Bug 700867 - (CVE-2011-1758) sssd: automatic TGT renewal overwrites cached password with value of predictable filename
Product: Security Response
Classification: Other
Component: vulnerability
All Linux
Priority: medium  Severity: medium
Assigned To: Red Hat Product Security
Depends On: 693818 700858 700891
Reported: 2011-04-29 12:23 EDT by Vincent Danen
Modified: 2017-01-10 10:02 EST (History)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Last Closed: 2017-01-10 10:02:00 EST
Description Vincent Danen 2011-04-29 12:23:53 EDT
A flaw was introduced in SSSD 1.5.0 that, under certain conditions, would have sssd overwrite a cached password with the filename of the Kerberos credential store (defined by krb5_ccache_template in sssd.conf). This could allow an attacker to gain access to an account without knowing the password if they knew the cached-credential string.

This flaw does not affect earlier versions of SSSD that did not have support for automatic ticket renewal services.
Comment 1 Vincent Danen 2011-04-29 14:27:44 EDT
Created sssd tracking bugs for this issue

Affects: fedora-all [bug 700891]
Comment 2 Vincent Danen 2011-04-29 14:30:55 EDT
From Stephen Gallagher:

Ok, so here's an explanation of the security implications of this bug.

The automatic ticket renewal service in SSSD operates by providing the active
credential cache to the Kerberos libraries in order to renew the user's TGT on
their behalf by using their existing credentials. Internally, SSSD treats this
as a standard authentication, which upon success will update the cached
credentials of the user.

The side-effect here is that the user's credentials in the context of this
renewal are actually the path to the credential cache file, instead of their
real password. So as a result, the user's cached credentials have now become a
different string.

The security issue is that this new cached-credential string is now
predictable. Another user on the local system would now be capable of logging
in as the first user by performing an 'ls /tmp' and seeing what the first
user's cache file is called.

The problem gets further complicated if the administrator has modified the
SSSD config option 'krb5_ccache_template' to remove the mkstemp() suffix. This
would then make the credential cache's name predictable to a network attacker
as well.
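A model of the mechanism Stephen Gallagher describes, added here as an example and not SSSD's own code: the cache update that runs after any successful Kerberos authentication, once with the flawed behaviour and once with renewals excluded from the update. The hashing scheme, the user `alice`, the password and the ccache path are all constructed for the example.

```python
import hashlib
import hmac
import secrets


def _hash_secret(secret: str, salt: bytes) -> bytes:
    # Stand-in for SSSD's cached-password hashing; the exact scheme is not the point.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 20_000)


class CredentialCache:
    """Offline credential cache: one salted hash of the last accepted secret per user."""

    def __init__(self):
        self._entries = {}

    def store(self, user, secret):
        salt = secrets.token_bytes(16)
        self._entries[user] = (salt, _hash_secret(secret, salt))

    def offline_auth(self, user, secret):
        entry = self._entries.get(user)
        if entry is None:
            return False
        salt, digest = entry
        return hmac.compare_digest(digest, _hash_secret(secret, salt))


def on_auth_success(cache, user, secret, is_tgt_renewal, fixed):
    """Runs after the Kerberos library accepted `secret`. On a TGT renewal, `secret`
    is the ccache path rather than the password: the vulnerable path caches it
    anyway, while the fixed path leaves the cached password untouched."""
    if is_tgt_renewal and fixed:
        return
    cache.store(user, secret)


def simulate(fixed):
    """Password login followed by one automatic renewal; report what the cache accepts."""
    cache = CredentialCache()
    user = "alice"
    password = "correct horse battery staple"  # constructed sample password
    ccache_path = "/tmp/krb5cc_1000_XXqRzt"     # constructed krb5_ccache_template expansion
    on_auth_success(cache, user, password, is_tgt_renewal=False, fixed=fixed)
    on_auth_success(cache, user, ccache_path, is_tgt_renewal=True, fixed=fixed)
    return {
        "password_accepted": cache.offline_auth(user, password),
        "ccache_path_accepted": cache.offline_auth(user, ccache_path),
    }
```

With `fixed=False` the renewal replaces the cached password with the ccache path, which is the condition the comment describes; with `fixed=True` the original password remains the only accepted secret.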
Comment 3 Vincent Danen 2011-04-29 14:31:14 EDT
Note that this issue did not affect sssd packages released with Red Hat
Enterprise Linux 6.0.  This issue was introduced as part of the rebase to newer
upstream sssd version which adds support for automatic Kerberos TGT renewals.

This issue never affected released non-beta sssd packages in Red Hat Enterprise
Linux 6, and hence is not handled as a security fix for RHEL-6.
Comment 5 Tomas Hoger 2011-04-29 15:26:51 EDT
Announcement of the sssd 1.5.7 release:
