Bug 700867 (CVE-2011-1758) - CVE-2011-1758 sssd: automatic TGT renewal overwrites cached password with value of predictable filename
Summary: CVE-2011-1758 sssd: automatic TGT renewal overwrites cached password with val...
Alias: CVE-2011-1758
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 693818 700858 700891
Reported: 2011-04-29 16:23 UTC by Vincent Danen
Modified: 2019-09-29 12:44 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2017-01-10 15:02:00 UTC


Description Vincent Danen 2011-04-29 16:23:53 UTC
A flaw was introduced in SSSD 1.5.0 that, under certain conditions, would have sssd overwrite a cached password with the filename of the kerberos credential store (defined by krb5_ccache_template in sssd.conf).  This could allow an attacker to gain access to an account without knowing the password if they knew the cached-credential string.

This flaw does not affect earlier versions of SSSD that did not have support for automatic ticket renewal services.

Comment 1 Vincent Danen 2011-04-29 18:27:44 UTC
Created sssd tracking bugs for this issue

Affects: fedora-all [bug 700891]

Comment 2 Vincent Danen 2011-04-29 18:30:55 UTC
From Stephen Gallagher:

Ok, so here's an explanation of the security implications of this bug.

The automatic ticket renewal service in SSSD operates by providing the active
credential cache to the kerberos libraries in order to renew the user's TGT on
their behalf by using their existing credentials. Internally, SSSD treats this
as a standard authentication, which upon success will update the cached
credentials of the user.

The side-effect here is that the user's credentials in the context of this
renewal are actually the path to the credential cache file, instead of their
real password. So as a result, the user's cached credentials have now become a
different string.

The security issue is that this new cached-credential string is now
predictable. Another user on the local system would now be capable of logging
in as the first user by performing an 'ls /tmp' and seeing what the first
user's cache file is called.

The problem gets further complicated if the administrator has modified the
SSSD config option 'krb5_ccache_template' to remove the mkstemp() suffix. This
would then make the credential cache's name predictable to a network attacker
as well.
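The flow Stephen describes above, modelled as an added example (this is not SSSD's code and not part of the bug report): an offline credential cache that stores a hash of the user's last good password, a flawed renewal path that writes the expanded credential-cache name into that cache as if it were the password, and an attacker who either lists /tmp locally or has to guess the name remotely. The hash scheme, function names, the sample user, the constructed /tmp listing and the exact string cached (the full expanded template, "FILE:" prefix included) are assumptions of this model; the two krb5_ccache_template values are the two shapes the comment contrasts, with and without the mkstemp() suffix.

```python
"""Model of the CVE-2011-1758 cache-poisoning flow (added example, not SSSD code)."""
import hashlib
import os
import random
import re
import string

# Alphabet glibc mkstemp(3) draws the 6 replacement characters from (62 symbols).
MKSTEMP_CHARS = string.ascii_letters + string.digits


def expand_template(template, uid, user, rng):
    """Expand an sssd krb5_ccache_template: %U -> uid, %u -> username, and a
    trailing XXXXXX is filled in mkstemp-style.  rng is injected so the
    result is reproducible in this model."""
    path = template.replace("%U", str(uid)).replace("%u", user)
    if path.endswith("XXXXXX"):
        path = path[:-6] + "".join(rng.choice(MKSTEMP_CHARS) for _ in range(6))
    return path


def candidate_space(template):
    """How many names an attacker who cannot list /tmp would have to try."""
    return len(MKSTEMP_CHARS) ** 6 if template.endswith("XXXXXX") else 1


class OfflineCache:
    """Stand-in for SSSD's cached-credential store (salted SHA-512 here;
    SSSD's real on-disk format is an assumption not modelled)."""

    def __init__(self):
        self._entries = {}

    def store(self, user, secret):
        salt = os.urandom(16)
        self._entries[user] = (salt, hashlib.sha512(salt + secret.encode()).digest())

    def check(self, user, candidate):
        if user not in self._entries:
            return False
        salt, digest = self._entries[user]
        return hashlib.sha512(salt + candidate.encode()).digest() == digest


def renew_tgt_flawed(cache, user, ccache):
    """Behaviour described in comment 2: the renewal is handled as a successful
    authentication whose 'password' is the ccache name, so the offline cache
    is overwritten with that string."""
    cache.store(user, ccache)


def renew_tgt_fixed(cache, user, ccache):
    """Expected behaviour: a renewal never touches the offline cache."""
    return None


def local_attacker_target(tmp_listing, uid):
    """What 'ls /tmp' gives another local user: the victim's ccache name
    (first entry matching the victim's uid), or None."""
    pat = re.compile(r"^krb5cc_%d(_|$)" % uid)
    for name in tmp_listing:
        if pat.match(name):
            return "FILE:/tmp/" + name
    return None


def run_scenario(template, flawed, seed=1):
    """Drive one user through login, renewal and an attacker's login attempt
    and report which strings the offline cache accepts afterwards."""
    rng = random.Random(seed)
    cache = OfflineCache()
    user, uid, password = "alice", 1000, "correct horse battery staple"  # sample user
    cache.store(user, password)                      # a real login populates the cache
    ccache = expand_template(template, uid, user, rng)
    (renew_tgt_flawed if flawed else renew_tgt_fixed)(cache, user, ccache)
    # Constructed /tmp listing: the victim's ccache plus unrelated entries.
    tmp_listing = ["systemd-private-x", ccache[len("FILE:/tmp/"):], "krb5cc_1001_Qr7Tz1"]
    guess = local_attacker_target(tmp_listing, uid)
    return {
        "ccache": ccache,
        "password_still_works": cache.check(user, password),
        "ccache_name_logs_in": cache.check(user, ccache),
        "local_attacker_logs_in": guess is not None and cache.check(user, guess),
        "remote_search_space": candidate_space(template),
    }


if __name__ == "__main__":
    for tmpl in ("FILE:/tmp/krb5cc_%U_XXXXXX", "FILE:/tmp/krb5cc_%U"):
        for flawed in (True, False):
            print(tmpl, "flawed" if flawed else "fixed", run_scenario(tmpl, flawed))
```

With the flawed renewal the user's real password stops working offline and the ccache name logs in instead; a local user who can read the /tmp listing gets that name for free, while the mkstemp() suffix only leaves a remote attacker a 62^6 search space, which collapses to a single guess once the suffix is removed from the template. The fixed renewal leaves the cache untouched in every case.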

Comment 3 Vincent Danen 2011-04-29 18:31:14 UTC
Note that this issue did not affect sssd packages released with Red Hat
Enterprise Linux 6.0.  This issue was introduced as part of the rebase to newer
upstream sssd version which adds support for automatic kerberos TGT renewals.

This issue never affected released non-beta sssd packages in Red Hat Enterprise
Linux 6, and hence is not handled as a security fix for RHEL-6.

Comment 5 Tomas Hoger 2011-04-29 19:26:51 UTC
Announcement of the sssd 1.5.7 release:
