FreeIPA CVE-2019-14867 Denial of Service Vulnerability

Description

FreeIPA is prone to a denial-of-service vulnerability. Attackers can exploit this issue to execute arbitrary code or crash the affected application, denying service to legitimate users. FreeIPA versions 4.6 prior to 4.6.7, versions 4.7 prior to 4.7.4 and versions 4.8 prior to 4.8.3 are vulnerable.

Technologies Affected

• FreeIPA FreeIPA 4.6.0
• FreeIPA FreeIPA 4.6.1
• FreeIPA FreeIPA 4.6.2
• FreeIPA FreeIPA 4.6.3
• FreeIPA FreeIPA 4.6.4
• FreeIPA FreeIPA 4.6.5
• FreeIPA FreeIPA 4.6.6
• FreeIPA FreeIPA 4.7.0
• FreeIPA FreeIPA 4.7.1
• FreeIPA FreeIPA 4.7.2
• FreeIPA FreeIPA 4.7.3
• FreeIPA FreeIPA 4.8.0
• FreeIPA FreeIPA 4.8.1
• FreeIPA FreeIPA 4.8.2
• Redhat Enterprise Linux 7
• Redhat Enterprise Linux 8

Recommendations

Block external access at the network boundary, unless external parties require service.
Filter access to the affected computer at the network boundary if global access isn’t needed. Restricting access to only trusted computers and networks might greatly reduce the likelihood of a successful exploit.

Deploy network intrusion detection systems to monitor network traffic for malicious activity.
Deploy NIDS to monitor network traffic for signs of anomalous or suspicious activity. This may indicate exploit attempts or activity that results from successful exploits.

Implement multiple authentication mechanisms.
Implement measures such as .htaccess to provide an additional layer of authentication for sensitive PHP scripts. This may limit the impact of malicious users gaining unauthorized access to session variables.

Updates are available. Please see the references or vendor advisory for more information.