CVE-2024-3183
Published: 12 June 2024
Summary
CVE-2024-3183 is a high-severity Use of Password Hash With Insufficient Computational Effort (CWE-916) vulnerability in FreeIPA as shipped with Red Hat Enterprise Linux AUS. Its CVSS 3.1 base score is 8.1 (High).
Operationally, it ranks in the top 4.2% of CVEs by EPSS exploit likelihood and is not currently listed in the CISA KEV catalog.
Deeper analysis
The vulnerability lies in how FreeIPA's KDC answers Kerberos TGS-REQ messages. The reply itself is encrypted with the client's session key, which is fresh for every session and so is not a useful brute-force target, but the ticket carried inside the reply is encrypted with the target principal's long-term key. For user principals that key is derived from the user's password and a public, per-principal salt, so any ticket issued for a user principal is effectively an offline-crackable hash of that user's password. The flaw is tracked as CVE-2024-3183 and carries a CVSS 3.1 score of 8.1.
An attacker holding any one compromised principal can therefore request service tickets for arbitrary other principals, including ordinary users, and capture them. With the tickets and the readable salts in hand, the attacker runs a dictionary or brute-force attack offline, with no further traffic to the FreeIPA server, and recovers the password of every targeted account whose password is guessable.
Red Hat has published errata RHSA-2024:3754 through RHSA-2024:3758 that address the issue in affected products. The EPSS score has remained at 0.2123 with no material increase since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-31775
Vulnerability details
A vulnerability was found in FreeIPA in the way a Kerberos TGS-REQ is handled. The reply is encrypted using the client's session key. This key is different for each new session, which protects it from brute force attacks. However, the ticket it contains is encrypted using the target principal key directly. For user principals, this key is a hash of a public per-principal randomly-generated salt and the user's password. If a principal is compromised, the attacker would be able to retrieve tickets encrypted to any principal, all of them being encrypted by their own key directly. By taking these tickets and salts offline, the attacker could run brute force attacks to find character strings able to decrypt tickets when combined with a principal salt (i.e. find the principal's password).
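The attack path that both the deeper analysis and the vulnerability details describe (a compromised principal requests a ticket for another principal, takes the ticket and the public salt offline, and brute-forces the password), as an added example that is not FreeIPA's or MIT Kerberos's code. It assumes the PBKDF2-HMAC-SHA1 stage of the RFC 3962 AES string-to-key with the default 4096 iterations (the final DK step is omitted); a stand-in encrypt-then-MAC ticket cipher in place of AES-CTS/HMAC-SHA1-96 so the whole thing runs on the standard library; a constructed principal database, salts and wordlist; and a hypothetical `kdc_issue_ticket_hardened` policy check that refuses non-service targets, shown to illustrate the class of fix rather than the upstream patch.

```python
"""Offline password recovery from a Kerberos ticket encrypted under a
password-derived principal key, the mechanism behind CVE-2024-3183.

Added example, not FreeIPA or MIT Kerberos code.  Assumptions:
- principal_key() is only the PBKDF2-HMAC-SHA1 stage of the RFC 3962 AES
  string-to-key (4096 iterations); the final DK("kerberos") step is omitted
- encrypt_ticket()/decrypt_ticket() are a stand-in (HMAC-SHA256 keystream
  plus a 12-byte HMAC tag) for Kerberos AES-CTS/HMAC-SHA1-96
- PRINCIPALS, WORDLIST and the salts are constructed sample data
- kdc_issue_ticket_hardened() is a hypothetical policy check illustrating
  the class of fix, not the upstream patch
"""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Optional, Tuple

ITERATIONS = 4096    # RFC 3962 default iteration count
TAG_LEN = 12         # Kerberos HMAC-SHA1-96 truncates to 96 bits; mirrored here
CONFOUNDER_LEN = 16


def principal_key(password: str, salt: bytes) -> bytes:
    """Password + public salt -> 256-bit key (PBKDF2 stage of RFC 3962 only)."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, ITERATIONS, 32)


def _keystream(key: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for AES-CTS)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_ticket(key: bytes, plaintext: bytes) -> bytes:
    """enc-part stand-in: E(confounder || plaintext) || tag, encrypt-then-MAC."""
    data = secrets.token_bytes(CONFOUNDER_LEN) + plaintext
    body = bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


def decrypt_ticket(key: bytes, blob: bytes) -> Optional[bytes]:
    """Plaintext if the tag verifies under key, else None.  This verify-or-fail
    behaviour is the oracle an offline cracker needs: no KDC is involved."""
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(expected, tag):
        return None
    data = bytes(a ^ b for a, b in zip(body, _keystream(key, len(body))))
    return data[CONFOUNDER_LEN:]


# --- KDC side: constructed principal database ------------------------------
# FreeIPA stores a random per-principal salt; it is readable, so the attacker
# has it.  Passwords and salts below are constructed sample data.
PRINCIPALS: Dict[str, Tuple[str, bytes]] = {
    "alice@EXAMPLE.TEST":   ("Winter2024!", bytes.fromhex("3c9a1f0e5b7d2a48")),
    "svc/web@EXAMPLE.TEST": ("x7!Qf#2pL9zR$vB0", bytes.fromhex("a10b4c6e9d2f3e71")),
}
SERVICE_PRINCIPALS = {"svc/web@EXAMPLE.TEST"}


def kdc_issue_ticket(target: str, client: str, db=PRINCIPALS) -> Tuple[bytes, bytes]:
    """Vulnerable behaviour: any authenticated client gets a ticket for any
    principal, encrypted directly under that principal's long-term key.
    Returns (ticket, salt); the salt is what the attacker reads from the directory."""
    password, salt = db[target]
    # A real ticket carries an ASN.1 EncTicketPart; a fixed string stands in for it.
    enc_ticket_part = f"EncTicketPart cname={client} sname={target}".encode()
    return encrypt_ticket(principal_key(password, salt), enc_ticket_part), salt


def kdc_issue_ticket_hardened(target: str, client: str, db=PRINCIPALS,
                              services=SERVICE_PRINCIPALS) -> Tuple[bytes, bytes]:
    """Hypothetical policy fix: only principals registered as services may be
    TGS targets, so user keys never leave the KDC wrapped in a ticket."""
    if target not in services:
        raise PermissionError(f"policy: {target} is not a service principal")
    return kdc_issue_ticket(target, client, db)


# --- Attacker side: fully offline ------------------------------------------
WORDLIST = ["password", "Summer2023", "Winter2024", "Winter2024!", "letmein"]


def crack(ticket: bytes, salt: bytes, wordlist: Iterable[str]) -> Optional[str]:
    """One PBKDF2 run per candidate; the ticket tag tells us when we are right."""
    for candidate in wordlist:
        if decrypt_ticket(principal_key(candidate, salt), ticket) is not None:
            return candidate
    return None


if __name__ == "__main__":
    # Attacker already controls svc/web and asks the KDC for a ticket to alice.
    ticket, salt = kdc_issue_ticket("alice@EXAMPLE.TEST", "svc/web@EXAMPLE.TEST")
    print("recovered:", crack(ticket, salt, WORDLIST))   # Winter2024!
    try:
        kdc_issue_ticket_hardened("alice@EXAMPLE.TEST", "svc/web@EXAMPLE.TEST")
    except PermissionError as err:
        print("hardened KDC refused:", err)
```

The cost of each guess is one string-to-key derivation, which is why the weakness is filed under CWE-916: 4096 PBKDF2 iterations were chosen for KDC throughput, not for resistance to offline guessing, and the ticket's own integrity tag gives the attacker a silent, local success check. The hardened KDC still issues tickets for service principals (whose keys are random in practice) but never wraps a user's password-derived key in a ticket at all.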
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
The cited weakness is CWE-916 (Use of Password Hash With Insufficient Computational Effort): a key or hash derived from a password with a cheap derivation function can be brute-forced offline once an attacker obtains the hash and its salt. Controls derived from that weakness are a strong password policy for the accounts whose keys can be exposed, a higher work factor or a stronger key-derivation function where the protocol allows it, and, for this CVE, applying the Red Hat errata listed above.