions:

1. Update the IPA server packages on every server and replica (each replica runs its own KDC, so all of them need the fix). On RHEL/CentOS the packages are named ipa-*, not freeipa-*: 'dnf update ipa-*' (or 'yum update ipa-*' on older releases). On Fedora: 'dnf update freeipa-*'.
2. Restart the IPA services on each server: 'ipactl restart' (equivalently 'systemctl restart ipa').
3. Confirm the fix is present in the installed package; distribution builds backport it without bumping the upstream version: 'rpm -q --changelog ipa-server | grep -i CVE-2024-3183' (on Fedora, 'freeipa-server').

🔧 Temporary Workarounds

Enforce Strong Password Policies

linux

Raise the minimum password length and character classes so that offline cracking of a captured ticket is computationally infeasible. Note that the lockout settings (--maxfail, --failinterval, --lockouttime) only slow online guessing against the KDC; they do nothing against offline cracking, because the attacker never contacts the KDC again after harvesting tickets. Also keep RC4 disabled for user keys; AES keys are far more expensive to brute-force. Running pwpolicy-mod without a group name changes global_policy; group policies with a lower priority number override it, so check 'ipa pwpolicy-find' for exceptions.

ipa pwpolicy-mod --minlength=14 --minclasses=4 --maxfail=3 --failinterval=300 --lockouttime=900

Limit Principal Access

linux

Every enabled user principal is a crackable target, so concentrate on the accounts whose recovery would hurt most: enumerate members of the admins group and make sure their passwords are long and recently rotated, and disable stale or unused accounts with 'ipa user-disable LOGIN' so their (often old and weak) passwords cannot be harvested.

ipa group-show admins
ipa user-find --pkey-only --raw | awk '/uid:/ {print $2}'

🧯 If You Can't Patch

  • Segment the network so that only enrolled hosts can reach the KDC (port 88) and limit lateral movement from any host whose account is cracked
  • Monitor /var/log/krb5kdc.log on every server for one principal obtaining TGS tickets for many distinct user principals; that harvesting burst is the only server-visible stage of the attack
  • Rotate the passwords of admins-group members and service accounts with human-chosen passwords, since tickets already harvested remain crackable offline

🔍 How to Verify

Check if Vulnerable:

Check the FreeIPA version: 'ipa --version' or 'rpm -q ipa-server' (RHEL/CentOS; 'rpm -q freeipa-server' on Fedora). Upstream versions below those listed under Affected Systems are vulnerable. Distribution packages backport the fix without changing the upstream version, so on RHEL/CentOS the authoritative check is the package changelog: 'rpm -q --changelog ipa-server | grep -i CVE-2024-3183' (no output means the fix is absent). Run the check on every replica.

Check Version:

ipa --version

Verify Fix Applied:

Confirm the update: 'ipa --version' should report a fixed upstream release, or on distributions that backport, 'rpm -q --changelog ipa-server | grep -i CVE-2024-3183' should print the fix entry. Verify the KDC and directory server came back after the restart: 'ipactl status' (or 'systemctl status ipa').

📡 Detection & Monitoring

Log Indicators:

  • One principal obtaining TGS tickets for many distinct user principals in a short window: krb5kdc.log lines of the form "TGS_REQ ... ISSUE: ... alice@REALM for bob@REALM" where the target has no '/' and is therefore a user, not a service
  • Tickets issued with tkt=23 (RC4) in a realm that otherwise negotiates AES, since attackers prefer RC4 keys for faster cracking
  • Successful logins for users whose tickets were harvested, from new source addresses (the cracked password being used)

Network Indicators:

  • A burst of TGS-REQ/TGS-REP exchanges on port 88 (TCP or UDP) from one host, each naming a different user principal
  • TGS-REQs whose offered encryption-type list is restricted to 23 (RC4) while the realm's clients normally offer AES first

SIEM Query:

source="/var/log/krb5kdc.log" "TGS_REQ" "ISSUE:" | rex "(?<requester>\S+@\S+) for (?<target>\S+@\S+)$" | where NOT like(target, "%/%") AND requester!=target | stats dc(target) AS user_targets, values(target) AS targets by requester | where user_targets > 5
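The same detection logic as a stand-alone script over the KDC log, as an added example (not FreeIPA project code and not a vendor detection rule): it parses the MIT krb5kdc "ISSUE" lines that a FreeIPA server writes to /var/log/krb5kdc.log, keeps only tickets issued for user principals other than the requester, and reports any requester that reached a threshold of distinct user targets, together with how many of those tickets were RC4-encrypted. The threshold, the host and principal names, and the log lines are constructed assumptions; the line shape is the MIT KDC's standard ISSUE format.

```python
"""Flag principals that harvest service tickets for many user principals,
the ticket-request phase of CVE-2024-3183 (Kerberoasting of FreeIPA users).

Added example, not FreeIPA project code. The sample log lines, threshold and
names below are constructed; the line format is the MIT KDC's ISSUE format.
"""
import re
from collections import defaultdict

# One ISSUE line per ticket the KDC grants. "tkt=" is the encryption type of
# the target principal's key, i.e. what an offline cracker has to brute-force.
TGS_ISSUE = re.compile(
    r"TGS_REQ \(.*?\) (?P<src>\S+): ISSUE: authtime \d+, "
    r"etypes \{rep=\d+ tkt=(?P<tkt>\d+) ses=\d+\}, "
    r"(?P<requester>\S+) for (?P<target>\S+)\s*$"
)
RC4_HMAC = 23  # arcfour-hmac: unsalted MD4 of the password, cheap to crack


def is_user_principal(principal: str) -> bool:
    """Service principals carry a component separator (HTTP/host@REALM);
    a user principal has no '/' before the realm."""
    return "/" not in principal.split("@", 1)[0]


def parse_tgs_issues(lines):
    """Yield a dict per TGS ISSUE line; AS_REQ and other KDC lines are skipped."""
    for line in lines:
        m = TGS_ISSUE.search(line)
        if m:
            yield m.groupdict()


def find_harvesters(lines, threshold=5):
    """Return {requester: summary} for requesters that obtained tickets for
    at least `threshold` distinct user principals other than themselves."""
    targets = defaultdict(set)
    sources = defaultdict(set)
    rc4_count = defaultdict(int)
    for ev in parse_tgs_issues(lines):
        target, requester = ev["target"], ev["requester"]
        # Tickets for services (HTTP/, ldap/, host/) are normal traffic, and a
        # ticket for oneself is encrypted with a key the requester already has.
        if not is_user_principal(target) or target == requester:
            continue
        targets[requester].add(target)
        sources[requester].add(ev["src"])
        if int(ev["tkt"]) == RC4_HMAC:
            rc4_count[requester] += 1
    return {
        req: {
            "targets": sorted(tgts),
            "sources": sorted(sources[req]),
            "rc4_tickets": rc4_count[req],
        }
        for req, tgts in targets.items()
        if len(tgts) >= threshold
    }


# Constructed sample (not a real capture): alice does normal work; "mallory"
# is a low-privilege account sweeping user principals from one host.
SAMPLE_LOG = """\
Jun 10 12:00:01 ipa.example.com krb5kdc[1234](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.0.2.10: ISSUE: authtime 1718020801, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Jun 10 12:00:02 ipa.example.com krb5kdc[1234](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.0.2.10: ISSUE: authtime 1718020801, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.COM for HTTP/ipa.example.com@EXAMPLE.COM
Jun 10 12:00:03 ipa.example.com krb5kdc[1234](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.0.2.10: ISSUE: authtime 1718020801, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.COM for ldap/ipa.example.com@EXAMPLE.COM
Jun 10 12:05:10 ipa.example.com krb5kdc[1234](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 198.51.100.7: ISSUE: authtime 1718021100, etypes {rep=18 tkt=18 ses=18}, mallory@EXAMPLE.COM for bob@EXAMPLE.COM
Jun 10 12:05:10 ipa.example.com krb5kdc[1234](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 198.51.100.7: ISSUE: authtime 1718021100, etypes {rep=18 tkt=23 ses=18}, mallory@EXAMPLE.COM for carol@EXAMPLE.COM
Jun 10 12:05:11 ipa.example.com krb5kdc[1234](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 198.51.100.7: ISSUE: authtime 1718021100, etypes {rep=18 tkt=18 ses=18}, mallory@EXAMPLE.COM for dave@EXAMPLE.COM
Jun 10 12:05:11 ipa.example.com krb5kdc[1234](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 198.51.100.7: ISSUE: authtime 1718021100, etypes {rep=18 tkt=23 ses=18}, mallory@EXAMPLE.COM for erin@EXAMPLE.COM
Jun 10 12:05:12 ipa.example.com krb5kdc[1234](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 198.51.100.7: ISSUE: authtime 1718021100, etypes {rep=18 tkt=18 ses=18}, mallory@EXAMPLE.COM for frank@EXAMPLE.COM
Jun 10 12:05:12 ipa.example.com krb5kdc[1234](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 198.51.100.7: ISSUE: authtime 1718021100, etypes {rep=18 tkt=18 ses=18}, mallory@EXAMPLE.COM for mallory@EXAMPLE.COM
Jun 10 12:06:00 ipa.example.com krb5kdc[1234](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 198.51.100.7: ISSUE: authtime 1718021100, etypes {rep=18 tkt=18 ses=18}, mallory@EXAMPLE.COM for admin@EXAMPLE.COM
"""


def sample_alerts():
    """Run the detector over the constructed sample; only mallory trips it."""
    return find_harvesters(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for requester, info in sample_alerts().items():
        print(f"{requester} from {info['sources']}: {len(info['targets'])} user "
              f"principals, {info['rc4_tickets']} RC4 tickets: {info['targets']}")
```

Point find_harvesters at the real file (open("/var/log/krb5kdc.log")) on each replica, since every replica issues its own tickets and logs locally. The threshold should sit just above what legitimate software in your environment does; normal clients request tickets for services (names with a '/'), so almost any count of distinct user targets from one requester is suspicious.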

🔗 References

  • Red Hat advisory RHSA-2024:3754: https://access.redhat.com/errata/RHSA-2024:3754
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2024-3183
