RHEL 5 : sssd (RHSA-2013:1319)

medium Nessus Plugin ID 70246

Synopsis

The remote Red Hat host is missing a security update for sssd.

Description

The remote Redhat Enterprise Linux 5 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2013:1319 advisory.

SSSD (System Security Services Daemon) provides a set of daemons to manage access to remote directories and authentication mechanisms. It provides NSS (Name Service Switch) and PAM (Pluggable Authentication Modules) interfaces toward the system and a pluggable back end system to connect to multiple different account sources.

A race condition was found in the way SSSD copied and removed user home directories. A local attacker who is able to write into the home directory of a different user who is being removed could use this flaw to perform symbolic link attacks, possibly allowing them to modify and delete arbitrary files with the privileges of the root user. (CVE-2013-0219)

The CVE-2013-0219 issue war discovered by Florian Weimer of the Red Hat Product Security Team.

This update also fixes the following bugs:

* After a paging control was used, memory in the sssd_be process was never freed which led to the growth of the sssd_be process memory usage over time. To fix this bug, the paging control was deallocated after use, and thus the memory usage of the sssd_be process no longer grows. (BZ#820908)

* If the sssd_be process was terminated and recreated while there were authentication requests pending, the sssd_pam process did not recover correctly and did not reconnect to the new sssd_be process. Consequently, the sssd_pam process was seemingly blocked and did not accept any new authentication requests. The sssd_pam process has been fixes so that it reconnects to the new instance of the sssd_be process after the original one terminated unexpectedly. Even after a crash and reconnect, the sssd_pam process now accepts new authentication requests. (BZ#882414)

* When the sssd_be process hung for a while, it was terminated and a new instance was created. If the old instance did not respond to the TERM signal and continued running, SSSD terminated unexpectedly. As a consequence, the user could not log in. SSSD now keeps track of sssd_be subprocesses more effectively, making the restarts of sssd_be more reliable in such scenarios. Users can now log in whenever the sssd_be is restarted and becomes unresponsive. (BZ#886165)

* In case the processing of an LDAP request took longer than the client timeout upon completing the request (60 seconds by default), the PAM client could have accessed memory that was previously freed due to the client timeout being reached. As a result, the sssd_pam process terminated unexpectedly with a segmentation fault. SSSD now ignores an LDAP request result when it detects that the set timeout of this request has been reached. The sssd_pam process no longer crashes in the aforementioned scenario. (BZ#923813)

* When there was a heavy load of users and groups to be saved in cache, SSSD experienced a timeout. Consequently, NSS did not start the backup process properly and it was impossible to log in. A patch has been provided to fix this bug. The SSSD daemon now remains responsive and the login continues as expected. (BZ#805729)

* SSSD kept the file descriptors to the log files open. Consequently, on occasions like moving the actual log file and restarting the back end, SSSD still kept the file descriptors open. SSSD now closes the file descriptor after the child process execution; after a successful back end start, the file descriptor to log files is closed. (BZ#961680)

* While performing access control in the Identity Management back end, SSSD erroneously downloaded the member attribute from the server and then attempted to use it in the cache verbatim. Consequently, the cache attempted to use the member attribute values as if they were pointing to the local cache which was CPU intensive. The member attribute when processing host groups is no longer downloaded and processed. Moreover, the login process is reasonably fast even with large host groups. (BZ#979047)

All sssd users are advised to upgrade to these updated packages, which contain backported patches to correct these issues.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update the RHEL sssd package based on the guidance in RHSA-2013:1319.

See Also

http://www.nessus.org/u?c82da8a3

https://access.redhat.com/errata/RHSA-2013:1319

https://access.redhat.com/security/updates/classification/#low

https://bugzilla.redhat.com/show_bug.cgi?id=884254

https://bugzilla.redhat.com/show_bug.cgi?id=961680

https://bugzilla.redhat.com/show_bug.cgi?id=974036

https://bugzilla.redhat.com/show_bug.cgi?id=979047

Plugin Details

Severity: Medium

ID: 70246

File Name: redhat-RHSA-2013-1319.nasl

Version: 1.14

Type: local

Agent: unix

Published: 10/1/2013

Updated: 11/4/2024

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.6

Vendor

Vendor Severity: Low

CVSS v2

Risk Factor: Low

Base Score: 3.7

Temporal Score: 2.7

Vector: CVSS2#AV:L/AC:H/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2013-0219

CVSS v3

Risk Factor: Medium

Base Score: 5.5

Temporal Score: 4.8

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:redhat:enterprise_linux:libipa_hbac-python, p-cpe:/a:redhat:enterprise_linux:sssd-tools, p-cpe:/a:redhat:enterprise_linux:libipa_hbac-devel, cpe:/o:redhat:enterprise_linux:5, p-cpe:/a:redhat:enterprise_linux:sssd, p-cpe:/a:redhat:enterprise_linux:libipa_hbac, p-cpe:/a:redhat:enterprise_linux:sssd-client

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu

Exploit Ease: No known exploits are available

Patch Publication Date: 9/30/2013

Vulnerability Publication Date: 2/24/2013

Reference Information

CVE: CVE-2013-0219

BID: 57539

CWE: 367

RHSA: 2013:1319