It was reported [1] that SSSD improperly expanded group membership when it encountered a non-POSIX group in the group membership chain. For instance:

user -> posix_group1 -> non_posix_group -> posix_group2

With the group memberships noted above, SSSD should include the user as a member of both posix_group1 and posix_group2; however, due to the position of the non-POSIX group, SSSD halts processing at it and never reaches posix_group2, leaving the user as a member of posix_group1 and not posix_group2.

SSSD has the capability to set a 'deny' ACL for both users and groups, so in a situation like that illustrated above, if posix_group2 was present in a 'deny' ACL, the user would be granted access because they are not shown as having membership in the denied group. This could grant unintended access to certain users in an environment where non-POSIX groups are used in addition to POSIX groups.

There is currently no patch to correct this issue.

[1] https://lists.fedorahosted.org/pipermail/sssd-devel/2014-May/019495.html
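The following is an added illustration, not part of the original report and not SSSD code: a small Python model of the membership chain above, showing how halting at the non-POSIX group changes the outcome of a 'deny' check on posix_group2. The data layout and the function names `resolve` and `access_allowed` are assumptions made for this example.

```python
from collections import deque

# Constructed directory: group -> (is_posix, next groups in the membership chain)
GROUPS = {
    "posix_group1": (True, ["non_posix_group"]),
    "non_posix_group": (False, ["posix_group2"]),
    "posix_group2": (True, []),
}
USER_DIRECT = {"user": ["posix_group1"]}  # constructed direct membership


def resolve(user, stop_at_non_posix):
    """Return the POSIX groups a user belongs to, following the chain.

    stop_at_non_posix=True models the reported behaviour: traversal halts
    at a non-POSIX group. False walks through it without reporting it.
    """
    seen, result = set(), set()
    queue = deque(USER_DIRECT.get(user, []))
    while queue:
        name = queue.popleft()
        if name in seen or name not in GROUPS:
            continue  # guards against membership loops and dangling names
        seen.add(name)
        is_posix, nested = GROUPS[name]
        if is_posix:
            result.add(name)
        elif stop_at_non_posix:
            continue  # chain is cut here; posix_group2 is never visited
        queue.extend(nested)
    return result


def access_allowed(user, denied_groups, stop_at_non_posix):
    """Deny-list check: refuse access if any resolved group is denied."""
    return not (resolve(user, stop_at_non_posix) & set(denied_groups))


if __name__ == "__main__":
    for buggy in (True, False):
        label = "halts at non-POSIX" if buggy else "full expansion"
        verdict = access_allowed("user", ["posix_group2"], buggy)
        print(label, sorted(resolve("user", buggy)),
              "allowed" if verdict else "denied")
```

On a live system, comparing the output of `id <user>` with the group memberships recorded in the directory shows whether a group beyond a non-POSIX link is missing from the resolved list.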
Created sssd tracking bugs for this issue:

Affects: fedora-all [bug 1101756]
Statement:

This issue affects the version of the sssd package as shipped with Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this issue as having Low security impact; a future update may address this flaw.
Upstream bug:
https://fedorahosted.org/sssd/ticket/2343

Fixed upstream in version 1.11.7:
https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.7

Upstream commits:
https://git.fedorahosted.org/cgit/sssd.git/commit/?id=0b6b4b7669b46d3d0b0ebefbc0e1621965444717
https://git.fedorahosted.org/cgit/sssd.git/commit/?id=4da27d52078497c5c095f4a4cd9975fe5c83c330
https://git.fedorahosted.org/cgit/sssd.git/commit/?id=191d7f7ce3de10d9e19eaa0a6ab3319bcd4ca95d
This issue was already fixed in sssd updates in Red Hat Enterprise Linux 6 (in 6.6, via RHBA-2014:1375) and Red Hat Enterprise Linux 7 (in 7.1, via RHBA-2015:0441).

https://rhn.redhat.com/errata/RHBA-2014-1375.html
https://rhn.redhat.com/errata/RHBA-2015-0441.html