Bug 553631 - (CVE-2010-0014) CVE-2010-0014 SSSD accepts any password when offline with a valid TGT available
Status: MODIFIED
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: source=redhat,impact=moderate,reporte...
Keywords: Security
Depends On: 553233 553643
Blocks:
Reported: 2010-01-08 08:46 EST by Josh Bressers
Modified: 2015-09-07 01:47 EDT (History)
Fixed In Version: sssd-1.0.1-1.fc12
Doc Type: Bug Fix
Description Josh Bressers 2010-01-08 08:46:48 EST
Description of problem:
When sssd is configured to use Kerberos for authentication
(auth_provider = krb5 in a domain section) any password is accepted as
valid under the following conditions:

 - the system is offline, i.e. the KDC configured with the option
   krb5_kdcip cannot be reached
 - the user who tries to authenticate has a valid TGT for the Kerberos
   realm configured with the option krb5_realm in his credential cache
   file

Short term fix:
 - disable Kerberos authentication and use alternatives if possible


Version-Release number of selected component (if applicable):


How reproducible:
Every time

Steps to Reproduce:
1. Configure an SSSD system to authenticate against a Kerberos KDC
2. Log in as a user while SSSD is online.
3. Verify that the user has a valid TGT for the Kerberos realm.
4. Unplug the network cable.
5. Lock the display.
6. The user will be able to unlock the display with any password.
  
Additionally, this can make a system network-vulnerable, as if the SSSD is in the offline state (either the KDC or the identity server is unreachable), an attacker can log into any account that has a valid TGT.

Actual results:
Passwords are not properly verified against the cached credentials. Any password will be treated as a valid authentication.

Expected results:
Authentication should succeed with only the valid credentials.

Additional info:
The only current workaround for this problem is to disable Kerberos authentication on affected machines until a patched binary is available.
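Added example, not part of this report and not SSSD project code: a small Python audit that parses an sssd.conf, lists every domain section that meets the report's precondition (auth_provider = krb5, together with the krb5_realm and krb5_kdcip it names), and suppresses the finding once the installed package is at or past the upstream fix release 1.0.1. The configuration text, domain names, realm and KDC hostname are constructed placeholders. The version check assumes the package version string carries the upstream version (as the Fedora builds named in this bug do); a distribution that backports the fix under an older version number would still be flagged.

```python
"""Audit an sssd.conf for domains exposed to the offline-Kerberos condition
described in this report. Constructed example; not SSSD project code."""
import configparser
import re

# Upstream release that fixed the issue (see comment 3 of this bug).
FIXED_UPSTREAM = (1, 0, 1)

# Constructed sample configuration; names and hosts are placeholders.
SAMPLE_CONF = """
[sssd]
domains = EXAMPLE, LOCAL

[domain/EXAMPLE]
id_provider = ldap
auth_provider = krb5
krb5_realm = EXAMPLE.COM
krb5_kdcip = kdc.example.com

[domain/LOCAL]
id_provider = local
auth_provider = local
"""


def parse_version(version):
    """Return (major, minor, patch) from strings such as
    'sssd-1.0.1-1.fc12' or '1.0.0'. The first dotted triple is taken."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"cannot parse version: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_fixed_version(version):
    """True when the upstream version embedded in 'version' is >= 1.0.1."""
    return parse_version(version) >= FIXED_UPSTREAM


def krb5_auth_domains(conf_text):
    """Return one dict per [domain/...] section whose auth_provider is krb5,
    carrying the realm and KDC address the report's precondition refers to."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    found = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        provider = cp.get(section, "auth_provider", fallback="").strip().lower()
        if provider != "krb5":
            continue
        found.append({
            "domain": section.split("/", 1)[1],
            "realm": cp.get(section, "krb5_realm", fallback=None),
            "kdc": cp.get(section, "krb5_kdcip", fallback=None),
        })
    return found


def audit(conf_text, installed_version):
    """Return a list of human-readable findings; empty means nothing to report."""
    findings = []
    if is_fixed_version(installed_version):
        return findings
    for d in krb5_auth_domains(conf_text):
        findings.append(
            f"domain {d['domain']}: auth_provider=krb5 (realm {d['realm']}, "
            f"kdc {d['kdc']}) on unfixed sssd {installed_version}; while the KDC is "
            "unreachable any password is accepted for users holding a cached TGT"
        )
    return findings


if __name__ == "__main__":
    # Constructed installed version, one release before the fix.
    for finding in audit(SAMPLE_CONF, "sssd-1.0.0-1.fc12"):
        print("WARNING:", finding)
```

Run it against a real file by replacing SAMPLE_CONF with the contents of /etc/sssd/sssd.conf and the placeholder version with the output of the package manager's version query; a non-empty result is the set of domains for which the report's short-term workaround (switching auth_provider away from krb5) applies until the fixed package is installed.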
Comment 1 Josh Bressers 2010-01-08 09:04:12 EST
Fedora is being tracked via bug 553233
Comment 3 Tomas Hoger 2010-01-11 10:51:16 EST
Fixed now in upstream release 1.0.1:
  https://fedorahosted.org/sssd/wiki/Releases/Notes-1.0.1
Comment 4 Fedora Update System 2010-01-12 18:34:37 EST
sssd-1.0.1-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 5 Fedora Update System 2010-01-12 18:37:18 EST
sssd-1.0.1-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.