======================= A security bug in SSSD 1.9 ===========================
=
= Subject:          A simple access provider flaw prevents intended ACL use
=                   when SSSD is configured as an Active Directory client
=
= CVE ID#:          CVE-2013-0287
=
= Summary:          When SSSD is configured as an Active Directory client by
=                   using the new Active Directory provider or equivalent
=                   configuration of the LDAP provider, the Simple Access
=                   Provider does not handle access control correctly.
=                   If any groups are specified with the simple_deny_groups
=                   option, the group members are permitted access.
=
= Impact:           medium
=
= Acknowledgements: The bug was found by Kaushik Banerjee of Red Hat
=                   Quality Engineering team
=
= Affects default
= configuration:    no
=
= Introduced with:  1.9.0
=
===============================================================

==== DESCRIPTION ====

SSSD versions 1.9.0 and later, up to the fix delivered in 1.9.5, are vulnerable to a security bug. If SSSD is configured to use the Active Directory provider (or an equivalent configuration of the LDAP provider) together with the Simple Access Provider, and the latter uses the simple_deny_groups option, then members of the groups listed in that option are nevertheless allowed access.
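The following is an added example, not part of the advisory or of the SSSD code base. It shows how an administrator could audit an sssd.conf for the configuration pattern the advisory describes: an active domain whose groups arrive as SIDs (id_provider = ad, or id_provider = ldap with ldap_schema = ad and ldap_id_mapping = True) combined with access_provider = simple and group-based simple rules. The option names are real SSSD options; the configuration text, domain names and group names are constructed for the demonstration. The script reads the configuration only and does not check the installed SSSD version, so a hit means "review this host", not "confirmed vulnerable".

```python
"""Flag sssd.conf domains that match the CVE-2013-0287 configuration pattern."""
import configparser

# Constructed sample configuration for demonstration; not taken from any real host.
SAMPLE_SSSD_CONF = """
[sssd]
services = nss, pam
domains = ad.example.com, legacy.example.com, plain.example.com

[domain/ad.example.com]
id_provider = ad
access_provider = simple
simple_deny_groups = contractors

[domain/legacy.example.com]
id_provider = ldap
ldap_schema = ad
ldap_id_mapping = True
access_provider = simple
simple_allow_groups = linux-admins

[domain/plain.example.com]
id_provider = ldap
ldap_schema = rfc2307
access_provider = simple
simple_deny_groups = contractors
"""

TRUE_VALUES = {"true", "yes", "1"}


def _is_true(value):
    """SSSD boolean options accept true/yes/1 in any case."""
    return value is not None and value.strip().lower() in TRUE_VALUES


def _group_list(value):
    """SSSD list options are comma-separated; drop empty entries."""
    if value is None:
        return []
    return [g.strip() for g in value.split(",") if g.strip()]


def uses_ad_group_sids(section):
    """True when group membership is delivered as SIDs mapped to GIDs,
    i.e. the AD provider or the equivalent LDAP provider configuration."""
    id_provider = section.get("id_provider", "").strip().lower()
    if id_provider == "ad":
        return True
    return (id_provider == "ldap"
            and section.get("ldap_schema", "").strip().lower() == "ad"
            and _is_true(section.get("ldap_id_mapping")))


def find_affected_domains(conf_text):
    """Return {domain: [findings]} for active domains matching the pattern."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    # Only domains listed in [sssd] domains= are started; if the list is
    # missing, fall back to examining every domain section.
    active = set(_group_list(cp.get("sssd", "domains", fallback=None)))
    findings = {}
    for name in cp.sections():
        if not name.startswith("domain/"):
            continue
        domain = name[len("domain/"):]
        if active and domain not in active:
            continue
        sec = cp[name]
        if sec.get("access_provider", "").strip().lower() != "simple":
            continue
        if not uses_ad_group_sids(sec):
            continue
        deny = _group_list(sec.get("simple_deny_groups"))
        allow = _group_list(sec.get("simple_allow_groups"))
        problems = []
        if deny:
            problems.append("simple_deny_groups fails open: " + ", ".join(deny))
        if allow:
            problems.append("simple_allow_groups may fail closed: " + ", ".join(allow))
        if problems:
            findings[domain] = problems
    return findings


if __name__ == "__main__":
    for domain, problems in find_affected_domains(SAMPLE_SSSD_CONF).items():
        print(domain)
        for problem in problems:
            print("  -", problem)
```

On the sample above, ad.example.com and legacy.example.com are reported and plain.example.com (rfc2307 schema, no ID mapping) is not. The deny-group finding is the security-relevant one, because a deny rule that fails to match grants access; the allow-group finding is an availability problem. To run it against a real host, read /etc/sssd/sssd.conf (root-only) and pass its text to find_affected_domains.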
The reason is that the AD provider obtains the list of groups the user is a member of in the form of SIDs, which are algorithmically mapped to GIDs during the initgroups operation; the group names are not necessarily resolved along the way. Thus, unlike with the classic LDAP provider, the group names may not be known during the account phase of the PAM conversation, when the Simple Access Provider evaluates its name-based group rules, and a rule naming a group the user actually belongs to can fail to match. As a result, members of groups listed in the simple_deny_groups option may be allowed access (the deny rule fails open) and members of groups listed in simple_allow_groups may be denied access (the allow rule fails closed).

The vulnerable LDAP provider configuration would use the "ldap_schema=ad" option together with SID-to-ID mapping (ldap_id_mapping=True), be connected to an Active Directory server, and use the simple_deny_groups option as mentioned above.

The fix will be delivered as part of the upcoming 1.9.5 release. The bug is being tracked in the following Red Hat Bugzilla report:

https://bugzilla.redhat.com/show_bug.cgi?id=910938

==== PATCH AVAILABILITY ====

The patches for the master branch are available at:

http://git.fedorahosted.org/cgit/sssd.git/patch/?id=c0bca1722d6f9dfb654ad78397be70f79ff39af1
http://git.fedorahosted.org/cgit/sssd.git/patch/?id=6569d57e3bc168e6e83d70333b48c5cb43aa04c4
http://git.fedorahosted.org/cgit/sssd.git/patch/?id=6837eee3f7f81c0ee454d3718d67d7f3cc6b48ef
http://git.fedorahosted.org/cgit/sssd.git/patch/?id=7619be9f6bf649665fcbeee9e6b120f9f9cba2a5

The patches for the sssd-1-9 branch are available at:

http://git.fedorahosted.org/cgit/sssd.git/patch/?id=8b8019fe3dd1564fba657e219ec20ff816c7ffdb
http://git.fedorahosted.org/cgit/sssd.git/patch/?id=26590d31f492dbbd36be6d0bde46a4bd3b221edb
http://git.fedorahosted.org/cgit/sssd.git/patch/?id=754b09b5444e6da88ed58d6deaed8b815e268b6b
http://git.fedorahosted.org/cgit/sssd.git/patch/?id=b63830b142053f99bfe954d4be5a2b0f68ce3a93

_______________________________________________
Freeipa-interest mailing list
https://www.redhat.com/mailman/listinfo/freeipa-interest