===============================================================================
= A security bug in SSSD 1.12 and later
=
= Subject:         Unsanitized input when searching in local cache database
=
= CVE ID#:         CVE-2017-12173
=
= Summary:         SSSD stores its cached data in an LDAP-like local database
=                  file using libldb. To look up cached data, LDAP search
=                  filters like '(objectClass=user)(name=user_name)' are used.
=                  However, in sysdb_search_user_by_upn_res(), the input is
=                  not sanitized, which allows the search filter used for
=                  cache lookups to be manipulated.
=
=                  This would allow a logged-in user to discover the password
=                  hash of a different user.
=
= Impact:          Moderate
=
= Affects default
= configuration:   When configured with tools like realmd or
=                  ipa-client-install
=
= Introduced with: 1.12.0
=
===============================================================================
==== DESCRIPTION ====

SSSD stores its cached data in an LDAP-like local database file using
libldb. To look up cached data, LDAP search filters like
'(objectClass=user)(name=user_name)' are used. However, in
sysdb_search_user_by_upn_res(), the input is not sanitized, which allows
the search filter used for cache lookups to be manipulated. This would
allow a logged-in user to discover the password hash of a different user.

While in the default configuration the sssd.conf parameter
'cache_credentials' is set to 'False', it is typically switched to 'True'
by tools like realmd or ipa-client-install to support offline
authentication.

To keep password hashes out of the cache, 'cache_credentials' should be set
to 'False' in all [domain/...] sections of sssd.conf. Additionally, the
already stored hashes must be removed, e.g. by calling

    ldbedit -H /var/lib/sss/db/cache_DOMAIN-NAME.ldb

for each configured domain and removing all 'cachedPassword' attributes.

==== PATCH AVAILABILITY ====

The patch is available at:

https://pagure.io/SSSD/sssd/c/1f2662c8f97c9c0fa250055d4b6750abfc6d0835?branch=master

_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
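The root cause above is a value from the caller being formatted straight into an ldb search filter. The following is an added example, not SSSD's code (SSSD ships its own helper for this purpose, sss_filter_sanitize(), which the linked fix applies; the function here is an independent illustration). It shows the unsanitized builder next to one that applies RFC 4515 escaping first, with the filter template taken from the pattern the advisory quotes; the attribute `name`, the helper names and the sample input are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example (not SSSD code): RFC 4515 escaping of an untrusted value
 * before it is spliced into an LDAP/ldb search filter. '(', ')', '*' and
 * '\' inside an assertion value become a backslash followed by the byte's
 * two hex digits, so the value can only match literally and can no longer
 * close the enclosing clause and append filter components of its own.
 * (A NUL byte would need escaping too, but cannot occur inside a C string.)
 * The caller owns the returned buffer. */
char *ldap_filter_escape(const char *in)
{
    static const char hex[] = "0123456789abcdef";
    size_t len = strlen(in);
    char *out = malloc(len * 3 + 1);   /* worst case: every byte becomes 3 */
    char *p = out;

    if (out == NULL) {
        return NULL;
    }
    for (const unsigned char *s = (const unsigned char *)in; *s != '\0'; s++) {
        if (*s == '(' || *s == ')' || *s == '*' || *s == '\\') {
            *p++ = '\\';
            *p++ = hex[*s >> 4];
            *p++ = hex[*s & 0x0f];
        } else {
            *p++ = (char)*s;
        }
    }
    *p = '\0';
    return out;
}

/* Filter template in the shape the advisory quotes; the second clause is
 * where the caller-controlled value lands. */
#define FILTER_TEMPLATE "(&(objectClass=user)(name=%s))"

/* Vulnerable pattern: the raw value is formatted straight into the filter. */
char *build_filter_unsafe(const char *name)
{
    size_t n = strlen(FILTER_TEMPLATE) + strlen(name) + 1;
    char *filter = malloc(n);
    if (filter != NULL) {
        snprintf(filter, n, FILTER_TEMPLATE, name);
    }
    return filter;
}

/* Hardened pattern: escape first, then format. */
char *build_filter_safe(const char *name)
{
    char *escaped = ldap_filter_escape(name);
    char *filter = NULL;
    if (escaped != NULL) {
        filter = build_filter_unsafe(escaped);
        free(escaped);
    }
    return filter;
}

int count_char(const char *s, char c)
{
    int n = 0;
    for (; *s != '\0'; s++) {
        if (*s == c) n++;
    }
    return n;
}

/* Structural check: the template opens and closes exactly three clauses.
 * Any other count means the value rewrote the filter's structure. */
int filter_shape_ok(const char *filter)
{
    return count_char(filter, '(') == 3 && count_char(filter, ')') == 3;
}

/* Compare a heap string with an expected value and release it. */
int str_eq_free(char *s, const char *expected)
{
    int eq = (s != NULL) && strcmp(s, expected) == 0;
    free(s);
    return eq;
}

int main(void)
{
    /* constructed input: a name carrying extra filter syntax */
    const char *input = "alice)(cachedPassword=*";
    char *unsafe = build_filter_unsafe(input);
    char *safe = build_filter_safe(input);

    printf("unsafe: %s  (shape ok: %d)\n", unsafe, filter_shape_ok(unsafe));
    printf("safe:   %s  (shape ok: %d)\n", safe, filter_shape_ok(safe));
    free(unsafe);
    free(safe);
    return 0;
}
```

The structural check is the useful part for a reviewer: a correctly escaped value can never change the number of clauses in the template, so a mismatch between the expected and actual clause count is a reliable sign that a value reached the filter unescaped.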
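The mitigation the advisory gives is a configuration change across every [domain/...] section, which is easy to get wrong on a host with several domains. The following is an added example, not SSSD code: a small scanner over sssd.conf text that reports each domain section where 'cache_credentials' is enabled. The sample configuration is constructed for the example; the INI layout it assumes (section headers in brackets, `key = value` lines, `#`/`;` comments) and the case-insensitive reading of the boolean are assumptions, and no real SSSD configuration parsing code is used.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Constructed sample sssd.conf for the example: one domain still caching
 * credentials, one already switched off, and a non-domain section. */
const char *SAMPLE_CONF =
    "[sssd]\n"
    "domains = example.com, corp.example\n"
    "services = nss, pam\n"
    "\n"
    "[domain/example.com]\n"
    "id_provider = ad\n"
    "# enabled by the join tool for offline logins\n"
    "cache_credentials = True\n"
    "\n"
    "[domain/corp.example]\n"
    "id_provider = ipa\n"
    "cache_credentials = False\n";

/* Strip leading blanks and trailing blanks/CR in place. */
static char *trim(char *s)
{
    size_t n;
    while (*s == ' ' || *s == '\t') s++;
    n = strlen(s);
    while (n > 0 && (s[n - 1] == ' ' || s[n - 1] == '\t' || s[n - 1] == '\r')) {
        s[--n] = '\0';
    }
    return s;
}

/* Walk the config text line by line. Returns the number of [domain/...]
 * sections whose cache_credentials value reads as true (compared
 * case-insensitively, an assumption of this example), printing each one.
 * Returns -1 on allocation failure. */
int domains_caching_credentials(const char *conf)
{
    char *copy = strdup(conf);          /* strtok_r modifies its input */
    char *save = NULL;
    char section[128] = "";
    int in_domain = 0;
    int hits = 0;

    if (copy == NULL) {
        return -1;
    }
    for (char *line = strtok_r(copy, "\n", &save); line != NULL;
         line = strtok_r(NULL, "\n", &save)) {
        char *s = trim(line);
        if (*s == '\0' || *s == '#' || *s == ';') {
            continue;                   /* blank or comment */
        }
        if (*s == '[') {                /* section header */
            char *end = strchr(s, ']');
            if (end != NULL) *end = '\0';
            snprintf(section, sizeof section, "%s", s + 1);
            in_domain = strncmp(section, "domain/", 7) == 0;
            continue;
        }
        if (!in_domain) {
            continue;                   /* only domain sections matter */
        }
        char *eq = strchr(s, '=');
        if (eq == NULL) {
            continue;
        }
        *eq = '\0';
        char *key = trim(s);
        char *val = trim(eq + 1);
        if (strcmp(key, "cache_credentials") == 0 && strcasecmp(val, "true") == 0) {
            printf("[%s] still caches credentials (cache_credentials = %s)\n",
                   section, val);
            hits++;
        }
    }
    free(copy);
    return hits;
}

int main(void)
{
    int n = domains_caching_credentials(SAMPLE_CONF);
    printf("%d domain section(s) need cache_credentials = False\n", n);
    return n > 0 ? 1 : 0;
}
```

A non-zero result means the configuration change alone is not finished; and even once every section reads 'False', the ldbedit step from the advisory is still required to remove 'cachedPassword' attributes that were written earlier.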