Contactez-nous Suivez-nous sur Twitter En francais English Language

De la Théorie à la pratique

Freely subscribe to our NEWSLETTER

Newsletter FR

Newsletter EN



Vigil@nce: Red Hat IPA, obtaining the password

September 2008 by Vigil@nce


An anonymous attacker can connect to the LDAP server and obtain the Master Password of Red Hat Enterprise IPA.

Gravity: 3/4

Consequences: administrator access/rights

Provenance: intranet client

Means of attack: no proof of concept, no attack

Ability of attacker: expert (4/4)

Confidence: confirmed by the editor (5/5)

Diffusion of the vulnerable configuration: high (3/3)

Creation date: 11/09/2008

Identifier: VIGILANCE-VUL-8105


- Fedora [confidential versions]
- Red Hat Enterprise Linux [confidential versions]


The Red Hat Enterprise IPA product centralizes the management of identities and policies.

The Master Kerberos Password is used to encrypt keys and is stored in a LDAP directory. However, the access rights to this password were not defined: an attacker can use an anonymous session to read it.

A network attacker can therefore obtain the Master Kerberos Password.


Identifiers: BID-31111, CVE-2008-3274, FEDORA-2008-7987, FEDORA-2008-8003, RHSA-2008:0860-02, VIGILANCE-VUL-8105

See previous articles


See next articles