Vulnerability in FreeIPA Open Source Identity Management System Could Lead to XXE Attacks

Jessica Haworth Aug 18, 2022 at 15:38 UTC

Updated: September 05, 2022 at 10:32 UTC

Attackers could ‘take full control of the infrastructure’, researchers warn

UPDATED A vulnerability in FreeIPA could lead to XML External Entity (XXE) attacks, researchers have warned.

FreeIPA is a free and open source identity management system and is the upstream project of Red Hat Identity Management.

A flaw, identified as CVE-2022-2414, has been found in the package, warns a security advisory from Red Hat.

“Accessing external entities while parsing XML documents can lead to XML external entity attacks.

“This flaw allows a remote attacker to potentially retrieve the contents of arbitrary files by sending specially crafted HTTP requests.”

XXE allows injecting arbitrary entities into an XML document and performing malicious actions such as reading local files or sending HTTP requests in an internal network.

The latter could lead to Remote Code Execution (RCE) if there are unpatched applications inside an internal network.
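One way a service can refuse such input is to reject any request body that declares a DOCTYPE, since entities can only be defined there. This is an added example, not code from DogTag, FreeIPA or Red Hat's patch; the names `parse_untrusted_xml`, `screen_request` and `ForbiddenXML` are hypothetical and the sample bodies are constructed.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class ForbiddenXML(ValueError):
    """Untrusted XML declared a DOCTYPE, so entities could be defined."""


def parse_untrusted_xml(body: bytes) -> ET.Element:
    """Parse a request body, refusing any DOCTYPE before entities are defined."""
    builder = ET.TreeBuilder()
    parser = expat.ParserCreate()

    def reject_doctype(name, system_id, public_id, has_internal_subset):
        # Entities (external or internal) can only be declared inside a DTD,
        # so rejecting the DOCTYPE stops them before any is resolved.
        raise ForbiddenXML(f"DOCTYPE {name!r} not allowed in request body")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data
    parser.Parse(body, True)
    return builder.close()


def screen_request(body: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) so the caller can log and answer HTTP 400."""
    try:
        parse_untrusted_xml(body)
    except ForbiddenXML as exc:
        return False, str(exc)
    except expat.ExpatError as exc:
        return False, f"malformed XML: {exc}"
    return True, "ok"


# Constructed sample bodies (not captured traffic).
BENIGN = b'<?xml version="1.0"?><request><name>alice</name></request>'
WITH_ENTITY = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE request [<!ENTITY ext SYSTEM "file:///PLACEHOLDER">]>'
    b"<request><name>&ext;</name></request>"
)

if __name__ == "__main__":
    for sample in (BENIGN, WITH_ENTITY):
        print(screen_request(sample))
```
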

High score

The vulnerability, which has a severity rating of 7.5 (high), was discovered by researcher Egor Dimitrenko from the PT Swarm security research team.

The security flaw is in the certificate system, called DogTag, Dimitrenko told The Daily Swig.

“DogTag can be used as a PKI service for any project, but it’s well known as part of the FreeIPA system. Since DogTag is built into FreeIPA, FreeIPA is vulnerable if still not patched,” he said.

“It should also be mentioned that the main impact of the vulnerability is a risk of reading the configuration file, which contains the password for the Directory Manager user,” Dimitrenko said.

“Directory Manager is a primary entity within the Directory Server application and controls. By compromising this user, an attacker can connect to the directory server and read all highly sensitive data such as user credentials and then perform a lateral movement through the infrastructure.

“Especially in FreeIPA, this config file does not contain a default Directory Manager password, but in some cases it happens, for example when an administrator changes the Directory Manager password.”

Patched

The vulnerability affects Red Hat Enterprise Linux 6-9 and Red Hat Certificate System 9 and 10.

Dimitrenko said exploiting the bug is “extremely simple” due to the fact that it requires no credentials and an attacker only needs to find an accessible endpoint.

The vulnerability has been patched by Red Hat in all versions except Red Hat Enterprise Linux 6, which is out of scope. No known mitigations are available and Red Hat urges users to update.

Dimitrenko commented, “It’s nice to see that there are many companies that support responsible disclosure and communicate with researchers, instead of ignoring them and hiding their issues.”

This article has been updated to include additional comments.