ALT-PU-2025-8155-2
Closed vulnerabilities
Published: 2025-06-17
Modified: 2025-07-29
Modified: 2025-07-29
CVE-2025-4404
A privilege escalation from host to domain vulnerability was found in the FreeIPA project. The FreeIPA package fails to validate the uniqueness of the `krbCanonicalName` for the admin account by default, allowing users to create services with the same canonical name as the REALM admin. When a successful attack happens, the user can retrieve a Kerberos ticket in the name of this service, containing the admin@REALM credential. This flaw allows an attacker to perform administrative tasks over the REALM, leading to access to sensitive data and sensitive data exfiltration.
Severity: CRITICAL (9.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
References:
- https://access.redhat.com/errata/RHSA-2025:9184
- https://access.redhat.com/errata/RHSA-2025:9185
- https://access.redhat.com/errata/RHSA-2025:9186
- https://access.redhat.com/errata/RHSA-2025:9187
- https://access.redhat.com/errata/RHSA-2025:9188
- https://access.redhat.com/errata/RHSA-2025:9189
- https://access.redhat.com/errata/RHSA-2025:9190
- https://access.redhat.com/errata/RHSA-2025:9191
- https://access.redhat.com/errata/RHSA-2025:9192
- https://access.redhat.com/errata/RHSA-2025:9193
- https://access.redhat.com/errata/RHSA-2025:9194
- https://access.redhat.com/security/cve/CVE-2025-4404
- https://bugzilla.redhat.com/show_bug.cgi?id=2364606
- https://pagure.io/freeipa/c/6b9400c135ed16b10057b350cc9ce42aa0e862d4
- https://pagure.io/freeipa/c/796ed20092d554ee0c9e23295e346ec1e8a0bf6e