Bug 1659862 (CVE-2018-16883) - CVE-2018-16883 sssd: Information leak in infopipe due to an improper uid restriction
Summary: CVE-2018-16883 sssd: Information leak in infopipe due to an improper uid rest...
Status: NEW
Alias: CVE-2018-16883
Product: Security Response
Classification: Other
Component: vulnerability   
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=low,public=20181219,reported=2...
Keywords: Security
Depends On: 1660687 1660688
Blocks: 1647171
Reported: 2018-12-17 04:24 UTC by Doran Moppert
Modified: 2018-12-20 19:49 UTC (History)

Fixed In Version: sssd 2.0.0
Doc Type: If docs needed, set a value
Doc Text:
sssd versions from 1.13.0 up to, but not including, 2.0.0 did not properly restrict access to the infopipe according to the "allowed_uids" configuration parameter. Sensitive information could be inadvertently disclosed to local attackers if it was stored in the user directory.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---



Description Doran Moppert 2018-12-17 04:24:55 UTC
It was discovered that sssd versions prior to 2.0.0 did not properly restrict access to the infopipe according to the "allowed_uids" parameter.  If sensitive information were stored in the user directory, this could be inadvertently disclosed to local attackers.

Comment 1 Doran Moppert 2018-12-17 04:24:57 UTC
Acknowledgments:

Name: Christian Heimes (Red Hat)

Comment 3 Doran Moppert 2018-12-17 05:39:38 UTC
Mitigation:

This vulnerability is only exposed if the infopipe service is enabled (enabled by default in Red Hat Enterprise Linux 7, disabled by default in Red Hat Enterprise Linux 6), and `[ifp].allowed_uids` is relied upon to protect sensitive information in the user directory.

Comment 4 Doran Moppert 2018-12-19 01:13:54 UTC
This flaw was first present in sssd upstream release 1.13.0, and fixed in 2.0.0 as the result of re-factoring related code.

Comment 5 Doran Moppert 2018-12-19 01:23:15 UTC
Created sssd tracking bugs for this issue:

Affects: fedora-all [bug 1660688]

Comment 7 Markus Koschany 2018-12-20 14:47:52 UTC
Could you tell us what specific commit fixed CVE-2018-16883?

Comment 8 Jakub Hrozek 2018-12-20 19:26:24 UTC
(In reply to Markus Koschany from comment #7)
> Could you tell us what specific commit fixed CVE-2018-16883?

Yes, but it's not going to be useful: fbe2476a3dd9be83ffa85c29dca26f734618d72d

As you can see, the CVE was fixed 'by accident' as part of a large refactoring. We'll provide fixes for this CVE for older branches in early January. Nonetheless, by default, the ifp interface only exposes the same attributes getpw* and getgr* expose, so I don't think the issue is really critical.
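Added example, not part of this bug report or of sssd itself: a Python check that applies the exposure conditions from comment 3 (affected upstream version, infopipe responder enabled, `[ifp].allowed_uids` relied upon) and the attribute point from comment 8 (only the getpw*/getgr* attributes are exposed unless more are configured) to an sssd.conf. It assumes the documented sssd.conf keys `services` in `[sssd]` and `allowed_uids` / `user_attributes` in `[ifp]`; the configuration fragment is constructed for the demonstration.

```python
import configparser
import re

AFFECTED_MIN = (1, 13, 0)   # first affected upstream release (comment 4)
FIXED_IN = (2, 0, 0)        # fixed upstream release (comment 4)

def parse_version(version):
    """Turn '1.16.4' or '1.16.4-37.el7' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError("unrecognised sssd version: %r" % version)
    return tuple(int(x) for x in m.groups())

def version_affected(version):
    return AFFECTED_MIN <= parse_version(version) < FIXED_IN

def assess(conf_text, version):
    """Apply the exposure conditions from the mitigation note to one sssd.conf text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    services = [s.strip() for s in cp.get("sssd", "services", fallback="").split(",")]
    ifp_enabled = "ifp" in services
    ifp = cp["ifp"] if cp.has_section("ifp") else {}
    # user_attributes (sssd-ifp(5)) widens the attribute set beyond the getpw*/getgr*
    # defaults mentioned in comment 8; '+attr' entries add attributes to the exposed set.
    extra = [a.strip().lstrip("+") for a in ifp.get("user_attributes", "").split(",")
             if a.strip().startswith("+")]
    return {
        "version_affected": version_affected(version),
        "ifp_enabled": ifp_enabled,
        "allowed_uids": ifp.get("allowed_uids"),   # None = not set (sssd default applies)
        "extra_attributes": extra,
        "exposed": version_affected(version) and ifp_enabled,
    }

# Constructed sssd.conf fragment for the demonstration (not taken from any real host).
SAMPLE_CONF = """
[sssd]
services = nss, pam, ifp
domains = example.test

[ifp]
allowed_uids = 0, ipaapi
user_attributes = +telephoneNumber, +mail
"""

if __name__ == "__main__":
    for ver in ("1.12.4", "1.16.4-37.el7", "2.0.0"):
        print(ver, assess(SAMPLE_CONF, ver))
```

A host that reports exposed=True with a non-empty extra_attributes list is the case to prioritise, since more than the getpw*/getgr* attribute set is reachable over the infopipe.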

Comment 9 Markus Koschany 2018-12-20 19:49:07 UTC
Thank you for the quick response.

