=============== A security bug in SSSD 1.12 and later =========================
=
= Subject:        Unsanitized input when searching in local cache database
=
= CVE ID#:        CVE-2017-12173
=
= Summary:        SSSD stores its cached data in an LDAP-like local database
=                 file using libldb. To look up cached data, LDAP search
=                 filters like '(objectClass=user)(name=user_name)' are used.
=                 However, in sysdb_search_user_by_upn_res(), the input is
=                 not sanitized, which allows the search filter for cache
=                 lookups to be manipulated.
=
=                 This would allow a logged-in user to discover the password
=                 hash of a different user.
=
= Impact:         Moderate
=
= Affects default
= configuration:  When configured with tools like realmd or
=                 ipa-client-install
=
= Introduced with: 1.12.0
=
==============================================================================
==== DESCRIPTION ====
SSSD stores its cached data in an LDAP-like local database file using libldb. To look up cached data, LDAP search filters like '(objectClass=user)(name=user_name)' are used. However, in sysdb_search_user_by_upn_res(), the input is not sanitized, which allows the search filter for cache lookups to be manipulated.
This would allow a logged-in user to discover the password hash of a different user.
While in the default configuration the sssd.conf parameter 'cache_credentials' is set to 'False', it is typically switched to 'True' by tools like realmd or ipa-client-install to support offline authentication.
To remove only the password hashes from the cache, 'cache_credentials' should be set to 'False' in all [domain/...] sections of sssd.conf. Additionally, the already stored hashes must be removed, e.g. by calling
ldbedit -H /var/lib/sss/db/cache_DOMAIN-NAME.ldb
for each configured domain and removing all 'cachedPassword' attributes.
==== PATCH AVAILABILITY ====
The patch is available at: https://pagure.io/SSSD/sssd/c/1f2662c8f97c9c0fa250055d4b6750abfc6d0835?branc...
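The class of bug described in the advisory, shown as an added example (this is not SSSD's code and not the patch): a value pasted into an LDAP filter unescaped can change the filter's structure, while RFC 4515 escaping keeps it fixed. The function names, the "(&...)" wrapper around the advisory's sample filter and the input string are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Filter shaped like the advisory's sample; not the real SSSD filter. */
#define FILTER_FMT "(&(objectClass=user)(name=%s))"

/* Escape a value for an LDAP search filter as RFC 4515 requires:
 * '*', '(', ')' and '\' become a backslash plus two hex digits.
 * Returns a malloc'd string (caller frees) or NULL on allocation failure. */
char *filter_escape(const char *in)
{
    char *out = malloc(strlen(in) * 3 + 1);   /* worst case: all escaped */
    char *p = out;

    if (out == NULL) return NULL;
    for (; *in != '\0'; in++) {
        if (strchr("*()\\", *in) != NULL)
            p += sprintf(p, "\\%02x", (unsigned char)*in);
        else
            *p++ = *in;
    }
    *p = '\0';
    return out;
}

/* sanitize=0 reproduces the unsafe pattern (raw input placed in the
 * filter) for comparison; sanitize=1 escapes the value first. */
char *build_filter(const char *value, int sanitize)
{
    char *esc = sanitize ? filter_escape(value) : NULL;
    const char *val = sanitize ? esc : value;
    char *filter = NULL;

    if (val != NULL) {
        size_t n = strlen(val) + sizeof(FILTER_FMT);
        filter = malloc(n);
        if (filter != NULL) snprintf(filter, n, FILTER_FMT, val);
    }
    free(esc);
    return filter;
}

/* Count '(' in a filter. With escaping the count never depends on the
 * input, because every '(' in the value is emitted as "\28". */
int open_parens(const char *filter)
{
    int n = 0;
    for (; *filter != '\0'; filter++) if (*filter == '(') n++;
    return n;
}
```

For the constructed input `a*(b)\c`, the escaped filter keeps its three opening parentheses and the wildcard is matched literally; the unescaped one gains a fourth parenthesis and a live wildcard.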
Will the COPR repos be republished?
------ "The antidote to apocalypticism is *apocalyptic civics*. Apocalyptic civics is the insistence that we cannot ignore the truth, nor should we panic about it. It is a shared consciousness that our institutions have failed and our ecosystem is collapsing, yet we are still here — and we are creative agents who can shape our destinies. Apocalyptic civics is the conviction that the only way out is through, and the only way through is together. "
*Greg Bloom* @greggish https://twitter.com/greggish/status/873177525903609857
On 12 October 2017 at 02:41, Sumit Bose sbose@redhat.com wrote:
The patch is available at: https://pagure.io/SSSD/sssd/c/1f2662c8f97c9c0fa250055d4b6750abfc6d0835?branch=master
CentOS 7, 1.15.3 - thank you all!
On 12 October 2017 at 23:56, Lukas Slebodnik lslebodn@redhat.com wrote:
On (12/10/17 08:41), Lachlan Musicman wrote:
Will the COPR repos be republished?
I can update them.
Which one do you use?
LS
On 13 October 2017 at 22:51, Lukas Slebodnik lslebodn@redhat.com wrote:
On (13/10/17 08:00), Lachlan Musicman wrote:
CentOS 7, 1.15.3 - thank you all!
Done
And applied. Thanks again - really appreciate the work you all do!
cheers L.