freeipa

Clone
Source Code
GIT

2e1132a kdb: fix vulnerability in GCD rules handling

3 files Authored by jrische 18 days ago, Committed by antorres 18 days ago,
raw patch tree parent
3 files changed. 136 lines added. 92 lines removed.
daemons/ipa-kdb/README.s4u2proxy.txt
file modified
+14 -5
daemons/ipa-kdb/ipa_kdb_delegation.c
file modified
+104 -87
doc/designs/rbcd.md
file modified
+18 -0 
    kdb: fix vulnerability in GCD rules handling
    
    The initial implementation of MS-SFU by MIT Kerberos was missing a
    condition for granting the "forwardable" flag on S4U2Self tickets.
    Fixing this mistake required adding special case for the
    check_allowed_to_delegate() function: if the target service argument is
    NULL, then it means the KDC is probing for general constrained
    delegation rules, not actually checking a specific S4U2Proxy request.
    
    In commit e86807b5, the behavior of ipadb_match_acl() was modified to
    match the changes from upstream MIT Kerberos a441fbe3. However, a
    mistake resulted in this mechanism to apply in cases where target
    service argument is set AND unset. This results in S4U2Proxy requests to
    be accepted regardless of the fact there is a matching service
    delegation rule or not.
    
    This vulnerability does not affect services having RBCD (resource-based
    constrained delegation) rules.
    
    This fixes CVE-2024-2698
    
    Signed-off-by: Julien Rische <jrische@redhat.com>
file modified
+14 -5
file modified
+104 -87
file modified
+18 -0
Powered by Pagure 5.14.1
DocumentationFile an IssueAboutSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.