[gentoo-announce] [ GLSA 202407-05 ] SSSD: Command Injection

    From glsamaker@gentoo.org@21:1/5 to All on Mon Jul 1 08:20:01 2024
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Gentoo Linux Security Advisory GLSA 202407-05
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    https://security.gentoo.org/
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Severity: Normal
    Title: SSSD: Command Injection
    Date: July 01, 2024
    Bugs: #808911
    ID: 202407-05

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Synopsis
    ========

    A vulnerability has been discovered in SSSD, which can lead to arbitrary
    code execution.

    Background
    ==========

    SSSD provides a set of daemons to manage access to remote directories
    and authentication mechanisms such as LDAP, Kerberos or FreeIPA. It
    provides an NSS and PAM interface toward the system and a pluggable
    backend system to connect to multiple different account sources.

    Affected packages
    =================

    Package          Vulnerable     Unaffected
    -------------    ------------   ------------
    sys-auth/sssd    < 2.5.2-r1     >= 2.5.2-r1

    Description
    ===========

    A vulnerability has been discovered in SSSD. Please review the CVE
    identifier referenced below for details.

    Impact
    ======

    A flaw was found in SSSD, where the sssctl command was vulnerable to
    shell command injection via the logs-fetch and cache-expire subcommands.
    This flaw allows an attacker to trick the root user into running a
    specially crafted sssctl command, such as via sudo, to gain root access.
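    The advisory describes the exposure as a privileged user being induced to run a crafted sssctl logs-fetch or cache-expire invocation, typically through sudo. As an added example (not part of the advisory and not SSSD's or Gentoo's code), the check below walks sudo's syslog records and flags root-targeted runs of those two subcommands whose arguments carry shell metacharacters; the log lines are constructed samples, and the sudo record shape is the default syslog format.

```python
import re

# Subcommands the advisory names as the shell-injection vectors.
WATCHED_SUBCOMMANDS = {"logs-fetch", "cache-expire"}
# Characters with no place in a path or domain argument but meaningful to a shell.
SHELL_META = re.compile(r"[;&|`$<>(){}\\'\"\n]")
# Shape of sudo's default syslog record: "sudo: USER : TTY=.. ; PWD=.. ; USER=TARGET ; COMMAND=.."
SUDO_LINE = re.compile(
    r"sudo:\s+(?P<user>\S+)\s*:.*?\bUSER=(?P<target>\S+)\s*;.*?COMMAND=(?P<command>.*)$"
)

# Constructed sample records (not real log data). The second carries an inert
# separator so the check has a positive case; the third is an unrelated command.
SAMPLE_LOG = [
    "Jul  1 08:20:01 host sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; "
    "COMMAND=/usr/sbin/sssctl logs-fetch /tmp/sssd-logs.tar.xz",
    "Jul  1 08:21:13 host sudo:     bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; "
    "COMMAND=/usr/sbin/sssctl logs-fetch /tmp/logs.tar.xz; echo marker",
    "Jul  1 08:22:40 host sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; "
    "COMMAND=/usr/bin/emerge --sync",
]


def flag_sssctl_invocation(line):
    """Return (invoking user, reason) when the record is a root-targeted sudo run of a
    watched sssctl subcommand whose arguments contain shell metacharacters, else None."""
    m = SUDO_LINE.search(line)
    if not m or m.group("target") != "root":
        return None
    # sudo logs the command as argv joined by spaces, so whitespace inside one argument
    # is lost here; that only splits a suspicious argument further, it never hides it.
    argv = m.group("command").split()
    if len(argv) < 2 or argv[0].rsplit("/", 1)[-1] != "sssctl":
        return None
    if argv[1] not in WATCHED_SUBCOMMANDS:
        return None
    suspicious = [a for a in argv[2:] if SHELL_META.search(a)]
    if not suspicious:
        return None
    return m.group("user"), f"{argv[1]} argument contains shell metacharacters: {suspicious[0]!r}"


def scan(lines):
    """Apply the check to every record and keep only the hits."""
    return [hit for hit in map(flag_sssctl_invocation, lines) if hit]


if __name__ == "__main__":
    for user, reason in scan(SAMPLE_LOG):
        print(f"{user}: {reason}")
```

A hit on a host still below sys-auth/sssd-2.5.2-r1 is worth treating as a possible privilege escalation rather than a typo.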

    Workaround
    ==========

    There is no known workaround at this time.

    Resolution
    ==========

    All SSSD users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=sys-auth/sssd-2.5.2-r1"

    References
    ==========

    [ 1 ] CVE-2021-3621
    https://nvd.nist.gov/vuln/detail/CVE-2021-3621

    Availability
    ============

    This GLSA and any updates to it are available for viewing at
    the Gentoo Security Website:

    https://security.gentoo.org/glsa/202407-05

    Concerns?
    =========

    Security is a primary focus of Gentoo Linux and ensuring the
    confidentiality and security of our users' machines is of utmost
    importance to us. Any security concerns should be addressed to
    security@gentoo.org or alternatively, you may file a bug at
    https://bugs.gentoo.org.

    License
    =======

    Copyright 2024 Gentoo Foundation, Inc; referenced text
    belongs to its owner(s).

    The contents of this document are licensed under the
    Creative Commons - Attribution / Share Alike license.

    https://creativecommons.org/licenses/by-sa/2.5
