Bug 2402727 (CVE-2025-11561)
| Summary: | CVE-2025-11561 sssd: SSSD default Kerberos configuration allows privilege escalation on AD-joined Linux systems | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | Keywords: | Security |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | --- | |
| Doc Text: |
A flaw was found in the integration of Active Directory and the System Security Services Daemon (SSSD) on Linux systems. In default configurations, the Kerberos local authentication plugin (sssd_krb5_localauth_plugin) is enabled, but a fallback to the an2ln plugin is possible. This fallback allows an attacker with permission to modify certain AD attributes (such as userPrincipalName or samAccountName) to impersonate privileged users, potentially resulting in unauthorized access or privilege escalation on domain-joined Linux hosts.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2402728 | ||
| Bug Blocks: | |||
|
Description
OSIDB Bzimport
2025-10-09 13:20:47 UTC
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2025:19610 https://access.redhat.com/errata/RHSA-2025:19610 This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Extended Lifecycle Support Via RHSA-2025:19847 https://access.redhat.com/errata/RHSA-2025:19847 This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions Via RHSA-2025:19850 https://access.redhat.com/errata/RHSA-2025:19850 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On Via RHSA-2025:19848 https://access.redhat.com/errata/RHSA-2025:19848 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions Red Hat Enterprise Linux 8.8 Telecommunications Update Service Via RHSA-2025:19853 https://access.redhat.com/errata/RHSA-2025:19853 This issue has been addressed in the following products: Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions Via RHSA-2025:19854 https://access.redhat.com/errata/RHSA-2025:19854 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions Red Hat Enterprise Linux 8.6 Telecommunications Update Service Via RHSA-2025:19849 https://access.redhat.com/errata/RHSA-2025:19849 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Advanced Update Support Via RHSA-2025:19859 https://access.redhat.com/errata/RHSA-2025:19859 This issue has been addressed in the following products: Red Hat Enterprise Linux 9.4 Extended Update Support Via RHSA-2025:19852 https://access.redhat.com/errata/RHSA-2025:19852 This issue has been addressed in the following products: Red Hat Enterprise Linux 10 Via RHSA-2025:19851 https://access.redhat.com/errata/RHSA-2025:19851 This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2025:20954 https://access.redhat.com/errata/RHSA-2025:20954 This issue has been addressed in the following products: Red Hat Enterprise Linux 10 Via RHSA-2025:21020 https://access.redhat.com/errata/RHSA-2025:21020 This issue has been addressed in the following products: Red Hat Enterprise Linux 9.6 Extended Update Support Via RHSA-2025:21067 https://access.redhat.com/errata/RHSA-2025:21067 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.14 Via RHSA-2025:21329 https://access.redhat.com/errata/RHSA-2025:21329 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.18 Via RHSA-2025:21795 https://access.redhat.com/errata/RHSA-2025:21795 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.20 Via RHSA-2025:22256 https://access.redhat.com/errata/RHSA-2025:22256 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.17 Via RHSA-2025:22265 https://access.redhat.com/errata/RHSA-2025:22265 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.19 Via RHSA-2025:22277 https://access.redhat.com/errata/RHSA-2025:22277 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.16 Via RHSA-2025:22724 https://access.redhat.com/errata/RHSA-2025:22724 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.15 Via RHSA-2025:23113 https://access.redhat.com/errata/RHSA-2025:23113 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.12 Via RHSA-2026:0316 https://access.redhat.com/errata/RHSA-2026:0316 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.13 Via RHSA-2026:0677 https://access.redhat.com/errata/RHSA-2026:0677 |