Bug 1015556 - (CVE-2016-7030) VUL-0: CVE-2016-7030: freeipa: DoS attack against kerberized services by abusing password policy
VUL-0: CVE-2016-7030: freeipa: DoS attack against kerberized services by abus...
Classification: openSUSE
Product: openSUSE Distribution
Classification: openSUSE
Component: Other
Other Other
: P3 - Medium : Normal (vote)
: ---
Assigned To: Howard Guo
E-mail List
Depends on:
  Show dependency treegraph
Reported: 2016-12-14 14:44 UTC by Marcus Meissner
Modified: 2016-12-25 02:07 UTC (History)
1 user (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2016-12-14 14:44:31 UTC

A flaw was found that allows any unauthenticated party to easily run DoS attack against kerberized services in FreeIPA/IdM realm.

FreeIPA contains MIT KDC as its main component + FreeIPA is using custom database driver for the KDC. As a side-effect of implementation, FreeIPA is enforcing password policies for all principals, including services which do not use "password" but keytab with randomly-generated/strong key.

Default password policy locks an account after 5 unsuccessful authentication attempts for 10 minutes. An attacker can use this to simply lock-out any principal, including system services.

Comment 1 Marcus Meissner 2016-12-14 14:49:47 UTC
not on anz distro
Comment 2 Swamp Workflow Management 2016-12-14 23:03:17 UTC
bugbot adjusting priority
Comment 3 Howard Guo 2016-12-25 02:07:40 UTC
Merry Christmas!

FreeIPA isn't currently distributed on Tumbleweed, and most probably won't be for a little while longer.