Amazon Linux AMI update for sssd

Published: 2019-10-10
Severity Low
Patch available YES
Number of vulnerabilities 2
CVE ID CVE-2019-3811
CVE-2018-16838
CWE ID CWE-284
CWE-264
Exploitation vector Network
Public exploit N/A
Vulnerable software Amazon Linux AMI Subscribe
Vendor Amazon Web Services, Inc.

Security Advisory

1) Improper access control

Severity: Low

CVSSv3: 4.8 [CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-3811

CWE-ID: CWE-284 - Improper Access Control

Description

The vulnerability allows an adjacent authenticated attacker to bypass security restrictions.

The vulnerability exists due to the return of '/' (the root directory) instead of '' (the empty string / no home directory) if a user was configured with no home directory set. An adjacent attacker can bypass services that restrict the user's filesystem access to within their home directory through chroot().

Mitigation

Update the affected packages:

i686:
    sssd-libwbclient-1.16.4-21.25.amzn1.i686
    libsss_sudo-1.16.4-21.25.amzn1.i686
    sssd-winbind-idmap-1.16.4-21.25.amzn1.i686
    sssd-ldap-1.16.4-21.25.amzn1.i686
    libsss_simpleifp-1.16.4-21.25.amzn1.i686
    sssd-krb5-common-1.16.4-21.25.amzn1.i686
    sssd-dbus-1.16.4-21.25.amzn1.i686
    sssd-common-pac-1.16.4-21.25.amzn1.i686
    sssd-libwbclient-devel-1.16.4-21.25.amzn1.i686
    libsss_certmap-devel-1.16.4-21.25.amzn1.i686
    libsss_simpleifp-devel-1.16.4-21.25.amzn1.i686
    python27-libsss_nss_idmap-1.16.4-21.25.amzn1.i686
    sssd-common-1.16.4-21.25.amzn1.i686
    libsss_autofs-1.16.4-21.25.amzn1.i686
    sssd-tools-1.16.4-21.25.amzn1.i686
    sssd-ipa-1.16.4-21.25.amzn1.i686
    sssd-ad-1.16.4-21.25.amzn1.i686
    python27-sss-1.16.4-21.25.amzn1.i686
    libsss_idmap-1.16.4-21.25.amzn1.i686
    sssd-1.16.4-21.25.amzn1.i686
    libipa_hbac-1.16.4-21.25.amzn1.i686
    sssd-client-1.16.4-21.25.amzn1.i686
    libipa_hbac-devel-1.16.4-21.25.amzn1.i686
    libsss_nss_idmap-1.16.4-21.25.amzn1.i686
    sssd-proxy-1.16.4-21.25.amzn1.i686
    sssd-debuginfo-1.16.4-21.25.amzn1.i686
    libsss_certmap-1.16.4-21.25.amzn1.i686
    libsss_idmap-devel-1.16.4-21.25.amzn1.i686
    python27-libipa_hbac-1.16.4-21.25.amzn1.i686
    sssd-krb5-1.16.4-21.25.amzn1.i686
    libsss_nss_idmap-devel-1.16.4-21.25.amzn1.i686
    python27-sss-murmur-1.16.4-21.25.amzn1.i686

noarch:
    python27-sssdconfig-1.16.4-21.25.amzn1.noarch

src:
    sssd-1.16.4-21.25.amzn1.src

x86_64:
    sssd-tools-1.16.4-21.25.amzn1.x86_64
    sssd-ipa-1.16.4-21.25.amzn1.x86_64
    sssd-krb5-1.16.4-21.25.amzn1.x86_64
    libsss_simpleifp-devel-1.16.4-21.25.amzn1.x86_64
    sssd-winbind-idmap-1.16.4-21.25.amzn1.x86_64
    sssd-1.16.4-21.25.amzn1.x86_64
    sssd-libwbclient-devel-1.16.4-21.25.amzn1.x86_64
    libsss_idmap-1.16.4-21.25.amzn1.x86_64
    libsss_nss_idmap-devel-1.16.4-21.25.amzn1.x86_64
    libipa_hbac-1.16.4-21.25.amzn1.x86_64
    sssd-debuginfo-1.16.4-21.25.amzn1.x86_64
    libipa_hbac-devel-1.16.4-21.25.amzn1.x86_64
    libsss_nss_idmap-1.16.4-21.25.amzn1.x86_64
    libsss_sudo-1.16.4-21.25.amzn1.x86_64
    python27-libsss_nss_idmap-1.16.4-21.25.amzn1.x86_64
    python27-sss-murmur-1.16.4-21.25.amzn1.x86_64
    libsss_autofs-1.16.4-21.25.amzn1.x86_64
    sssd-common-pac-1.16.4-21.25.amzn1.x86_64
    sssd-ldap-1.16.4-21.25.amzn1.x86_64
    sssd-client-1.16.4-21.25.amzn1.x86_64
    python27-libipa_hbac-1.16.4-21.25.amzn1.x86_64
    sssd-libwbclient-1.16.4-21.25.amzn1.x86_64
    python27-sss-1.16.4-21.25.amzn1.x86_64
    sssd-krb5-common-1.16.4-21.25.amzn1.x86_64
    sssd-ad-1.16.4-21.25.amzn1.x86_64
    sssd-dbus-1.16.4-21.25.amzn1.x86_64
    libsss_certmap-1.16.4-21.25.amzn1.x86_64
    sssd-proxy-1.16.4-21.25.amzn1.x86_64
    sssd-common-1.16.4-21.25.amzn1.x86_64
    libsss_certmap-devel-1.16.4-21.25.amzn1.x86_64
    libsss_simpleifp-1.16.4-21.25.amzn1.x86_64
    libsss_idmap-devel-1.16.4-21.25.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: 2017.03

CPE External links

https://alas.aws.amazon.com/ALAS-2019-1307.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Security restrictions bypass

Severity: Low

CVSSv3: 5.8 [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:U/RL:U/RC:C] [PCI]

CVE-ID: CVE-2018-16838

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Description

The vulnerability allows a remote authenticated attacker to bypass security restrictions on the system.

The vulnerability exists due to a flaw in sssd Group Policy Objects implementation when the GPO is not readable by SSSD due to a too strict permission settings on the server side. A remote attacker can bypass security restrictions.

Mitigation

Update the affected packages:

i686:
    sssd-libwbclient-1.16.4-21.25.amzn1.i686
    libsss_sudo-1.16.4-21.25.amzn1.i686
    sssd-winbind-idmap-1.16.4-21.25.amzn1.i686
    sssd-ldap-1.16.4-21.25.amzn1.i686
    libsss_simpleifp-1.16.4-21.25.amzn1.i686
    sssd-krb5-common-1.16.4-21.25.amzn1.i686
    sssd-dbus-1.16.4-21.25.amzn1.i686
    sssd-common-pac-1.16.4-21.25.amzn1.i686
    sssd-libwbclient-devel-1.16.4-21.25.amzn1.i686
    libsss_certmap-devel-1.16.4-21.25.amzn1.i686
    libsss_simpleifp-devel-1.16.4-21.25.amzn1.i686
    python27-libsss_nss_idmap-1.16.4-21.25.amzn1.i686
    sssd-common-1.16.4-21.25.amzn1.i686
    libsss_autofs-1.16.4-21.25.amzn1.i686
    sssd-tools-1.16.4-21.25.amzn1.i686
    sssd-ipa-1.16.4-21.25.amzn1.i686
    sssd-ad-1.16.4-21.25.amzn1.i686
    python27-sss-1.16.4-21.25.amzn1.i686
    libsss_idmap-1.16.4-21.25.amzn1.i686
    sssd-1.16.4-21.25.amzn1.i686
    libipa_hbac-1.16.4-21.25.amzn1.i686
    sssd-client-1.16.4-21.25.amzn1.i686
    libipa_hbac-devel-1.16.4-21.25.amzn1.i686
    libsss_nss_idmap-1.16.4-21.25.amzn1.i686
    sssd-proxy-1.16.4-21.25.amzn1.i686
    sssd-debuginfo-1.16.4-21.25.amzn1.i686
    libsss_certmap-1.16.4-21.25.amzn1.i686
    libsss_idmap-devel-1.16.4-21.25.amzn1.i686
    python27-libipa_hbac-1.16.4-21.25.amzn1.i686
    sssd-krb5-1.16.4-21.25.amzn1.i686
    libsss_nss_idmap-devel-1.16.4-21.25.amzn1.i686
    python27-sss-murmur-1.16.4-21.25.amzn1.i686

noarch:
    python27-sssdconfig-1.16.4-21.25.amzn1.noarch

src:
    sssd-1.16.4-21.25.amzn1.src

x86_64:
    sssd-tools-1.16.4-21.25.amzn1.x86_64
    sssd-ipa-1.16.4-21.25.amzn1.x86_64
    sssd-krb5-1.16.4-21.25.amzn1.x86_64
    libsss_simpleifp-devel-1.16.4-21.25.amzn1.x86_64
    sssd-winbind-idmap-1.16.4-21.25.amzn1.x86_64
    sssd-1.16.4-21.25.amzn1.x86_64
    sssd-libwbclient-devel-1.16.4-21.25.amzn1.x86_64
    libsss_idmap-1.16.4-21.25.amzn1.x86_64
    libsss_nss_idmap-devel-1.16.4-21.25.amzn1.x86_64
    libipa_hbac-1.16.4-21.25.amzn1.x86_64
    sssd-debuginfo-1.16.4-21.25.amzn1.x86_64
    libipa_hbac-devel-1.16.4-21.25.amzn1.x86_64
    libsss_nss_idmap-1.16.4-21.25.amzn1.x86_64
    libsss_sudo-1.16.4-21.25.amzn1.x86_64
    python27-libsss_nss_idmap-1.16.4-21.25.amzn1.x86_64
    python27-sss-murmur-1.16.4-21.25.amzn1.x86_64
    libsss_autofs-1.16.4-21.25.amzn1.x86_64
    sssd-common-pac-1.16.4-21.25.amzn1.x86_64
    sssd-ldap-1.16.4-21.25.amzn1.x86_64
    sssd-client-1.16.4-21.25.amzn1.x86_64
    python27-libipa_hbac-1.16.4-21.25.amzn1.x86_64
    sssd-libwbclient-1.16.4-21.25.amzn1.x86_64
    python27-sss-1.16.4-21.25.amzn1.x86_64
    sssd-krb5-common-1.16.4-21.25.amzn1.x86_64
    sssd-ad-1.16.4-21.25.amzn1.x86_64
    sssd-dbus-1.16.4-21.25.amzn1.x86_64
    libsss_certmap-1.16.4-21.25.amzn1.x86_64
    sssd-proxy-1.16.4-21.25.amzn1.x86_64
    sssd-common-1.16.4-21.25.amzn1.x86_64
    libsss_certmap-devel-1.16.4-21.25.amzn1.x86_64
    libsss_simpleifp-1.16.4-21.25.amzn1.x86_64
    libsss_idmap-devel-1.16.4-21.25.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: 2017.03

CPE External links

https://alas.aws.amazon.com/ALAS-2019-1307.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.