A flaw was introduced in SSSD 1.5.0 that, under certain conditions, would have sssd overwrite a cached password with the filename of the kerberos credential store (defined by krb5_ccache_template in sssd.conf). This could allow an attacker to gain access to an account without knowing the password if they knew the cached-credential string. This flaw does not affect earlier versions of SSSD that did not have support for automatic ticket renewal services.
Created sssd tracking bugs for this issue
Affects: fedora-all [bug 700891]
From Stephen Gallagher:

Ok, so here's an explanation of the security implications of this bug.

The automatic ticket renewal service in SSSD operates by providing the active credential cache to the Kerberos libraries in order to renew the user's TGT on their behalf by using their existing credentials. Internally, SSSD treats this as a standard authentication, which upon success will update the cached credentials of the user.

The side-effect here is that the user's credentials in the context of this renewal are actually the path to the credential cache file, instead of their real password. So as a result, the user's cached credentials have now become a different string.

The security issue is that this new cached-credential string is now predictable. Another user on the local system would now be capable of logging in as the first user by performing an 'ls /tmp' and seeing what the first user's cache file is called.

The problem gets further complicated if the administrator has modified the SSSD config option 'krb5_ccache_template' to remove the mkstemp() suffix. This would then make the credential cache's name predictable to a network attacker as well.
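A configuration audit for the two conditions described in the comment above, as an added example that is not part of the bug report or of SSSD itself. It assumes the sssd-krb5 man page semantics: a `krb5_ccache_template` ending in `XXXXXX` gets a mkstemp() suffix, a non-zero `krb5_renew_interval` enables automatic renewal, and the default template shown is the one for this SSSD series; the sample configuration and domain names are constructed.

```python
import configparser

# Constructed sample sssd.conf (not from the bug report); domain names are made up.
SAMPLE_CONF = """
[sssd]
domains = SAFE, RISKY

[domain/SAFE]
auth_provider = krb5
cache_credentials = true
krb5_renew_interval = 60
krb5_ccache_template = FILE:%d/krb5cc_%U_XXXXXX

[domain/RISKY]
auth_provider = krb5
cache_credentials = True
krb5_renew_interval = 60
krb5_ccache_template = FILE:%d/krb5cc_%U
"""

# Assumed default template (per the sssd-krb5 man page), used when the option is unset.
DEFAULT_TEMPLATE = "FILE:%d/krb5cc_%U_XXXXXX"


def audit_sssd_conf(text):
    """Return {domain: [findings]} for every [domain/...] section in an sssd.conf string."""
    # interpolation=None: templates contain literal %d / %U sequences.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    report = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        dom = cp[section]
        findings = []
        template = dom.get("krb5_ccache_template", DEFAULT_TEMPLATE).strip()
        caches = dom.get("cache_credentials", "false").strip().lower() == "true"
        renews = dom.get("krb5_renew_interval", "0").strip() not in ("", "0")
        if not template.endswith("XXXXXX"):
            findings.append("ccache name has no mkstemp() suffix: predictable")
        if caches and renews:
            findings.append("automatic renewal with cached credentials: "
                            "configuration this bug applies to on affected versions")
        report[section.split("/", 1)[1]] = findings
    return report


if __name__ == "__main__":
    for domain, findings in audit_sssd_conf(SAMPLE_CONF).items():
        print(domain, findings or ["no findings"])
```
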
Note that this issue did not affect sssd packages released with Red Hat Enterprise Linux 6.0. This issue was introduced as part of the rebase to a newer upstream sssd version, which adds support for automatic Kerberos TGT renewals. This issue never affected released non-beta sssd packages in Red Hat Enterprise Linux 6, and hence is not handled as a security fix for RHEL-6.
Additional references:
https://fedorahosted.org/sssd/ticket/838
http://git.fedorahosted.org/git/?p=sssd.git;a=commitdiff;h=fffdae81651b460f3d2c119c56d5caa09b4de42a
Announcement of the sssd 1.5.7 release: https://fedorahosted.org/pipermail/sssd-devel/2011-April/006138.html