SB2025032926 - Anolis OS update for idm:DL1 module
Published: March 29, 2025 Updated: February 6, 2026
Description
This security bulletin contains information about 3 security vulnerabilities.
1) Improper Authorization (CVE-ID: CVE-2024-2698)
The vulnerability allows a remote attacker to bypass security restrictions.
The vulnerability exists due to an error in ipadb_match_acl() within the initial implementation of MS-SFU by MIT Kerberos, which was missing a condition for granting the "forwardable" flag on S4U2Self tickets. As a result, S4U2Proxy requests are accepted regardless of whether a matching service delegation rule exists.
Note that this vulnerability does not affect default FreeIPA deployments, because the only services with delegation rules defined are on the IPA servers themselves. Services with RBCD (resource-based constrained delegation) rules are not affected by this vulnerability either.
2) Use of Password Hash With Insufficient Computational Effort (CVE-ID: CVE-2024-3183)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists because the software uses the principal's key to encrypt tickets. A remote attacker can brute-force the principal key and decrypt communication between the KDC and the client.
3) Input validation error (CVE-ID: CVE-2024-1481)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of the Kerberos principal name in rpcserver before running kinit. A remote attacker can send a specially crafted HTTP request to the "/ipa/session/login_password" endpoint and perform a denial of service (DoS) attack.
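One way to enforce a principal-name check on the login form before anything is handed to a kinit process, as an added example for this bulletin (a hypothetical validator, not FreeIPA's own fix; the character rules, the length bound and the sample form posts are constructed assumptions):

```python
import re

# Constructed, conservative syntax rules for a Kerberos principal
# (components separated by "/", optional "@REALM"); an assumption,
# not FreeIPA's own validator.
_COMPONENT = re.compile(r"^[A-Za-z0-9._+-]+$")
_REALM = re.compile(r"^[A-Za-z0-9.-]+$")
MAX_PRINCIPAL_LEN = 255  # assumed upper bound for this example


def validate_principal(name):
    """Return True only if `name` is a well-formed principal that is safe
    to pass to an external kinit process; anything doubtful is rejected."""
    if not isinstance(name, str) or not name or len(name) > MAX_PRINCIPAL_LEN:
        return False
    # A leading "-" would read as a command-line option to a tool like kinit.
    if name.startswith("-"):
        return False
    # No whitespace, control characters or DEL anywhere in the name.
    if any(ch.isspace() or ord(ch) < 0x20 or ord(ch) == 0x7F for ch in name):
        return False
    primary, sep, realm = name.partition("@")
    if sep and not _REALM.match(realm):
        return False
    components = primary.split("/")
    return all(_COMPONENT.match(c) for c in components)


def screen_login_forms(forms):
    """Screen the user field of constructed login_password form posts and
    report which submissions would be allowed to reach kinit."""
    return [(f.get("user", ""), validate_principal(f.get("user", ""))) for f in forms]


# Constructed sample submissions (not captured traffic).
SAMPLE_FORMS = [
    {"user": "alice@EXAMPLE.TEST", "password": "x"},
    {"user": "host/ipa.example.test@EXAMPLE.TEST", "password": "x"},
    {"user": "-badflag", "password": "x"},
    {"user": "alice bob", "password": "x"},
    {"user": "alice@", "password": "x"},
]

if __name__ == "__main__":
    for user, ok in screen_login_forms(SAMPLE_FORMS):
        print(("allow " if ok else "reject") + " " + repr(user))
```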
Remediation
Install the update from the vendor's website.