CVE-2014-0249
First published: Tue May 27 2014(Updated: )
It was reported [1] that SSSD improperly expanded group membership when it encountered a non-POSIX group in the group membership chain. For instance: user -> posix_group1 -> non_posix_group -> posix_group2 With the group memberships noted above, SSSD should include the user as a member of both posix_group1 and posix_group2, however due to the position of the non-POSIX group, SSSD halts processing at it and never reaches posix_group2, leaving the user as a member of posix_group1 and not posix_group2. SSSD has the capability to set a 'deny' ACL for both users and groups, so in a situation like that illustrated above, if posix_group2 was present in a 'deny' ACL, the user would be granted access because they are not shown as having membership in the denied group. This could grant unintended access to certain users in an environment where non-POSIX groups are used in addition to POSIX groups. There is currently no patch to correct this issue. [1] <a href="https://lists.fedorahosted.org/pipermail/sssd-devel/2014-May/019495.html">https://lists.fedorahosted.org/pipermail/sssd-devel/2014-May/019495.html</a>
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/sssd | <1.11.7 | 1.11.7 |
| Fedora Hosted SSSD | =1.11.6 | |
| Red Hat Enterprise Linux | =5 | |
| Red Hat Enterprise Linux | =6.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/show_bug.cgi?id=1101751
- https://lists.fedorahosted.org/pipermail/sssd-devel/2014-May/019495.html
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1101756
- https://fedorahosted.org/sssd/ticket/2343
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.7
- https://git.fedorahosted.org/cgit/sssd.git/commit/?id=0b6b4b7669b46d3d0b0ebefbc0e1621965444717
- https://git.fedorahosted.org/cgit/sssd.git/commit/?id=4da27d52078497c5c095f4a4cd9975fe5c83c330
- https://git.fedorahosted.org/cgit/sssd.git/commit/?id=191d7f7ce3de10d9e19eaa0a6ab3319bcd4ca95d
- https://rhn.redhat.com/errata/RHBA-2014-1375.html
- https://rhn.redhat.com/errata/RHBA-2015-0441.html
Frequently Asked Questions
What is the severity of CVE-2014-0249?
CVE-2014-0249 has been classified as a moderate vulnerability due to improper group membership expansion in SSSD.
How do I fix CVE-2014-0249?
To fix CVE-2014-0249, update SSSD to version 1.11.7 or later.
Which software versions are affected by CVE-2014-0249?
CVE-2014-0249 affects SSSD versions prior to 1.11.7, including versions 1.11.6 and earlier.
What is SSSD and why is CVE-2014-0249 a concern?
SSSD, or System Security Services Daemon, is a service that provides access to identity and authentication resources, making CVE-2014-0249 a concern due to its potential impact on user group membership management.
Is there a workaround for CVE-2014-0249?
There are no recommended workarounds for CVE-2014-0249; updating to the fixed version is advised.
- agent/references
- agent/type
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2014-0249
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/author
- agent/severity
- agent/weakness
- agent/description
- agent/event
- agent/trending
- agent/softwarecombine
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/redhat
- vendor/fedoraproject
- canonical/fedora hosted sssd
- version/fedora hosted sssd/1.11.6
- vendor/redhat
- canonical/red hat enterprise linux
- version/red hat enterprise linux/5
- version/red hat enterprise linux/6.0