|
|
| |
|
| |
ipa: authentication bypass
| Package(s): | ipa |
CVE #(s): | CVE-2012-5484
|
| Created: | January 24, 2013 |
Updated: | February 25, 2013 |
| Description: |
From the Red Hat advisory:
A weakness was found in the way IPA clients communicated with IPA servers
when initially attempting to join IPA domains. As there was no secure way
to provide the IPA server's Certificate Authority (CA) certificate to the
client during a join, the IPA client enrollment process was susceptible to
man-in-the-middle attacks. This flaw could allow an attacker to obtain
access to the IPA server using the credentials provided by an IPA client,
including administrative access to the entire domain if the join was
performed using an administrator's credentials. (CVE-2012-5484)
Note: This weakness was only exposed during the initial client join to the
realm, because the IPA client did not yet have the CA certificate of the
server. Once an IPA client has joined the realm and has obtained the CA
certificate of the IPA server, all further communication is secure. If a
client were using the OTP (one-time password) method to join to the realm,
an attacker could only obtain unprivileged access to the server (enough to
only join the realm).
|
| Alerts: |
|
( Log in to post comments)
|
|
|