CVE-2024-2698: 
NixOS vulnerability analysis and mitigation

CVE-2024-2698 is a security vulnerability discovered in FreeIPA affecting versions from 4.11.0 up to (excluding) 4.11.2 and version 4.12.0. The vulnerability was discovered by Josh Whiteside and relates to how the initial implementation of MS-SFU by MIT Kerberos was missing a condition for granting the 'forwardable' flag on S4U2Self tickets (FreeIPA Release Notes).

The vulnerability stems from a modification in FreeIPA 4.11.0's ipadbmatchacl() behavior to match changes from upstream MIT Kerberos 1.20. A mistake in implementation caused the mechanism to apply in cases where the target service argument is both set AND unset, resulting in S4U2Proxy requests being accepted regardless of whether there is a matching service delegation rule (FreeIPA Release Notes). The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability allows an attacker, after compromising a service that is a proxy in at least one delegation rule, to impersonate any user against any service that is not a target service in one of its delegation rules. For example, if an attacker compromises a server with a delegation rule to an NFS server, they could impersonate a domain administrator against a FreeIPA server, potentially compromising the entire domain. However, default FreeIPA deployments are not affected as services with delegation rules are on IPA servers themselves (FreeIPA Release Notes, Bugzilla).

The vulnerability has been fixed in FreeIPA versions 4.11.2 and 4.12.1. Red Hat has released security updates for affected versions through multiple security advisories including RHSA-2024:3754, RHSA-2024:3755, RHSA-2024:3757, and RHSA-2024:3759 (Red Hat Security).