FreeIPA · FreeIPA · CVE-2024-2698
**Name of the Vulnerable Software and Affected Versions**
FreeIPA 4.11.0. The defect was introduced by a change to ipadb_match_acl() in 4.11.0, so earlier releases do not contain it.
**Description**
Kerberos constrained delegation (MS-SFU S4U2Proxy) lets a service obtain a ticket to a second service on behalf of a user, and the KDC must issue such a ticket only when a delegation rule permits that proxy/target pair. The initial implementation of MS-SFU in MIT Kerberos was missing a condition for granting the "forwardable" flag on S4U2Self tickets. MIT Kerberos 1.20 corrected this, and as part of that change the KDC calls the KDB module's check_allowed_to_delegate() hook with a NULL target service to probe whether the requesting service holds any constrained delegation rule at all; this probe is distinct from the later call that names the actual target of an S4U2Proxy request, and the hook needs a special case to tell the two apart. FreeIPA 4.11.0 modified ipadb_match_acl(), its implementation of that hook, to follow the MIT Kerberos 1.20 behaviour, but the handling intended for the NULL-target probe was applied whether the target service argument was set or not. As a result, S4U2Proxy requests are accepted regardless of whether a matching service delegation rule exists: a service holding a user's evidence ticket (for example one obtained through S4U2Self) can be issued tickets in that user's name to services it was never permitted to delegate to.
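The distinction the description turns on, between the KDC probing for "any delegation rule" with a NULL target and the KDC authorizing a concrete S4U2Proxy target, is easy to see in a small model. The following is an added illustration, not FreeIPA's ipa-kdb code: the function names, the rule table and the principal names are all hypothetical, and the exact shape of the original condition is not reproduced. It places a check that conflates the two cases beside one that keeps them separate.

```python
"""Model of the probe-vs-enforce logic in a KDB constrained-delegation check.

Hypothetical illustration, not FreeIPA's ipadb_match_acl() code.  The KDC
calls the delegation check in two situations: with no target service (a probe,
"does this service hold any delegation rule?", which MIT Kerberos 1.20 uses to
decide the forwardable flag on an S4U2Self ticket) and with a concrete target
service (the real S4U2Proxy authorization).  The defect modelled below is that
the probe answer is returned in both situations.
"""

from typing import AbstractSet, Callable, Mapping, Optional

Rules = Mapping[str, AbstractSet[str]]

# Constructed sample (hypothetical principals): proxy service -> allowed targets.
RULES: Rules = {
    "HTTP/web.example.test@EXAMPLE.TEST": {"ldap/ds.example.test@EXAMPLE.TEST"},
}


def match_acl_vulnerable(rules: Rules, proxy: str, target: Optional[str]) -> bool:
    """Defective shape: `target` is never consulted.

    The branch was meant to answer only the NULL-target probe, but it runs for
    every call, so an S4U2Proxy request to any target succeeds as soon as the
    proxy service holds at least one rule.
    """
    has_any_rule = len(rules.get(proxy, frozenset())) > 0
    if has_any_rule:
        return True
    return False


def match_acl_fixed(rules: Rules, proxy: str, target: Optional[str]) -> bool:
    """Corrected shape: the probe and the enforcement are distinct cases."""
    targets = rules.get(proxy, frozenset())
    if target is None:
        # Probe: the KDC only asks whether delegation is configured at all.
        return len(targets) > 0
    # Enforcement: the concrete target must be listed for this proxy.
    return target in targets


def s4u2proxy_decision(check: Callable[[Rules, str, Optional[str]], bool],
                       rules: Rules, proxy: str, target: str) -> str:
    """Run one S4U2Proxy authorization through `check` and label the outcome."""
    return "ISSUE" if check(rules, proxy, target) else "DENY"


if __name__ == "__main__":
    proxy = "HTTP/web.example.test@EXAMPLE.TEST"
    rogue_target = "cifs/files.example.test@EXAMPLE.TEST"  # no rule covers it
    for name, check in (("vulnerable", match_acl_vulnerable),
                        ("fixed", match_acl_fixed)):
        print(f"{name:10s} S4U2Proxy {proxy} -> {rogue_target}: "
              f"{s4u2proxy_decision(check, RULES, proxy, rogue_target)}")
```

Both checks give the same answer to the probe and to a request for a target that a rule covers; they differ only for the request that matters, a target no rule lists, which the conflated version issues and the corrected version denies.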
**Recommendations**
Upgrade FreeIPA 4.11.0 to a release that contains the fix for CVE-2024-2698. The fix restores the special case in ipadb_match_acl() so that a call with a NULL target service is treated as the KDC's probe for general delegation rules, while an S4U2Proxy request naming a concrete target is accepted only when a matching service delegation rule exists. Apply the update on every IPA server, since each replica's KDC evaluates the check independently. There is no configuration-level workaround: ipadb_match_acl() is the KDC's delegation check itself, and it cannot be "restricted" from outside the KDB module. Until the update is in place, review the existing rules with `ipa servicedelegationrule-find` and `ipa servicedelegationtarget-find` so that the intended delegation paths are known, and treat any ticket issued through S4U2Proxy to a target outside those rules as a sign of abuse.