Attackers could ‘take full control of the infrastructure’, warn researchers

Vulnerability in open source identity management system Free IPA could lead to XXE attacks

UPDATED A vulnerability in Free IPA could lead to XML external entity (XXE) attacks, researchers have warned.

FreeIPA is a free and open source identity management system and is the upstream project of Red Hat Identity Management.

A flaw, tracked as CVE-2022-2414, was found in the pki-core package, a security advisory from Red Hat warns.


Read more of the latest news about security vulnerabilities


“Access to external entities when parsing XML documents can lead to XML external entity attacks.

“This flaw allows a remote attacker to potentially retrieve the content of arbitrary files by sending specially crafted HTTP requests.”

XXE allows injecting arbitrary entities into an XML document and performing malicious actions such as local file reading or sending HTTP requests into an internal network.

The latter could lead to remote code execution (RCE) if there are unpatched applications inside an internal network.

High rating

The vulnerability, which has a severity rating of 7.5 (high), was discovered by researcher Egor Dimintrenko of security research team PT Swarm.

The security flaw takes place in the certification system, called DogTag, Dimitrenko told The Daily Swig.

“DogTag can be used as a PKI service for any project, but it’s well known as a part of FreeIPA system. Since DogTag is integrated into FreeIPA, FreeIPA is vulnerable if still unpatched,” he said.

“It’s also worth mentioning that main impact of the vulnerability is a risk of configuration file reading, which contains password for Directory Manager user,” Dimitrenko said.

“Directory Manager is a main entity in the application and control Directory Server. By compromising this user, an attacker is able to connect to directory server and read any high sensitive data like user credentials and then make a lateral movement in infrastructure.

“Particularly in FreeIPA this configuration file doesn’t contain a Directory Manager password by default, but in some cases it takes place, for example when an administrator change Directory Manager password.”

Patched

The vulnerability affects Red Hat Enterprise Linux 6-9 and Red Hat Certificate System 9 and 10.

Dimitrenko said that exploitation of the bug is “extremely simple” due to the fact that it doesn’t require any credentials and an attacker just has to find an accessible endpoint.

The vulnerability has been patched by Red Hat in all versions apart from Linux 6, which is out of scope. There are no known mitigations available and Red Hat urges users to update.

Dimitrenko commented: “It’s nice to see that there are many companies which support responsible disclosure and communicate with researchers, instead of ignoring them and hiding their problems.”

This article has been updated to include further comment.


YOU MAY ALSO LIKE Secure Open Source Rewards program launched to help protect critical upstream software