Source: sssd Version: 2.10.1-2 Severity: important Tags: security upstream Forwarded: https://github.com/SSSD/sssd/issues/8021 X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi, The following vulnerability was published for sssd. Right now this is mainly for tracking purposes. My understanding is that there is no fix planned in near future, and mitigation exists by enabling explicitly the sssd_krb5_localauth_plugin plugin. CVE-2025-11561[0]: | A flaw was found in the integration of Active Directory and the | System Security Services Daemon (SSSD) on Linux systems. In default | configurations, the Kerberos local authentication plugin | (sssd_krb5_localauth_plugin) is enabled, but a fallback to the an2ln | plugin is possible. This fallback allows an attacker with permission | to modify certain AD attributes (such as userPrincipalName or | samAccountName) to impersonate privileged users, potentially | resulting in unauthorized access or privilege escalation on domain- | joined Linux hosts. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2025-11561 https://www.cve.org/CVERecord?id=CVE-2025-11561 [1] https://bugzilla.redhat.com/show_bug.cgi?id=2402727 [2] https://blog.async.sg/kerberos-ldr [3] https://github.com/SSSD/sssd/issues/8021 Please adjust the affected versions in the BTS as needed. Regards, Salvatore
