To mitigate could one make the cache only readable by root which I thought would be the default?
On Oct 11, 2017 5:43 PM, "Lachlan Musicman" datakid@gmail.com wrote:
Will the COPR repos be republished?
------
"The antidote to apocalypticism is *apocalyptic civics*. Apocalyptic civics is the insistence that we cannot ignore the truth, nor should we panic about it. It is a shared consciousness that our institutions have failed and our ecosystem is collapsing, yet we are still here — and we are creative agents who can shape our destinies. Apocalyptic civics is the conviction that the only way out is through, and the only way through is together."
*Greg Bloom* @greggish https://twitter.com/greggish/status/873177525903609857
On 12 October 2017 at 02:41, Sumit Bose sbose@redhat.com wrote:
============================================================
A security bug in SSSD 1.12 and later

Subject: Unsanitized input when searching in local cache database
CVE ID#: CVE-2017-12173
Summary: SSSD stores its cached data in an LDAP-like local database file using libldb. To look up cached data, LDAP search filters like '(objectClass=user)(name=user_name)' are used. However, in sysdb_search_user_by_upn_res(), the input is not sanitized and allows manipulating the search filter for cache lookups. This would allow a logged in user to discover the password hash of a different user.
Impact: Moderate
Affects default configuration: When configured with tools like realmd or ipa-client-install
Introduced with: 1.12.0
============================================================
==== DESCRIPTION ====
SSSD stores its cached data in an LDAP-like local database file using libldb. To look up cached data, LDAP search filters like '(objectClass=user)(name=user_name)' are used. However, in sysdb_search_user_by_upn_res(), the input is not sanitized and allows manipulating the search filter for cache lookups.
This would allow a logged in user to discover the password hash of a different user.
While in the default configuration the sssd.conf parameter 'cache_credentials' is set to 'False', it is typically switched to 'True' by tools like realmd or ipa-client-install to support offline authentication.
To remove only the password hashes from the cache, 'cache_credentials' should be set to 'False' in all [domain/...] sections of sssd.conf. Additionally, the already stored hashes must be removed, e.g. by calling

    ldbedit -H /var/lib/sss/db/cache_DOMAIN-NAME.ldb

for each configured domain and removing all 'cachedPassword' attributes.
==== PATCH AVAILABILITY ====
The patch is available at: https://pagure.io/SSSD/sssd/c/1f2662c8f97c9c0fa250055d4b6750abfc6d0835?branch=master
sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
On Wed, Oct 11, 2017 at 06:03:27PM -0400, Douglas Duckworth wrote:
To mitigate could one make the cache only readable by root which I thought would be the default?
Yes, the cache file is only readable as root. But it is read by SSSD components running as root as well.
bye, Sumit
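An added audit check, not part of this thread or of SSSD itself, for the two mitigation points the advisory names: it parses sssd.conf for [domain/...] sections that still set cache_credentials to True, and scans an LDIF dump of a cache file (as ldbsearch -H prints it) for entries that still carry a cachedPassword attribute. Both inputs are constructed samples; the hash value is a placeholder.

```python
import configparser
import re

# Constructed sample sssd.conf (not taken from a real deployment).
SAMPLE_SSSD_CONF = """\
[sssd]
domains = example.com, lab.local
services = nss, pam

[domain/example.com]
id_provider = ad
cache_credentials = True

[domain/lab.local]
id_provider = ldap
cache_credentials = False
"""

# Constructed LDIF resembling an ldbsearch dump of cache_DOMAIN-NAME.ldb;
# the cachedPassword value is a placeholder, not a real hash.
SAMPLE_LDIF = """\
dn: name=alice@example.com,cn=users,cn=example.com,cn=sysdb
objectClass: user
name: alice@example.com
cachedPassword: $6$PLACEHOLDER$notarealhash
cachedPasswordType: 1

dn: name=bob@example.com,cn=users,cn=example.com,cn=sysdb
objectClass: user
name: bob@example.com
"""


def domains_caching_credentials(conf_text):
    """Return the [domain/...] sections whose cache_credentials is true."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return [s for s in cp.sections()
            if s.startswith("domain/")
            and cp.getboolean(s, "cache_credentials", fallback=False)]


def entries_with_cached_password(ldif_text):
    """Return the DNs of LDIF entries still carrying a cachedPassword attribute."""
    dns = []
    for entry in re.split(r"\n\s*\n", ldif_text.strip()):
        lines = entry.splitlines()
        dn = next((l[4:] for l in lines if l.startswith("dn: ")), None)
        # Match the attribute name exactly, so cachedPasswordType does not count.
        if dn and any(l.lower().startswith("cachedpassword:") for l in lines):
            dns.append(dn)
    return dns
```

Domains reported by the first function still need cache_credentials set to False; DNs reported by the second still need their cachedPassword attribute removed with ldbedit.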