====== SSSD Security Release 1.5.7 ==========================
= Subject:          User impersonation attack
= CVE ID#:          CVE-2011-1758
= Summary:          The current stable and development version
=                   of SSSD are vulnerable to a user
=                   impersonation attack.
= Impact:           moderate
= Affects default
=  configuration:   Negative
= Introduced with:  1.5.0


The current stable and development version of SSSD are vulnerable to a
user impersonation attack.

A malicious user can log in as a legitimate user by using a well-known
plain text under specific circumstances.

The user's legitimate credentials are *not* disclosed.

The vulnerability is present if the automatic ticket renewal option is
enabled, and only if a ticket renewal operation for the user has been
recently performed without any further authentication from the
legitimate user taking place since.

The vulnerability is exploitable only if the SSSD daemon is
authenticating in offline mode (servers not reachable), and offline
authentication is enabled.

The vulnerability is rated moderate due to the fact the vulnerability is
present only in non default configurations and the vulnerability is
available only after a very specific set of circumstances materializes.


A patch addressing this issue is available at:


Disable automatic ticket renewal and flush sssd caches to remove bad
cached credentials.


The automatic ticket renewal service in SSSD operates by providing the
active credential cache to the kerberos libraries in order to renew the
user's TGT on their behalf by using their existing credentials.
Internally, SSSD treats this as a standard authentication, which upon
success will update the cached credentials of the user.

The side-effect here is that the user's credentials in the context of
this renewal are actually the path to the credential cache file,
instead of their real password. So as a result, the user's cached
credentials have now become a different string.

The security issue is that this new cached-credential string is now
predictable. Another user on the local system would now be capable of
logging in as the first user by performing an 'ls /tmp' and seeing what
the first user's cache file is called.

The problem gets further complicated if the administrators has modified
the SSSD config option 'krb5_ccache_template' to remove the mkstemp()
suffix. This would then make the credential cache's name predictable to
a network attacker as well.

With this release, we no longer erroneously set the credential cache
path as the user's cached credentials, removing this vulnerability and
restoring the user's ability to log in properly in offline mode.


Thanks to Marko Myllynen (Red Hat) for reporting and to Stephen
Gallagher for identifying the actual problem.

The SSSD team.


Attachment: signature.asc
Description: This is a digitally signed message part

Freeipa-interest mailing list

Reply via email to