Bugzilla – Bug 1015556
VUL-0: CVE-2016-7030: freeipa: DoS attack against kerberized services by abusing password policy
Last modified: 2016-12-25 02:07:40 UTC
rh#1370493 A flaw was found that allows any unauthenticated party to easily run a DoS attack against kerberized services in a FreeIPA/IdM realm. FreeIPA contains MIT KDC as its main component, and FreeIPA is using a custom database driver for the KDC. As a side effect of the implementation, FreeIPA is enforcing password policies for all principals, including services which do not use a "password" but a keytab with a randomly-generated/strong key. The default password policy locks an account after 5 unsuccessful authentication attempts for 10 minutes. An attacker can use this to simply lock out any principal, including system services.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1370493
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7030
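The report above says nothing about how to spot this being abused, so here is an added example (not part of the bug report, FreeIPA or MIT krb5) that replays AS_REQ failure lines from a KDC log and reports every principal the default policy (5 failures within 10 minutes) would have locked, flagging service principals separately. The line layout follows the AS_REQ audit format MIT krb5kdc writes to krb5kdc.log; the sample lines, realm, hostnames and addresses are constructed placeholders.

```python
"""Detect lockout-style abuse of the FreeIPA password policy in MIT KDC logs.

Added example (not from the bug report, FreeIPA or MIT krb5). The log lines
follow the AS_REQ audit format MIT krb5kdc writes to krb5kdc.log; the sample
lines further down are constructed, and the realm, hosts and addresses are
placeholders.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Defaults quoted in the bug: five failed attempts lock a principal for ten minutes.
DEFAULT_MAXFAIL = 5
DEFAULT_WINDOW_SECONDS = 600

# "Mon DD HH:MM:SS host krb5kdc[pid](info): AS_REQ (...) IP: STATUS: client for server, ..."
# Only the failure shape matters here; ISSUE lines have a different layout and are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ krb5kdc\[\d+\]\(\w+\): "
    r"AS_REQ \([^)]*\) (?P<ip>[0-9A-Fa-f.:]+): (?P<status>[A-Z_ ]+): "
    r"(?P<client>\S+) for (?P<server>\S+)"
)


def parse_timestamp(text):
    """Syslog-style stamps carry no year; only differences matter, so year 1900 is fine."""
    return datetime.strptime(text, "%b %d %H:%M:%S")


def is_service_principal(principal):
    """Service principals (HTTP/host@REALM, ldap/host@REALM, ...) have a slash in the name part."""
    name = principal.split("@", 1)[0]
    return "/" in name


def find_lockouts(lines, maxfail=DEFAULT_MAXFAIL, window=DEFAULT_WINDOW_SECONDS):
    """Replay AS_REQ pre-authentication failures and report each lock the policy would trigger.

    Returns one dict per lockout: the principal, whether it is a service principal,
    the time of the failure that tripped the threshold, and the source addresses
    seen failing against it since the previous lock.
    """
    recent = defaultdict(deque)   # principal -> failure timestamps still inside the window
    sources = defaultdict(set)    # principal -> IPs that failed against it since the last lock
    lockouts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group("status") != "PREAUTH_FAILED":
            continue
        principal = m.group("client")
        when = parse_timestamp(m.group("ts"))
        q = recent[principal]
        while q and (when - q[0]).total_seconds() > window:
            q.popleft()           # failures older than the window no longer count
        q.append(when)
        sources[principal].add(m.group("ip"))
        if len(q) >= maxfail:
            lockouts.append({
                "principal": principal,
                "service": is_service_principal(principal),
                "at": when,
                "sources": set(sources[principal]),
            })
            q.clear()             # the principal is now locked; count towards the next lock afresh
            sources[principal].clear()
    return lockouts


# Constructed sample log (placeholder realm, host and addresses): an unauthenticated client
# hammers the HTTP service principal with bad pre-authentication data, while alice merely
# mistypes her password twice, half an hour apart.
_FMT = ("Dec 25 02:{m:02d}:{s:02d} ipa.example.test krb5kdc[1234](info): "
        "AS_REQ (4 etypes {{18 17 16 23}}) {ip}: {status}: {client} for "
        "krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, {msg}")
SERVICE = "HTTP/ipa.example.test@EXAMPLE.TEST"
USER = "alice@EXAMPLE.TEST"
SAMPLE_LOG = [
    _FMT.format(m=0, s=1, ip="192.0.2.10", status="NEEDED_PREAUTH", client=SERVICE,
                msg="Additional pre-authentication required"),
] + [
    _FMT.format(m=0, s=2 + i, ip="192.0.2.10", status="PREAUTH_FAILED", client=SERVICE,
                msg="Preauthentication failed")
    for i in range(5)
] + [
    _FMT.format(m=0, s=5, ip="198.51.100.7", status="PREAUTH_FAILED", client=USER,
                msg="Preauthentication failed"),
    _FMT.format(m=30, s=5, ip="198.51.100.7", status="PREAUTH_FAILED", client=USER,
                msg="Preauthentication failed"),
]


if __name__ == "__main__":
    for hit in find_lockouts(SAMPLE_LOG):
        kind = "service" if hit["service"] else "user"
        print(f"{hit['at']:%b %d %H:%M:%S} {kind} principal {hit['principal']} locked "
              f"from {', '.join(sorted(hit['sources']))}")
```

Run against a real krb5kdc.log (`find_lockouts(open("/var/log/krb5kdc.log"))`), any hit whose `service` flag is set is worth looking at: a keytab-backed service should essentially never fail pre-authentication, so a burst of failures against `HTTP/...` or `ldap/...` from one address is the pattern this bug describes.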
Not on any distro.
bugbot adjusting priority
Merry Christmas! FreeIPA isn't currently distributed on Tumbleweed, and most probably won't be for a little while longer.