700867 – (CVE-2011-1758) CVE-2011-1758 sssd: automatic TGT renewal overwrites cached password with value of predicatable filename

Bug 700867 (CVE-2011-1758) - CVE-2011-1758 sssd: automatic TGT renewal overwrites cached password with value of predicatable filename

Summary: CVE-2011-1758 sssd: automatic TGT renewal overwrites cached password with val...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2011-1758
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	693818 700858 700891
Blocks:
TreeView+	depends on / blocked

Reported:	2011-04-29 16:23 UTC by Vincent Danen
Modified:	2019-09-29 12:44 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-01-10 15:02:00 UTC
Embargoed:

Attachments	(Terms of Use)

Description Vincent Danen 2011-04-29 16:23:53 UTC

A flaw was introduced in SSSD 1.5.0 that, under certain conditions, would have sssd overwrite a cached password with the filename of the kerberos credential store (defined by krb5_ccache_template  in sssd.conf).  This could allow an attacker to gain access to an account without knowing the password if they knew the cached-credential string.

This flaw does not affect earlier versions of SSSD that did not have support for automatic ticket renewal services.

Comment 1 Vincent Danen 2011-04-29 18:27:44 UTC

Created sssd tracking bugs for this issue

Affects: fedora-all [bug 700891]

Comment 2 Vincent Danen 2011-04-29 18:30:55 UTC

From Stephen Gallagher:

Ok, so here's an explanation of the security implications of this bug.

The automatic ticket renewal service in SSSD operates by providing the active
credential cache to the kerberos libraries in order to renew the user's TGT on
their behalf by using their existing credentials. Internally, SSSD treats this
as a standard authentication, which upon success will update the cached
credentials of the user.

The side-effect here is that the user's credentials in the context of this
renewal are actually the path to the credential cache file, instead of their
real password. So as a result, the user's cached credentials have now become a
different string.

The security issue is that this new cached-credential string is now
predictable. Another user on the local system would now be capable of logging
in as the first user by performing an 'ls /tmp' and seeing what the first
user's cache file is called.

The problem gets further complicated if the administrators has modified the
SSSD config option 'krb5_ccache_template' to remove the mkstemp() suffix. This
would then make the credential cache's name predictable to a network attacker
as well.

Comment 3 Vincent Danen 2011-04-29 18:31:14 UTC

Note that this issue did not affect sssd packages released with Red Hat
Enterprise Linux 6.0.  This issue was introduced as part of the rebase to newer
upstream sssd version which adds support for automatic kerberos TGT renewals.

This issue never affected released non-beta sssd packages in Red Hat Enterprise
Linux 6, and hence is not handled as security fix for RHEL-6.

Comment 4 Vincent Danen 2011-04-29 18:32:03 UTC

Additional references:

https://fedorahosted.org/sssd/ticket/838
http://git.fedorahosted.org/git/?p=sssd.git;a=commitdiff;h=fffdae81651b460f3d2c119c56d5caa09b4de42a

Comment 5 Tomas Hoger 2011-04-29 19:26:51 UTC

Announcement of the sssd 1.5.7 release:
https://fedorahosted.org/pipermail/sssd-devel/2011-April/006138.html

Note You need to log in before you can comment on or make changes to this bug.