SUSE update for sssd

1) Race condition

EUVDB-ID: #VU88857

Risk: Medium

CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2023-3758

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Exploit availability: No

Description

The vulnerability allows a remote user to escalate privileges on the system.

The vulnerability exists due to a race condition where the GPO policy is not consistently applied for authenticated users. A remote user can exploit the race and gain unauthorized access to the system.

Mitigation

Update the affected package sssd to the latest version.

Vulnerable software versions

SUSE Linux Enterprise Micro: 5.5

Basesystem Module: 15-SP5

SUSE Linux Enterprise Server for SAP Applications 15: SP5

SUSE Linux Enterprise Server 15: SP5

SUSE Linux Enterprise Real Time 15: SP5

SUSE Linux Enterprise High Performance Computing 15: SP5

SUSE Linux Enterprise Desktop 15: SP5

openSUSE Leap: 15.5

sssd-common-64bit: before 2.5.2-150500.10.17.1

sssd-common-64bit-debuginfo: before 2.5.2-150500.10.17.1

python3-sss-murmur-debuginfo: before 2.5.2-150500.10.17.1

python3-sss-murmur: before 2.5.2-150500.10.17.1

python3-sss_nss_idmap-debuginfo: before 2.5.2-150500.10.17.1

libnfsidmap-sss-debuginfo: before 2.5.2-150500.10.17.1

python3-ipa_hbac: before 2.5.2-150500.10.17.1

libnfsidmap-sss: before 2.5.2-150500.10.17.1

python3-ipa_hbac-debuginfo: before 2.5.2-150500.10.17.1

python3-sss_nss_idmap: before 2.5.2-150500.10.17.1

sssd-common-32bit-debuginfo: before 2.5.2-150500.10.17.1

sssd-common-32bit: before 2.5.2-150500.10.17.1

libipa_hbac0-debuginfo: before 2.5.2-150500.10.17.1

libipa_hbac0: before 2.5.2-150500.10.17.1

libsss_simpleifp0: before 2.5.2-150500.10.17.1

sssd-kcm-debuginfo: before 2.5.2-150500.10.17.1

sssd-proxy: before 2.5.2-150500.10.17.1

sssd-dbus: before 2.5.2-150500.10.17.1

libsss_simpleifp0-debuginfo: before 2.5.2-150500.10.17.1

sssd-kcm: before 2.5.2-150500.10.17.1

python3-sssd-config-debuginfo: before 2.5.2-150500.10.17.1

sssd-tools-debuginfo: before 2.5.2-150500.10.17.1

libsss_nss_idmap-devel: before 2.5.2-150500.10.17.1

sssd-ipa-debuginfo: before 2.5.2-150500.10.17.1

sssd-winbind-idmap: before 2.5.2-150500.10.17.1

sssd-tools: before 2.5.2-150500.10.17.1

sssd-krb5-debuginfo: before 2.5.2-150500.10.17.1

sssd-krb5: before 2.5.2-150500.10.17.1

sssd-ad-debuginfo: before 2.5.2-150500.10.17.1

libsss_certmap-devel: before 2.5.2-150500.10.17.1

python3-sssd-config: before 2.5.2-150500.10.17.1

sssd-ad: before 2.5.2-150500.10.17.1

sssd-ipa: before 2.5.2-150500.10.17.1

libsss_simpleifp-devel: before 2.5.2-150500.10.17.1

libipa_hbac-devel: before 2.5.2-150500.10.17.1

sssd-dbus-debuginfo: before 2.5.2-150500.10.17.1

libsss_idmap-devel: before 2.5.2-150500.10.17.1

sssd-winbind-idmap-debuginfo: before 2.5.2-150500.10.17.1

sssd-proxy-debuginfo: before 2.5.2-150500.10.17.1

libsss_nss_idmap0: before 2.5.2-150500.10.17.1

libsss_certmap0: before 2.5.2-150500.10.17.1

libsss_idmap0: before 2.5.2-150500.10.17.1

sssd-krb5-common: before 2.5.2-150500.10.17.1

sssd-ldap-debuginfo: before 2.5.2-150500.10.17.1

sssd-common-debuginfo: before 2.5.2-150500.10.17.1

sssd: before 2.5.2-150500.10.17.1

libsss_nss_idmap0-debuginfo: before 2.5.2-150500.10.17.1

sssd-debugsource: before 2.5.2-150500.10.17.1

sssd-ldap: before 2.5.2-150500.10.17.1

sssd-krb5-common-debuginfo: before 2.5.2-150500.10.17.1

libsss_certmap0-debuginfo: before 2.5.2-150500.10.17.1

sssd-common: before 2.5.2-150500.10.17.1

libsss_idmap0-debuginfo: before 2.5.2-150500.10.17.1

CPE2.3

• cpe:2.3:o:suse:suse_linux_enterprise_micro:5.5:*:*:*:*:*:*:*
• cpe:2.3:o:suse:basesystem_module:15-SP5:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications_15:SP5:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_server_15:SP5:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_real_time_15:SP5:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing_15:SP5:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_desktop_15:SP5:*:*:*:*:*:*:*
• cpe:2.3:o:suse:opensuse_leap:15.5:*:*:*:*:*:*:*
• cpe:2.3:a:suse:sssd-common-64bit:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:sssd-common-64bit-debuginfo:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:python3-sss-murmur-debuginfo:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:python3-sss-murmur:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:python3-sss_nss_idmap-debuginfo:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:libnfsidmap-sss-debuginfo:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:python3-ipa_hbac:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:libnfsidmap-sss:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:python3-ipa_hbac-debuginfo:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:python3-sss_nss_idmap:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:sssd-common-32bit-debuginfo:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:sssd-common-32bit:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:libipa_hbac0-debuginfo:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:libipa_hbac0:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:libsss_simpleifp0:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:sssd-kcm-debuginfo:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:sssd-proxy:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:sssd-dbus:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:libsss_simpleifp0-debuginfo:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:sssd-kcm:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:python3-sssd-config-debuginfo:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:sssd-tools-debuginfo:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:libsss_nss_idmap-devel:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:sssd-ipa-debuginfo:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:sssd-winbind-idmap:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:sssd-tools:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:sssd-krb5-debuginfo:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:sssd-krb5:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:sssd-ad-debuginfo:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:libsss_certmap-devel:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:python3-sssd-config:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:sssd-ad:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:sssd-ipa:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:libsss_simpleifp-devel:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:libipa_hbac-devel:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:sssd-dbus-debuginfo:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:libsss_idmap-devel:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:sssd-winbind-idmap-debuginfo:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:sssd-proxy-debuginfo:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:libsss_nss_idmap0:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:libsss_certmap0:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:libsss_idmap0:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:sssd-krb5-common:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:sssd-ldap-debuginfo:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:sssd-common-debuginfo:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:sssd:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:libsss_nss_idmap0-debuginfo:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:sssd-debugsource:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:sssd-ldap:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:sssd-krb5-common-debuginfo:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:libsss_certmap0-debuginfo:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:sssd-common:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:libsss_idmap0-debuginfo:*:*:*:*:*:suse_linux:*:*

External links

https://www.suse.com/support/update/announcement/2024/suse-su-20241579-1/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.