Mikhail Sukhov

**Name of the Vulnerable Software and Affected Versions** FreeIPA (affected versions not specified) **Description** A privilege escalation from host to domain issue was found in the FreeIPA project. The FreeIPA package fails to validate the uniqueness of the `krbCanonicalName` for the admin account by default, allowing users to create services with the same canonical name as the REALM admin. When a successful attack happens, the user can retrieve a Kerberos ticket in the name of this service, containing the admin@REALM credential. This flaw allows an attacker to perform administrative tasks over the REALM, leading to access to sensitive data and sensitive data exfiltration. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** FreeIPA versions prior to 4.12.2 **Description** A vulnerability was found in FreeIPA where a Kerberos TGS-REQ is encrypted using the client's session key. However, the ticket it contains is encrypted using the target principal key directly. For user principals, this key is a hash of a public per-principal randomly-generated salt and the user's password. If a principal is compromised, an attacker could retrieve tickets encrypted to any principal and run brute force attacks to find character strings able to decrypt tickets when combined to a principal salt, potentially finding the principal's password. **Recommendations** Update to FreeIPA version 4.12.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the Kerberos TGS-REQ encryption process to minimize the risk of exploitation. Additionally, ensure that all user passwords are complex and unique to prevent brute force attacks.