Detections
Analytics

Scientific Linux Security Update : sssd on SL7.x x86_64 (20151119)

medium Nessus Plugin ID 87575

Language:

Synopsis

The remote Scientific Linux host is missing one or more security updates.

Description

It was found that SSSD's Privilege Attribute Certificate (PAC) responder plug-in would leak a small amount of memory on each authentication request. A remote attacker could potentially use this flaw to exhaust all available memory on the system by making repeated requests to a Kerberized daemon application configured to authenticate using the PAC responder plug-in. (CVE-2015-5292)

The sssd packages have been upgraded to upstream version 1.13.0, which provides a number of bug fixes and enhancements over the previous version.

 - SSSD smart card support * Cache authentication in SSSD * SSSD supports overriding automatically discovered AD site * SSSD can now deny SSH access to locked accounts * SSSD enables UID and GID mapping on individual clients * Background refresh of cached entries * Multi-step prompting for one-time and long-term passwords * Caching for initgroups operations

Bugs fixed :

 - When the SELinux user content on an IdM server was set to an empty string, the SSSD SELinux evaluation utility returned an error.

 - If the ldap_child process failed to initialize credentials and exited with an error multiple times, operations that create files in some cases started failing due to an insufficient amount of i-nodes.

 - The SRV queries used a hard-coded TTL timeout, and environments that wanted the SRV queries to be valid for a certain time only were blocked. Now, SSSD parses the TTL value out of the DNS packet.

 - Previously, initgroups operation took an excessive amount of time. Now, logins and ID processing are faster for setups with AD back end and disabled ID mapping.

 - When an IdM client with Scientific Linux 7.1 or later was connecting to a server with Scientific Linux 7.0 or earlier, authentication with an AD trusted domain caused the sssd_be process to terminate unexpectedly.

 - If replication conflict entries appeared during HBAC processing, the user was denied access. Now, the replication conflict entries are skipped and users are permitted access.

 - The array of SIDs no longer contains an uninitialized value and SSSD no longer crashes.

 - SSSD supports GPOs from different domain controllers and no longer crashes when processing GPOs from different domain controllers.

 - SSSD could not refresh sudo rules that contained groups with special characters, such as parentheses, in their name.

 - The IPA names are not qualified on the client side if the server already qualified them, and IdM group members resolve even if default_domain_suffix is used on the server side.

 - The internal cache cleanup task has been disabled by default to improve performance of the sssd_be process.

 - Now, default_domain_suffix is not considered anymore for autofs maps.

 - The user can set subdomain_inherit=ignore_group-members to disable fetching group members for trusted domains.

 - The group resolution failed with an error message:
 'Error: 14 (Bad address)'. The binary GUID handling has been fixed.

Enhancements added :

 - The description of default_domain_suffix has been improved in the manual pages.

 - With the new '%0' template option, users on SSSD IdM clients can now use home directories set on AD.

Solution

Update the affected packages.

See Also

http://www.nessus.org/u?b620618f

Plugin Details

Severity: Medium

ID: 87575

File Name: sl_20151119_sssd_on_SL7_x.nasl

Version: 2.5

Type: local

Agent: unix

Published: 12/22/2015

Updated: 1/14/2021

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:C

Vulnerability Information

CPE: p-cpe:/a:fermilab:scientific_linux:libipa_hbac, p-cpe:/a:fermilab:scientific_linux:libipa_hbac-devel, p-cpe:/a:fermilab:scientific_linux:libsss_idmap, p-cpe:/a:fermilab:scientific_linux:libsss_idmap-devel, p-cpe:/a:fermilab:scientific_linux:libsss_nss_idmap, p-cpe:/a:fermilab:scientific_linux:libsss_nss_idmap-devel, p-cpe:/a:fermilab:scientific_linux:libsss_simpleifp, p-cpe:/a:fermilab:scientific_linux:libsss_simpleifp-devel, p-cpe:/a:fermilab:scientific_linux:python-libipa_hbac, p-cpe:/a:fermilab:scientific_linux:python-libsss_nss_idmap, p-cpe:/a:fermilab:scientific_linux:python-sss, p-cpe:/a:fermilab:scientific_linux:python-sss-murmur, p-cpe:/a:fermilab:scientific_linux:python-sssdconfig, p-cpe:/a:fermilab:scientific_linux:sssd, p-cpe:/a:fermilab:scientific_linux:sssd-ad, p-cpe:/a:fermilab:scientific_linux:sssd-client, p-cpe:/a:fermilab:scientific_linux:sssd-common, p-cpe:/a:fermilab:scientific_linux:sssd-common-pac, p-cpe:/a:fermilab:scientific_linux:sssd-dbus, p-cpe:/a:fermilab:scientific_linux:sssd-debuginfo, p-cpe:/a:fermilab:scientific_linux:sssd-ipa, p-cpe:/a:fermilab:scientific_linux:sssd-krb5, p-cpe:/a:fermilab:scientific_linux:sssd-krb5-common, p-cpe:/a:fermilab:scientific_linux:sssd-ldap, p-cpe:/a:fermilab:scientific_linux:sssd-libwbclient, p-cpe:/a:fermilab:scientific_linux:sssd-libwbclient-devel, p-cpe:/a:fermilab:scientific_linux:sssd-proxy, p-cpe:/a:fermilab:scientific_linux:sssd-tools, x-cpe:/o:fermilab:scientific_linux

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu

Patch Publication Date: 11/19/2015

Vulnerability Publication Date: 10/29/2015

Reference Information

CVE: CVE-2015-5292