A severe security vulnerability existed in the identity management system FreeIPA that would expose user credentials. Exploiting the vulnerability could allow an adversary to access sensitive data.
FreeIPA System Vulnerability
Security researcher Egor Dimitrenko from PT Swarm discovered a severe vulnerability in Free IPA that would allow external entity XML external entity (XXE) attacks.
FreeIPA is an open-source identity management system from Red Hat. It offers Free Identity, Policy, and Audit (IPA) features for Linux, Unix, Windows, and macOS systems.
According to Red Hat’s advisory, the vulnerability existed in the pki-core package, leading to XXE attacks. As stated,
A flaw was found in pki-core. Access to external entities when parsing XML documents can lead to XML external entity (XXE) attacks.
This vulnerability, CVE-2022-2414, received an important-severity rating with a CVSS score of 7.5. An adversary could exploit the bug to access arbitrary files by sending maliciously crafted HTTP requests.
In worst-case exploitations, such XXE attacks may also allow remote code execution.
Red Hat confirmed that this vulnerability affects Red Hat Enterprise Linux (RHEL) versions 6 to 10. Also, the flaw has no mitigations or workarounds. Nonetheless, they have quickly addressed the issue, releasing the patch with the updated pki-core packages for RHEL to 10, whereas RHEL 6 is out of scope.
Commenting more about the bug, Dimitrenko told The Daily Swig that exploiting the bug is trivial as it requires no credentials. Instead, an adversary merely needs an “accessible endpoint” to trigger the exploit.
Besides, elaborating on the vulnerable component DogTag – the certification system, the researcher said,
DogTag can be used as a PKI service for any project, but it’s well known as a part of FreeIPA system. Since DogTag is integrated into FreeIPA, FreeIPA is vulnerable if still unpatched.
Moreover, the researcher explained that real-world exploits of this issue could allow an attacker to read the Directory Manager password from the FreeIPA config. Thus, the attacker could take control of the entire targeted infrastructure.
🐳 Red Hat fixed an Unauth XXE (CVE-2022-2414) in FreeIPA found by our researcher @elk0kc.
In some cases, it allows attackers to read the Directory Manager password from the config of FreeIPA and take full control of the infrastructure.
Advisory: https://t.co/kDh7uEdO9j pic.twitter.com/Y1L13kq8HO
— PT SWARM (@ptswarm) August 17, 2022
To avoid any risks, mainly given that there are no workarounds, users must ensure updating their systems to the patched RHEL releases at the earliest.
Let us know your thoughts in the comments.