FreeIPA
cpe:2.3:a:freeipa:freeipa:*:*:*:*:*:*:*
A privilege escalation vulnerability has been identified in FreeIPA, allowing an attacker to escalate rights from host-level to domain administrator. This issue arises because FreeIPA does not properly validate the uniqueness of the krbCanonicalName attribute. Although a previous update addressed similar concerns for the admin@REALM credential, the root@REALM canonical name, which can also represent the realm administrator, remains unvalidated. Exploiting this flaw enables an attacker to impersonate the admin identity, access sensitive data, and perform administrative tasks within the REALM.
Exploitation of this vulnerability allows a local or authenticated attacker to gain domain-level administrative access in a FreeIPA environment, compromising the entire security boundary of the realm. This access enables unauthorized management of users, policies, and credentials, along with the potential extraction of sensitive data.
Users can update to the latest FreeIPA package version to address this vulnerability. Specific update instructions can be found in the Red Hat Product Errata RHSA-2025:17084, RHSA-2025:17085, RHSA-2025:17086, RHSA-2025:17087, and RHSA-2025:17088.
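A directory audit for the weakness described above, as an added example that is not FreeIPA's or Red Hat's own code: it takes principal entries (here a constructed sample in the shape an LDAP search of the IPA directory returns; the realm, the DNs and the `uid=admin,` prefix are assumptions) and reports every krbCanonicalName or alias claimed by more than one entry, plus any entry other than the admin user that carries admin@REALM or root@REALM.

```python
from collections import defaultdict

REALM = "EXAMPLE.TEST"          # assumed placeholder realm
ADMIN_DN_PREFIX = "uid=admin,"  # the one entry allowed to carry admin names

# Principal names the advisory says can represent the realm administrator.
ADMIN_NAMES = {f"admin@{REALM}", f"root@{REALM}"}

# Constructed sample entries in the shape an LDAP search of the IPA directory
# returns them (only the attributes this check needs).
SAMPLE_ENTRIES = [
    {"dn": "uid=admin,cn=users,cn=accounts,dc=example,dc=test",
     "krbCanonicalName": [f"admin@{REALM}"],
     "krbPrincipalName": [f"admin@{REALM}", f"root@{REALM}"]},
    {"dn": "fqdn=web1.example.test,cn=computers,cn=accounts,dc=example,dc=test",
     "krbCanonicalName": [f"host/web1.example.test@{REALM}"],
     "krbPrincipalName": [f"host/web1.example.test@{REALM}"]},
    {"dn": "fqdn=db1.example.test,cn=computers,cn=accounts,dc=example,dc=test",
     "krbCanonicalName": [f"root@{REALM}"],  # constructed collision
     "krbPrincipalName": [f"root@{REALM}", f"host/db1.example.test@{REALM}"]},
]


def principal_names(entry):
    """All Kerberos names an entry claims: canonical name plus aliases."""
    return set(entry.get("krbCanonicalName", [])) | set(
        entry.get("krbPrincipalName", []))


def audit_principals(entries, admin_names=ADMIN_NAMES):
    """Return {name: sorted DNs} for every name claimed by more than one
    entry and for every admin name held by an entry other than the admin user."""
    owners = defaultdict(set)
    findings = defaultdict(set)
    for entry in entries:
        dn = entry["dn"]
        names = principal_names(entry)
        for name in names:
            owners[name].add(dn)
        if not dn.startswith(ADMIN_DN_PREFIX):
            for name in names & admin_names:
                findings[name].add(dn)
    for name, dns in owners.items():
        if len(dns) > 1:
            findings[name] |= dns
    return {name: sorted(dns) for name, dns in sorted(findings.items())}


if __name__ == "__main__":
    for name, dns in audit_principals(SAMPLE_ENTRIES).items():
        print(f"{name}: {', '.join(dns)}")
```

Any finding should be reviewed against the patched package's uniqueness enforcement; a clean report on a patched server is the expected state.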