This is a summary of the AI-generated 10-question deep analysis. The full version (longer answers, follow-up Q&A, related CVEs) requires login.
Q1. What is this vulnerability? (Essence + Consequences)
**Essence**: Red Hat FreeIPA fails to verify the uniqueness of `krbCanonicalName`. **Consequences**: Attackers can steal REALM admin credentials and execute unauthorized management tasks…
**Affected**: Red Hat FreeIPA, specifically versions prior to the fix shipped in the RHSA-2025 advisories. The POC mentions **FreeIPA 4.12.4** as a vulnerable baseline where admin accounts lack proper `krbCanonicalName` values.
**Exploitation Threshold**: **Medium-High**. Requires **PR:H** (High Privileges) initially. You need a valid domain computer account (e.g., `host/pc1.test.local`) to initiate the attack…
**Public Exp?**: **YES**. POCs are available on GitHub (e.g., `Cyxow/CVE-2025-4404-POC`). The attack involves using `kinit` with a host keytab and modifying LDAP entries to inject malicious `krbCanonicalName` values.
Q7. How to self-check? (Features/Scanning)
**Self-Check**: 1. Check whether your FreeIPA version is older than the patched version. 2. Audit LDAP entries for missing or duplicate `krbCanonicalName` values on admin accounts…
**Official Fix**: **YES**. Red Hat released security advisories: **RHSA-2025:9190**, **RHSA-2025:9184**, **RHSA-2025:9191**, and **RHSA-2025:9189**. Update immediately via Red Hat Network.
Q9. What if no patch? (Workaround)
**No Patch?**: 1. Restrict LDAP write permissions for host accounts. 2. Ensure all admin accounts have unique, verified `krbCanonicalName` attributes. 3. Implement strict Kerberos ticket monitoring and alerting.
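The audit step in Q7 and workaround step 2 in Q9 both come down to the same check: every admin entry carries a `krbCanonicalName`, no two entries share one, and no entry claims a canonical name that is not its own principal. The script below is an added example (not part of the original analysis and not FreeIPA's own code) that runs that check offline over an LDIF export. The realm, DNs and host names in `SAMPLE_LDIF` are constructed for the example, and the "foreign" check rests on an assumed invariant that a healthy entry's `krbCanonicalName` is one of its own `krbPrincipalName` values.

```python
"""Offline audit of FreeIPA principal entries for krbCanonicalName problems.
Added example with constructed data; not FreeIPA's own code."""
from collections import defaultdict

# Constructed LDIF sample (realm, DNs and hosts are assumptions for the
# example). It models an admin entry that has no krbCanonicalName and two
# host entries that both claim admin@TEST.LOCAL as their canonical name.
SAMPLE_LDIF = """\
dn: uid=admin,cn=users,cn=accounts,dc=test,dc=local
krbPrincipalName: admin@TEST.LOCAL

dn: uid=alice,cn=users,cn=accounts,dc=test,dc=local
krbPrincipalName: alice@TEST.LOCAL
krbCanonicalName: alice@TEST.LOCAL

dn: fqdn=pc1.test.local,cn=computers,cn=accounts,dc=test,dc=local
krbPrincipalName: host/pc1.test.local@TEST.LOCAL
krbCanonicalName: admin@TEST.LOCAL

dn: fqdn=pc2.test.local,cn=computers,cn=accounts,dc=test,dc=local
krbPrincipalName: host/pc2.test.local@TEST.LOCAL
krbCanonicalName: host/pc2.test.local@TEST.LOCAL

dn: fqdn=pc3.test.local,cn=computers,cn=accounts,dc=test,dc=local
krbPrincipalName: host/pc3.test.local@TEST.LOCAL
krbCanonicalName: admin@TEST.LOCAL
"""


def parse_ldif(text):
    """Minimal LDIF reader: one dict of {attribute: [values]} per entry.
    Only the plain 'attr: value' form is handled (no '::' base64 values,
    no folded continuation lines), which is enough for the sample above."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():           # a blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def audit_canonical_names(entries, privileged_prefixes=("uid=admin,",)):
    """Return findings in three categories:

    missing   - privileged entries (DN starts with one of the prefixes)
                that carry no krbCanonicalName at all
    duplicate - a krbCanonicalName value present on more than one entry
    foreign   - an entry whose krbCanonicalName is not among its own
                krbPrincipalName values (assumed invariant: the canonical
                name is an alias of the entry that carries it)
    """
    findings = {"missing": [], "duplicate": [], "foreign": []}
    owners = defaultdict(list)  # canonical name -> DNs claiming it
    for entry in entries:
        dn = entry.get("dn", ["<no dn>"])[0]
        canonical = entry.get("krbCanonicalName", [])
        principals = set(entry.get("krbPrincipalName", []))
        if not canonical:
            if dn.startswith(privileged_prefixes):
                findings["missing"].append(dn)
            continue
        for name in canonical:
            owners[name].append(dn)
            if name not in principals:
                findings["foreign"].append((dn, name))
    for name, dns in sorted(owners.items()):
        if len(dns) > 1:
            findings["duplicate"].append((name, sorted(dns)))
    return findings


def report(findings):
    """Render findings as plain text, one line per issue."""
    lines = []
    for dn in findings["missing"]:
        lines.append(f"MISSING   {dn}")
    for name, dns in findings["duplicate"]:
        lines.append(f"DUPLICATE {name} <- {', '.join(dns)}")
    for dn, name in findings["foreign"]:
        lines.append(f"FOREIGN   {dn} claims {name}")
    return "\n".join(lines) if lines else "no krbCanonicalName issues found"


if __name__ == "__main__":
    print(report(audit_canonical_names(parse_ldif(SAMPLE_LDIF))))
```

Against the sample this reports the admin entry as MISSING, `admin@TEST.LOCAL` as DUPLICATE across `pc1` and `pc3`, and both host entries as FOREIGN. To run it on a real server, export the principal entries from the accounts subtree (a read-only `ldapsearch` over GSSAPI for `krbPrincipalName` and `krbCanonicalName` is one way; the exact base DN is an assumption you fill in for your realm) and pass the text to `parse_ldif`; real exports may contain base64 (`::`) values and folded lines, which this minimal parser does not handle.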
Q10. Is it urgent? (Priority Suggestion)
**Urgency**: **CRITICAL**. CVSS Score is **High** (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H). While it requires initial privileges, the impact is total compromise of the identity infrastructure. Patch ASAP!