FreeIPA 4.x with API version 2.213 allows a remote authenticated users to bypass intended account-locking restrictions via an unlock action with an old session ID (for the same user account) that had been created for an earlier session. NOTE: Vendor states that issue does not exist in product and does not recognize this report as a valid security concern
Weakness
Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Freeipa | Freeipa | 4.0.0 (including) | 4.0.0 (including) |
| Freeipa | Freeipa | 4.0.1 (including) | 4.0.1 (including) |
| Freeipa | Freeipa | 4.0.2 (including) | 4.0.2 (including) |
| Freeipa | Freeipa | 4.0.3 (including) | 4.0.3 (including) |
| Freeipa | Freeipa | 4.0.4 (including) | 4.0.4 (including) |
| Freeipa | Freeipa | 4.0.5 (including) | 4.0.5 (including) |
| Freeipa | Freeipa | 4.1.0 (including) | 4.1.0 (including) |
| Freeipa | Freeipa | 4.1.1 (including) | 4.1.1 (including) |
| Freeipa | Freeipa | 4.1.2 (including) | 4.1.2 (including) |
| Freeipa | Freeipa | 4.1.3 (including) | 4.1.3 (including) |
| Freeipa | Freeipa | 4.1.4 (including) | 4.1.4 (including) |
| Freeipa | Freeipa | 4.2.0 (including) | 4.2.0 (including) |
| Freeipa | Freeipa | 4.2.1 (including) | 4.2.1 (including) |
| Freeipa | Freeipa | 4.2.2 (including) | 4.2.2 (including) |
| Freeipa | Freeipa | 4.2.3 (including) | 4.2.3 (including) |
| Freeipa | Freeipa | 4.2.4 (including) | 4.2.4 (including) |
| Freeipa | Freeipa | 4.3.0 (including) | 4.3.0 (including) |
| Freeipa | Freeipa | 4.3.1 (including) | 4.3.1 (including) |
| Freeipa | Freeipa | 4.3.2 (including) | 4.3.2 (including) |
| Freeipa | Freeipa | 4.3.3 (including) | 4.3.3 (including) |
| Freeipa | Freeipa | 4.4.0 (including) | 4.4.0 (including) |
| Freeipa | Freeipa | 4.4.1 (including) | 4.4.1 (including) |
| Freeipa | Freeipa | 4.4.2 (including) | 4.4.2 (including) |
| Freeipa | Freeipa | 4.4.3 (including) | 4.4.3 (including) |
| Freeipa | Freeipa | 4.4.4 (including) | 4.4.4 (including) |
| Freeipa | Freeipa | 4.5.0 (including) | 4.5.0 (including) |
| Freeipa | Freeipa | 4.5.1 (including) | 4.5.1 (including) |
| Freeipa | Freeipa | 4.5.2 (including) | 4.5.2 (including) |
| Freeipa | Freeipa | 4.5.3 (including) | 4.5.3 (including) |
| Freeipa | Freeipa | 4.6.0 (including) | 4.6.0 (including) |
| Freeipa | Freeipa | 4.6.1 (including) | 4.6.1 (including) |
| Freeipa | Ubuntu | artful | * |
| Freeipa | Ubuntu | bionic | * |
| Freeipa | Ubuntu | cosmic | * |
| Freeipa | Ubuntu | disco | * |
| Freeipa | Ubuntu | eoan | * |
| Freeipa | Ubuntu | groovy | * |
| Freeipa | Ubuntu | hirsute | * |
| Freeipa | Ubuntu | impish | * |
| Freeipa | Ubuntu | kinetic | * |
| Freeipa | Ubuntu | lunar | * |
| Freeipa | Ubuntu | mantic | * |
| Freeipa | Ubuntu | trusty | * |
| Freeipa | Ubuntu | xenial | * |
| Freeipa | Ubuntu | zesty | * |
Extended Description
Such a scenario is commonly observed when:
In the generic exploit of session fixation vulnerabilities, an attacker creates a new session on a web application and records the associated session identifier. The attacker then causes the victim to associate, and possibly authenticate, against the server using that session identifier, giving the attacker access to the user’s account through the active session.
Potential Mitigations
Related Attack Patterns
- https://cwe.mitre.org/data/definitions/196.html
- https://cwe.mitre.org/data/definitions/21.html
- https://cwe.mitre.org/data/definitions/31.html
- https://cwe.mitre.org/data/definitions/39.html
- https://cwe.mitre.org/data/definitions/59.html
- https://cwe.mitre.org/data/definitions/60.html
- https://cwe.mitre.org/data/definitions/61.html