vulnerability

Alma Linux: CVE-2025-4404: Important: ipa security update (Multiple Advisories)

Try Surface Command
Back to search
Severity
8
CVSS
(AV:N/AC:L/Au:M/C:C/I:C/A:C)
Published
Jun 17, 2025
Added
Jul 1, 2025
Modified
Nov 13, 2025

Description

A privilege escalation from host to domain vulnerability was found in the FreeIPA project. The FreeIPA package fails to validate the uniqueness of the `krbCanonicalName` for the admin account by default, allowing users to create services with the same canonical name as the REALM admin. When a successful attack happens, the user can retrieve a Kerberos ticket in the name of this service, containing the admin@REALM credential. This flaw allows an attacker to perform administrative tasks over the REALM, leading to access to sensitive data and sensitive data exfiltration.

Solutions

alma-upgrade-bind-dyndb-ldapalma-upgrade-custodiaalma-upgrade-ipa-clientalma-upgrade-ipa-client-commonalma-upgrade-ipa-client-encrypted-dnsalma-upgrade-ipa-client-epnalma-upgrade-ipa-client-sambaalma-upgrade-ipa-commonalma-upgrade-ipa-healthcheckalma-upgrade-ipa-healthcheck-corealma-upgrade-ipa-python-compatalma-upgrade-ipa-selinuxalma-upgrade-ipa-selinux-lunaalma-upgrade-ipa-selinux-nfastalma-upgrade-ipa-serveralma-upgrade-ipa-server-commonalma-upgrade-ipa-server-dnsalma-upgrade-ipa-server-encrypted-dnsalma-upgrade-ipa-server-trust-adalma-upgrade-opendnssecalma-upgrade-python3-custodiaalma-upgrade-python3-ipaclientalma-upgrade-python3-ipalibalma-upgrade-python3-ipaserveralma-upgrade-python3-ipatestsalma-upgrade-python3-jwcryptoalma-upgrade-python3-kdcproxyalma-upgrade-python3-pyusbalma-upgrade-python3-qrcodealma-upgrade-python3-qrcode-corealma-upgrade-python3-yubicoalma-upgrade-slapi-nisalma-upgrade-softhsmalma-upgrade-softhsm-devel

References

Title
NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today