CVE-2024-3183

High

Published: 12 June 2024

Modified: 21 November 2024
CVSS Score (v3.1): 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.2123 (95.8th percentile)
Risk Priority: 29 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-3183 is a high-severity Use of Password Hash With Insufficient Computational Effort (CWE-916) vulnerability in Red Hat Enterprise Linux AUS. Its CVSS base score is 8.1 (High).

Operationally, it ranks in the top 4.2% of CVEs by exploit likelihood (EPSS), but it is not currently listed in the CISA KEV catalog.

Deeper analysis

A vulnerability exists in FreeIPA's handling of Kerberos TGS-REQ messages: the request itself is protected by the client's per-session key, but the ticket it contains is encrypted directly with the target principal's long-term key. For user principals this key is derived from the user's password combined with a public, per-principal salt, so once any principal is compromised the system is exposed to offline brute-force attacks. The flaw is tracked as CVE-2024-3183 and carries a CVSS 3.1 score of 8.1.

An attacker holding a compromised principal can request and capture service tickets encrypted to arbitrary other principals. Because the salts are public, these tickets can be processed offline to recover the corresponding passwords, granting access to additional accounts without any further interaction with the FreeIPA server.

Red Hat has published errata RHSA-2024:3754 through RHSA-2024:3758 that address the issue in affected products. The EPSS score has remained at 0.2123 with no material increase since disclosure.

Vulnerability details

A vulnerability was found in FreeIPA in the way a Kerberos TGS-REQ is encrypted using the client's session key. This key is different for each new session, which protects it from brute force attacks. However, the ticket it contains is encrypted using the target principal key directly. For user principals, this key is a hash of a public per-principal randomly-generated salt and the user's password. If a principal is compromised, the attacker would be able to retrieve tickets encrypted to any principal, all of them being encrypted by their own key directly. By taking these tickets and salts offline, the attacker could run brute force attacks to find character strings able to decrypt tickets when combined with a principal salt (i.e. find the principal's password).

CWE(s)

CWE-916: Use of Password Hash With Insufficient Computational Effort
Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Red Hat Enterprise Linux: 7.0, 8.0
Red Hat Enterprise Linux AUS: 8.2, 8.4, 8.6
Red Hat Enterprise Linux EUS: 8.8
Red Hat Enterprise Linux TUS: 8.4, 8.6
Red Hat Enterprise Linux Update Services for SAP Solutions: 8.4, 8.6

Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the control below is derived from the weakness type (CWE) cited in the NVD entry.

Addresses CWE-916: require password hashing methods with sufficient computational effort, so that weak, fast hashing methods are not adopted.