CVE-2025-4404 PUBLISHED

FreeIPA: IdM: privilege escalation from host to domain admin in FreeIPA

Assigner: redhat
Reserved: 06.05.2025 Published: 17.06.2025 Updated: 17.06.2025

A privilege escalation from host to domain vulnerability was found in the FreeIPA project. By default, the FreeIPA package fails to validate the uniqueness of the krbCanonicalName of the admin account, allowing users to create services with the same canonical name as the REALM admin. If the attack succeeds, the user can retrieve a Kerberos ticket in the name of this service that carries the admin@REALM credential. This flaw allows an attacker to perform administrative tasks over the REALM, leading to access to sensitive data and sensitive data exfiltration.
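The following audit check is an added example, not code from the advisory or from the FreeIPA project: it reads constructed LDIF-style entries (placeholder realm EXAMPLE.TEST; the admin account is assumed to be uid=admin) and reports every krbCanonicalName held by more than one entry, plus any non-admin entry claiming admin@REALM, which is the collision this CVE describes.

```python
"""Audit FreeIPA-style LDAP entries for duplicate krbCanonicalName values."""
from collections import defaultdict

# Constructed sample data (placeholder realm/hosts); uid=admin is assumed to be the admin account.
SAMPLE_LDIF = """\
dn: uid=admin,cn=users,cn=accounts,dc=example,dc=test
krbCanonicalName: admin@EXAMPLE.TEST
krbPrincipalName: admin@EXAMPLE.TEST

dn: krbprincipalname=HTTP/web.example.test@EXAMPLE.TEST,cn=services,cn=accounts,dc=example,dc=test
krbCanonicalName: HTTP/web.example.test@EXAMPLE.TEST
krbPrincipalName: HTTP/web.example.test@EXAMPLE.TEST

dn: krbprincipalname=svc/host1.example.test@EXAMPLE.TEST,cn=services,cn=accounts,dc=example,dc=test
krbCanonicalName: admin@EXAMPLE.TEST
krbPrincipalName: svc/host1.example.test@EXAMPLE.TEST
"""

def parse_ldif(text):
    """Minimal LDIF reader: blank lines separate entries; attribute names are lower-cased."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries

def canonical_name_collisions(entries):
    """Map every krbCanonicalName held by more than one entry to the DNs holding it.
    Kerberos principal names are case-sensitive, so the comparison is exact."""
    holders = defaultdict(list)
    for entry in entries:
        for name in entry.get("krbcanonicalname", []):
            holders[name].append(entry["dn"][0])
    return {name: dns for name, dns in holders.items() if len(dns) > 1}

def entries_impersonating_admin(entries, realm):
    """DNs other than the admin user that claim the canonical name admin@REALM."""
    target = f"admin@{realm}"
    return sorted(entry["dn"][0] for entry in entries
                  if target in entry.get("krbcanonicalname", [])
                  and not entry["dn"][0].startswith("uid=admin,"))
```

Run both checks over `parse_ldif(SAMPLE_LDIF)`; on a real deployment the same functions can be fed an LDIF export of cn=accounts, and any non-empty result is a finding to investigate.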

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CVSS Score: 9.1

Product Status

Vendor Red Hat
Product Red Hat Enterprise Linux 10
Versions Default: affected
  • unaffected from 0:4.12.2-15.el10_0.1 to * (excl.)
Vendor Red Hat
Product Red Hat Enterprise Linux 7 Extended Lifecycle Support
Versions Default: affected
  • unaffected from 0:4.6.8-5.el7_9.18 to * (excl.)
Vendor Red Hat
Product Red Hat Enterprise Linux 8
Versions Default: affected
  • unaffected from 8100020250603150652.143e9e98 to * (excl.)
Vendor Red Hat
Product Red Hat Enterprise Linux 8
Versions Default: affected
  • unaffected from 8100020250603134209.823393f5 to * (excl.)
Vendor Red Hat
Product Red Hat Enterprise Linux 8.2 Advanced Update Support
Versions Default: affected
  • unaffected from 8020020250609031831.50ea30f9 to * (excl.)
Vendor Red Hat
Product Red Hat Enterprise Linux 8.2 Advanced Update Support
Versions Default: affected
  • unaffected from 8020020250609030144.792f4060 to * (excl.)
Vendor Red Hat
Product Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
Versions Default: affected
  • unaffected from 8040020250609101903.f153676a to * (excl.)
Vendor Red Hat
Product Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
Versions Default: affected
  • unaffected from 8040020250609095221.5b01ab7e to * (excl.)
Vendor Red Hat
Product Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
Versions Default: affected
  • unaffected from 8060020250606060927.c1533a64 to * (excl.)
Vendor Red Hat
Product Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
Versions Default: affected
  • unaffected from 8060020250606060504.ada582f1 to * (excl.)
Vendor Red Hat
Product Red Hat Enterprise Linux 8.6 Telecommunications Update Service
Versions Default: affected
  • unaffected from 8060020250606060927.c1533a64 to * (excl.)
Vendor Red Hat
Product Red Hat Enterprise Linux 8.6 Telecommunications Update Service
Versions Default: affected
  • unaffected from 8060020250606060504.ada582f1 to * (excl.)
Vendor Red Hat
Product Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
Versions Default: affected
  • unaffected from 8060020250606060927.c1533a64 to * (excl.)
Vendor Red Hat
Product Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
Versions Default: affected
  • unaffected from 8060020250606060504.ada582f1 to * (excl.)
Vendor Red Hat
Product Red Hat Enterprise Linux 8.8 Telecommunications Update Service
Versions Default: affected
  • unaffected from 8080020250604195510.e581a9e4 to * (excl.)
Vendor Red Hat
Product Red Hat Enterprise Linux 8.8 Telecommunications Update Service
Versions Default: affected
  • unaffected from 8080020250604202433.b0a6ceea to * (excl.)
Vendor Red Hat
Product Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
Versions Default: affected
  • unaffected from 8080020250604195510.e581a9e4 to * (excl.)
Vendor Red Hat
Product Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
Versions Default: affected
  • unaffected from 8080020250604202433.b0a6ceea to * (excl.)
Vendor Red Hat
Product Red Hat Enterprise Linux 9
Versions Default: affected
  • unaffected from 0:4.12.2-14.el9_6.1 to * (excl.)
Vendor Red Hat
Product Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions
Versions Default: affected
  • unaffected from 0:4.9.8-11.el9_0.4 to * (excl.)
Vendor Red Hat
Product Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions
Versions Default: affected
  • unaffected from 0:4.10.1-12.el9_2.4 to * (excl.)
Vendor Red Hat
Product Red Hat Enterprise Linux 9.4 Extended Update Support
Versions Default: affected
  • unaffected from 0:4.11.0-15.el9_4.5 to * (excl.)
Vendor Red Hat
Product Red Hat Enterprise Linux 6
Versions Default: unknown

Workarounds

No mitigation is currently available that meets Red Hat Product Security’s standards for usability, deployment, applicability, or stability.

Credits

  • Red Hat would like to thank Mikhail Sukhov (Positive Technologies) for reporting this issue.

Problem Types

  • CWE: Insufficient Granularity of Access Control