Red Hat Bugzilla – Bug 700867
CVE-2011-1758 sssd: automatic TGT renewal overwrites cached password with value of predicatable filename
Last modified: 2017-01-10 10:02:00 EST
A flaw was introduced in SSSD 1.5.0 that, under certain conditions, would have sssd overwrite a cached password with the filename of the kerberos credential store (defined by krb5_ccache_template in sssd.conf). This could allow an attacker to gain access to an account without knowing the password if they knew the cached-credential string.
This flaw does not affect earlier versions of SSSD that did not have support for automatic ticket renewal services.
Created sssd tracking bugs for this issue
Affects: fedora-all [bug 700891]
From Stephen Gallagher:
Ok, so here's an explanation of the security implications of this bug.
The automatic ticket renewal service in SSSD operates by providing the active
credential cache to the kerberos libraries in order to renew the user's TGT on
their behalf by using their existing credentials. Internally, SSSD treats this
as a standard authentication, which upon success will update the cached
credentials of the user.
The side-effect here is that the user's credentials in the context of this
renewal are actually the path to the credential cache file, instead of their
real password. So as a result, the user's cached credentials have now become a
The security issue is that this new cached-credential string is now
predictable. Another user on the local system would now be capable of logging
in as the first user by performing an 'ls /tmp' and seeing what the first
user's cache file is called.
The problem gets further complicated if the administrators has modified the
SSSD config option 'krb5_ccache_template' to remove the mkstemp() suffix. This
would then make the credential cache's name predictable to a network attacker
Note that this issue did not affect sssd packages released with Red Hat
Enterprise Linux 6.0. This issue was introduced as part of the rebase to newer
upstream sssd version which adds support for automatic kerberos TGT renewals.
This issue never affected released non-beta sssd packages in Red Hat Enterprise
Linux 6, and hence is not handled as security fix for RHEL-6.
Announcement of the sssd 1.5.7 release: