THREATINT
PUBLISHED

CVE-2025-4404

FreeIPA: IdM: privilege escalation from host to domain admin in FreeIPA



Description

A privilege escalation from host to domain administrator was found in the FreeIPA project. By default, FreeIPA does not validate that the `krbCanonicalName` of the admin account is unique, so a user who is allowed to create services (the title's starting point is an enrolled host) can register a service whose canonical name is the same as that of the REALM admin. Once such a service exists, the attacker can obtain a Kerberos ticket for it that carries the admin@REALM identity, and with it perform administrative tasks across the whole REALM, exposing sensitive data to disclosure and exfiltration.
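The defect is a missing uniqueness check on krbCanonicalName, so the corresponding defender-side check is to audit the directory for any two entries that claim the same canonical principal name, and for any entry whose canonical name is not one of its own krbPrincipalName aliases. The script below is an added example, not FreeIPA project code: it parses a constructed LDIF snippet (the `rogue/...` service entry is hypothetical and only illustrates the class of collision the description above talks about; the DIT locations and the krbPrincipalName/krbCanonicalName attributes are the ones FreeIPA's Kerberos schema uses) and reports collisions. In a real deployment you would feed it the output of an `ldapsearch -LLL -b cn=accounts,<basedn> '(krbCanonicalName=*)' dn krbPrincipalName krbCanonicalName` run as a privileged bind, which is an assumed invocation and not something the advisory prescribes.

```python
from collections import defaultdict

# Constructed LDIF sample (not a real export): a legitimate admin user, a
# legitimate HTTP service with one alias, and a hypothetical service whose
# krbCanonicalName collides with the admin principal.
SAMPLE_LDIF = """\
dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com
objectClass: krbprincipalaux
krbPrincipalName: admin@EXAMPLE.COM
krbCanonicalName: admin@EXAMPLE.COM

dn: krbprincipalname=HTTP/web1.example.com@EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com
objectClass: krbprincipalaux
krbPrincipalName: HTTP/web1.example.com@EXAMPLE.COM
krbPrincipalName: HTTP/www.example.com@EXAMPLE.COM
krbCanonicalName: HTTP/web1.example.com@EXAMPLE.COM

dn: krbprincipalname=rogue/web1.example.com@EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com
objectClass: krbprincipalaux
krbPrincipalName: rogue/web1.example.com@EXAMPLE.COM
krbCanonicalName: admin@EXAMPLE.COM
"""


def parse_ldif(text):
    """Minimal LDIF reader: one dict per entry, attribute names lower-cased,
    multi-valued attributes kept as lists, 'dn' kept as a string. Folded
    continuation lines (leading space) are joined; base64 ('::') values are
    not decoded because the attributes audited here are plain strings."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)

    entries, current = [], None
    for line in unfolded:
        if not line.strip():            # blank line ends an entry
            if current:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):        # LDIF comment
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = {"dn": value}
        elif current is not None:
            current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def canonical_name_collisions(entries):
    """Map every krbCanonicalName claimed by more than one entry to the DNs
    that claim it. A canonical principal name must be unique realm-wide, so
    any hit here is the condition the advisory describes."""
    owners = defaultdict(list)
    for entry in entries:
        for name in entry.get("krbcanonicalname", []):
            owners[name].append(entry["dn"])
    return {name: dns for name, dns in owners.items() if len(dns) > 1}


def canonical_not_in_aliases(entries):
    """DNs whose krbCanonicalName is not among their own krbPrincipalName
    values. Normally the canonical name is one of the entry's aliases, so a
    mismatch marks an entry that claims an identity it was not created as."""
    flagged = []
    for entry in entries:
        aliases = set(entry.get("krbprincipalname", []))
        if any(c not in aliases for c in entry.get("krbcanonicalname", [])):
            flagged.append(entry["dn"])
    return flagged


def audit(ldif_text):
    """Run both checks over an LDIF export and return the findings."""
    entries = parse_ldif(ldif_text)
    return {
        "collisions": canonical_name_collisions(entries),
        "mismatched": canonical_not_in_aliases(entries),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_LDIF)
    for name, dns in report["collisions"].items():
        print(f"COLLISION {name} claimed by {len(dns)} entries:")
        for dn in dns:
            print(f"    {dn}")
    for dn in report["mismatched"]:
        print(f"MISMATCH  canonical name not among aliases: {dn}")
```

Both checks are cheap enough to run from a cron job against the replicas; the collision check is the direct test for this CVE, while the alias mismatch catches the same abuse when the colliding target is a principal other than admin.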

Reserved 2025-05-06 | Published 2025-06-17 | Updated 2025-06-17 | Assigner redhat


CRITICAL: 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)

Problem types

Insufficient Granularity of Access Control

Product status

For every product entry the default status is "affected"; the build listed is the first unaffected one, and everything before it is affected. Product names were lost in extraction, so the stream is inferred from the version string (el7_9 = RHEL 7.9, el9_6 = RHEL 9.6, the leading digits of a module build such as 8060... = the RHEL 8.6 idm module). Several module builds appear more than once in the source, once per product entry that ships them; those repeats are collapsed below.

First unaffected build             Stream (inferred from version string)
0:4.6.8-5.el7_9.18                 RHEL 7.9
8020020250609031831.50ea30f9       RHEL 8.2 idm module
8020020250609030144.792f4060       RHEL 8.2 idm module
8040020250609101903.f153676a       RHEL 8.4 idm module
8040020250609095221.5b01ab7e       RHEL 8.4 idm module
8060020250606060927.c1533a64       RHEL 8.6 idm module
8060020250606060504.ada582f1       RHEL 8.6 idm module
8080020250604195510.e581a9e4       RHEL 8.8 idm module
8080020250604202433.b0a6ceea       RHEL 8.8 idm module
8100020250603150652.143e9e98       RHEL 8.10 idm module
8100020250603134209.823393f5       RHEL 8.10 idm module
0:4.9.8-11.el9_0.4                 RHEL 9.0
0:4.10.1-12.el9_2.4                RHEL 9.2
0:4.11.0-15.el9_4.5                RHEL 9.4
0:4.12.2-14.el9_6.1                RHEL 9.6
0:4.12.2-15.el10_0.1               RHEL 10.0

One further product entry carries a default status of "unknown" with no fixed build listed.

Timeline

2025-05-06:Reported to Red Hat.
2025-06-17:Made public.

Credits

Red Hat would like to thank Mikhail Sukhov (Positive Technologies) for reporting this issue.

References

access.redhat.com/errata/RHSA-2025:9184 (RHSA-2025:9184) vendor-advisory

access.redhat.com/errata/RHSA-2025:9185 (RHSA-2025:9185) vendor-advisory

access.redhat.com/errata/RHSA-2025:9186 (RHSA-2025:9186) vendor-advisory

access.redhat.com/errata/RHSA-2025:9187 (RHSA-2025:9187) vendor-advisory

access.redhat.com/errata/RHSA-2025:9188 (RHSA-2025:9188) vendor-advisory

access.redhat.com/errata/RHSA-2025:9189 (RHSA-2025:9189) vendor-advisory

access.redhat.com/errata/RHSA-2025:9190 (RHSA-2025:9190) vendor-advisory

access.redhat.com/errata/RHSA-2025:9191 (RHSA-2025:9191) vendor-advisory

access.redhat.com/errata/RHSA-2025:9192 (RHSA-2025:9192) vendor-advisory

access.redhat.com/errata/RHSA-2025:9193 (RHSA-2025:9193) vendor-advisory

access.redhat.com/errata/RHSA-2025:9194 (RHSA-2025:9194) vendor-advisory

access.redhat.com/security/cve/CVE-2025-4404 vdb-entry

bugzilla.redhat.com/show_bug.cgi?id=2364606 (RHBZ#2364606) issue-tracking

cve.org (CVE-2025-4404)

nvd.nist.gov (CVE-2025-4404)

https://cve.threatint.eu/CVE/CVE-2025-4404