Vigil@nce - SSSD: user impersonation via select_principal_from_keytab
May 2011 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
After the renewal of a ticket by SSSD, an attacker can obtain the
identity of a valid user.
Severity: 2/4
Creation date: 06/05/2011
IMPACTED PRODUCTS
– Fedora
– Unix - plateform
DESCRIPTION OF THE VULNERABILITY
The SSSD service (System Security Services Daemon) processes the
user identity and authentication management.
When users authenticate via SSSD, they can obtain a Kerberos TGT
ticket which is stored in a file cache system. The SSSD service
automatically renews this ticket.
However, during the renewal process, the SSSD service overwrites
the cached password with the path of the cache file, due to an
error in the select_principal_from_keytab() function. The password
thus become predictable (it can be read via "ls /tmp" for
example). Moreover, if the administrator suppressed the mkstemp
suffix of the krb5_ccache_template, the new password does not
contain a random part.
After the renewal of a ticket by SSSD, an attacker can therefore
obtain the identity of a valid user.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/SSSD-user-impersonation-via-select-principal-from-keytab-10622