To mitigate, could one make the cache only readable by root, which I thought would be the default?
On Oct 11, 2017 5:43 PM, "Lachlan Musicman" <[email protected]> wrote:

> Will the COPR repos be republished?
>
> ------
> "The antidote to apocalypticism is *apocalyptic civics*. Apocalyptic civics is the insistence that we cannot ignore the truth, nor should we panic about it. It is a shared consciousness that our institutions have failed and our ecosystem is collapsing, yet we are still here — and we are creative agents who can shape our destinies. Apocalyptic civics is the conviction that the only way out is through, and the only way through is together."
> *Greg Bloom* @greggish https://twitter.com/greggish/status/873177525903609857
>
> On 12 October 2017 at 02:41, Sumit Bose <[email protected]> wrote:
>
> > =============== A security bug in SSSD 1.12 and later ==========================
> > =
> > = Subject:        Unsanitized input when searching in local cache database
> > =
> > = CVE ID#:        CVE-2017-12173
> > =
> > = Summary:        SSSD stores its cached data in an LDAP-like local database
> > =                 file using libldb. To look up cached data, LDAP search
> > =                 filters like '(objectClass=user)(name=user_name)' are used.
> > =                 However, in sysdb_search_user_by_upn_res(), the input is
> > =                 not sanitized and allows manipulating the search filter
> > =                 for cache lookups.
> > =
> > =                 This would allow a logged-in user to discover the password
> > =                 hash of a different user.
> > =
> > = Impact:         Moderate
> > =
> > = Affects default
> > = configuration:  When configured with tools like realmd or
> > =                 ipa-client-install
> > =
> > = Introduced with: 1.12.0
> > =
> > ==============================================================================
> >
> > ==== DESCRIPTION ====
> >
> > SSSD stores its cached data in an LDAP-like local database file using libldb.
> > To look up cached data, LDAP search filters like
> > '(objectClass=user)(name=user_name)' are used. However, in
> > sysdb_search_user_by_upn_res(), the input is not sanitized and allows
> > manipulating the search filter for cache lookups.
> >
> > This would allow a logged-in user to discover the password hash of a
> > different user.
> >
> > While in the default configuration the sssd.conf parameter
> > 'cache_credentials' is set to 'False', it is typically switched to 'True'
> > by tools like realmd or ipa-client-install to support offline
> > authentication.
> >
> > To remove the password hashes from the cache, 'cache_credentials' should be
> > set to 'False' in all [domain/...] sections of sssd.conf. Additionally, the
> > already stored hashes must be removed, e.g. by calling
> >
> >     ldbedit -H /var/lib/sss/db/cache_DOMAIN-NAME.ldb
> >
> > for each configured domain and removing all 'cachedPassword' attributes.
> >
> > ==== PATCH AVAILABILITY ====
> >
> > The patch is available at:
> > https://pagure.io/SSSD/sssd/c/1f2662c8f97c9c0fa250055d4b6750abfc6d0835?branch=master
> >
> > _______________________________________________
> > sssd-users mailing list -- [email protected]
> > To unsubscribe send an email to [email protected]
_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
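The defect class the advisory describes is a caller-supplied value pasted into an LDAP search filter without escaping, so that filter metacharacters in the value change the structure of the query. The following is an added illustration written for this page of the generic countermeasure, RFC 4515 filter-value escaping, in C. It is not SSSD's code and not the SSSD patch linked above; the function names, the `(&(objectClass=user)(<attr>=<value>))` template, the `name` attribute and the sample value `O'Brien (admin)*` are assumptions constructed for the example. The unsafe builder is kept only so the two results can be compared.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Escape one value for use inside an LDAP search filter (RFC 4515, section 3).
 * The metacharacters '*', '(', ')' and '\' are replaced by "\xx" hex escapes so
 * the value cannot terminate or extend the filter it is embedded in.
 * Returns a malloc'd string the caller must free, or NULL on allocation failure. */
char *ldap_filter_escape(const char *value)
{
    size_t len = strlen(value);
    char *out = malloc(len * 3 + 1);   /* worst case: every byte becomes "\xx" */
    if (out == NULL) {
        return NULL;
    }
    char *p = out;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)value[i];
        switch (c) {
        case '*':
        case '(':
        case ')':
        case '\\':
            p += sprintf(p, "\\%02x", c);
            break;
        default:
            *p++ = (char)c;
        }
    }
    *p = '\0';
    return out;
}

/* Hypothetical unsafe lookup helper (constructed for this example): the raw
 * value is pasted into the filter, which is the defect pattern the advisory
 * describes. Kept only for comparison with the hardened version below. */
char *build_user_filter_unsafe(const char *attr, const char *raw_value)
{
    size_t n = strlen(attr) + strlen(raw_value) + 32;
    char *filter = malloc(n);
    if (filter != NULL) {
        snprintf(filter, n, "(&(objectClass=user)(%s=%s))", attr, raw_value);
    }
    return filter;
}

/* Hardened version: the value is escaped before it reaches the filter. */
char *build_user_filter(const char *attr, const char *raw_value)
{
    char *esc = ldap_filter_escape(raw_value);
    if (esc == NULL) {
        return NULL;
    }
    size_t n = strlen(attr) + strlen(esc) + 32;
    char *filter = malloc(n);
    if (filter != NULL) {
        snprintf(filter, n, "(&(objectClass=user)(%s=%s))", attr, esc);
    }
    free(esc);
    return filter;
}

/* Count '(' characters that are not part of a "\xx" escape. For the template
 * used above the result must be 3 regardless of what the caller supplied; a
 * larger count means the input altered the filter's structure. */
int count_unescaped_open_parens(const char *filter)
{
    int n = 0;
    for (const char *p = filter; *p != '\0'; p++) {
        if (*p == '\\' && p[1] != '\0') {
            p++;            /* skip the byte following the backslash */
            continue;
        }
        if (*p == '(') {
            n++;
        }
    }
    return n;
}

int main(void)
{
    /* Constructed sample value: legitimate names can contain filter metacharacters. */
    const char *sample = "O'Brien (admin)*";
    char *unsafe = build_user_filter_unsafe("name", sample);
    char *safe = build_user_filter("name", sample);
    if (unsafe == NULL || safe == NULL) {
        return 1;
    }
    printf("unsafe: %s  (components: %d)\n", unsafe, count_unescaped_open_parens(unsafe));
    printf("safe:   %s  (components: %d)\n", safe, count_unescaped_open_parens(safe));
    free(unsafe);
    free(safe);
    return 0;
}
```

The paren counter stands in for the check a reviewer would apply to any filter-building code path: the number of filter components must depend only on the template, never on the data. Where a library already offers a filter-escaping routine, use it rather than a hand-written one; the function above exists only to make the transformation visible.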
