Behind The Screen
Security

Vulnerability In FreeIPA System Could Expose User Credentials

August 23, 2022
Latest Hacking News

A severe security vulnerability in the FreeIPA identity management system could expose user credentials. An adversary exploiting it could read sensitive files from the server.

FreeIPA System Vulnerability

Security researcher Egor Dimitrenko of PT Swarm discovered a severe vulnerability in FreeIPA that allows XML external entity (XXE) attacks.

FreeIPA is an open-source identity management system sponsored by Red Hat; the name stands for Identity, Policy, and Audit. It provides centralized identity, policy and audit services for Linux and Unix environments and can integrate with Windows and macOS systems.

According to Red Hat's advisory, the vulnerability lies in the pki-core package, which packages the Dogtag certificate system that FreeIPA uses as its certificate authority. As stated,

A flaw was found in pki-core. Access to external entities when parsing XML documents can lead to XML external entity (XXE) attacks.

This vulnerability, tracked as CVE-2022-2414, received an Important severity rating from Red Hat with a CVSS base score of 7.5. An adversary could exploit it to read arbitrary files from the server by sending maliciously crafted HTTP requests whose XML body carries a DOCTYPE that declares an external entity.

Depending on the parser and the deployment, XXE flaws can also be turned into server-side request forgery or denial of service; remote code execution through XXE is rare and requires unusual parser configurations.
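As an added example (not code from Dogtag, pki-core, or the advisory), the following Python block reproduces the bug class with the standard library's xml.sax parser, which is built on expat and stands in here for the Java parser in pki-core. The vulnerable function switches external general entities on (Python has kept them off by default since 3.7.1, so the switch models an unpatched parser), feeds it a constructed request whose DTD declares an entity pointing at a constructed local file, and shows the file's contents coming back as element text. The hardened function keeps entities off and, following the approach defusedxml takes, aborts on any DOCTYPE. The file, its contents, and the names NoDTDExpatParser and DTDForbidden are assumptions made for this example.

```python
# Added example (not Dogtag/pki-core or advisory code): the XXE pattern behind
# CVE-2022-2414 reproduced with Python's stdlib xml.sax (expat), next to a parser
# hardened the way defusedxml hardens it: reject any DOCTYPE.
# Assumptions: the secret file and the request body are constructed here;
# NoDTDExpatParser and DTDForbidden are hypothetical names defined below.
import io
import os
import tempfile
import xml.sax
from xml.sax.expatreader import ExpatParser
from xml.sax.handler import feature_external_ges


class _TextCollector(xml.sax.ContentHandler):
    """Collects the character data the parser delivers, so we can see
    whether the &xxe; reference was expanded into file contents."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, data):
        self.chunks.append(data)

    def text(self):
        return "".join(self.chunks).strip()


class DTDForbidden(ValueError):
    """Raised by the hardened parser when the document carries a DOCTYPE."""


class NoDTDExpatParser(ExpatParser):
    """SAX parser that aborts as soon as expat reports a <!DOCTYPE ...>.
    Without a DTD there is nowhere to declare an entity, so XXE (and the
    'billion laughs' entity-expansion DoS) cannot happen."""

    def reset(self):
        super().reset()
        # expat invokes this before any entity declared in the DTD is used.
        self._parser.StartDoctypeDeclHandler = self._reject_dtd

    def _reject_dtd(self, name, sysid, pubid, has_internal_subset):
        raise DTDForbidden(f"DOCTYPE {name!r} is not allowed in requests")


def xxe_request(path):
    """Constructed attacker request: the DTD declares an external entity that
    points at a local file, and the body references it in element content."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE request [ <!ENTITY xxe SYSTEM "file://{path}"> ]>\n'
        "<request><name>&xxe;</name></request>"
    ).encode()


def parse_vulnerable(body):
    """Vulnerable parse: external general entities enabled. Python disables
    them by default since 3.7.1; turning them on models a parser that
    resolves SYSTEM entities, as pki-core did before the fix."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, True)  # the unsafe setting
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(body))
    return collector.text()


def parse_hardened(body):
    """Hardened parse: entities stay off and any DOCTYPE aborts the parse."""
    parser = NoDTDExpatParser()
    parser.setFeature(feature_external_ges, False)
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(body))
    return collector.text()


def demo():
    """Returns (text the vulnerable parser leaked, whether the hardened
    parser refused the same request)."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = os.path.join(tmp, "password.conf")
        with open(secret, "w") as f:
            f.write("dm_password=hunter2\n")  # constructed stand-in for a config file
        body = xxe_request(secret)
        leaked = parse_vulnerable(body)
        try:
            parse_hardened(body)
            refused = False
        except DTDForbidden:
            refused = True
    return leaked, refused


if __name__ == "__main__":
    leaked, refused = demo()
    print("vulnerable parser returned:", leaked)
    print("hardened parser refused request:", refused)
```

demo() returns the leaked line and True for the hardened parser. Refusing DOCTYPE outright is the usual hardening because it removes both XXE and entity-expansion denial of service in one step; it is only an option where the application never legitimately needs a DTD in request bodies, which is why the real fix has to be made inside the parsing code of pki-core rather than by a configuration switch.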

Red Hat confirmed that the vulnerability affects Red Hat Enterprise Linux (RHEL) releases from RHEL 6 onwards and that there is no mitigation or workaround. It has released updated pki-core packages for the supported RHEL releases, whereas RHEL 6 is out of support scope.

Commenting on the bug, Dimitrenko told The Daily Swig that exploiting it is trivial because it requires no credentials; an adversary merely needs an "accessible endpoint" to trigger the exploit.

Elaborating on the vulnerable component, Dogtag (the certificate system), the researcher said,

DogTag can be used as a PKI service for any project, but it’s well known as a part of FreeIPA system. Since DogTag is integrated into FreeIPA, FreeIPA is vulnerable if still unpatched.

Moreover, the researcher explained that real-world exploitation of this issue could allow an attacker to read the Directory Manager password from the FreeIPA configuration. The Directory Manager is the superuser account of the 389 Directory Server that stores FreeIPA's users, groups, and Kerberos data, so with that password the attacker could take control of the entire targeted infrastructure.

🐳 Red Hat fixed an Unauth XXE (CVE-2022-2414) in FreeIPA found by our researcher @elk0kc.

In some cases, it allows attackers to read the Directory Manager password from the config of FreeIPA and take full control of the infrastructure.

Advisory: https://t.co/kDh7uEdO9j pic.twitter.com/Y1L13kq8HO

— PT SWARM (@ptswarm) August 17, 2022

Since there are no workarounds, administrators should apply the patched pki-core packages for their RHEL release as soon as possible.


© 2025 behindthescreen.uk - All rights reserved.
