openSUSE-SU-2019:0344

openSUSE-SU-2019:1174

106644

RHSA-2019:2177

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3811

[debian-lts-announce] 20190117 [SECURITY] [DLA 1635-1] sssd security update

The remote NewStart CGSL host, running version CORE 5.05 / MAIN 5.05, has sssd packages installed that are affected by multiple vulnerabilities:

  - A vulnerability was found in sssd. If a user was     configured with no home directory set, sssd would return     '/' (the root directory) instead of '' (the empty string     / no home directory). This could impact services that     restrict the user's filesystem access to within their     home directory through chroot() etc. All versions before     2.1 are vulnerable. (CVE-2019-3811)

  - A flaw was found in sssd Group Policy Objects     implementation. When the GPO is not readable by SSSD due     to a too strict permission settings on the server side,     SSSD will allow all authenticated users to login instead     of denying access. (CVE-2018-16838)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

A flaw was found in sssd Group Policy Objects implementation. When the GPO is not readable by SSSD due to a too strict permission settings on the server side, SSSD will allow all authenticated users to login instead of denying access.(CVE-2018-16838)

A vulnerability was found in sssd where, if a user was configured with no home directory set, sssd would return '/' (the root directory) instead of '' (the empty string / no home directory). This could impact services that restrict the user's filesystem access to within their home directory through chroot().(CVE-2019-3811)

The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has sssd packages installed that are affected by multiple vulnerabilities:

  - A vulnerability was found in sssd. If a user was     configured with no home directory set, sssd would return     '/' (the root directory) instead of '' (the empty string     / no home directory). This could impact services that     restrict the user's filesystem access to within their     home directory through chroot() etc. All versions before     2.1 are vulnerable. (CVE-2019-3811)

  - A flaw was found in sssd Group Policy Objects     implementation. When the GPO is not readable by SSSD due     to a too strict permission settings on the server side,     SSSD will allow all authenticated users to login instead     of denying access. (CVE-2018-16838)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to the version of the sssd packages installed, the EulerOS installation on the remote host is affected by the following vulnerability :

  - A vulnerability was found in sssd where, if a user was     configured with no home directory set, sssd would     return '/' (the root directory) instead of '' (the     empty string / no home directory). This could impact     services that restrict the user's filesystem access to     within their home directory through     chroot().(CVE-2019-3811)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An update for sssd is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The System Security Services Daemon (SSSD) service provides a set of daemons to manage access to remote directories and authentication mechanisms. It also provides the Name Service Switch (NSS) and the Pluggable Authentication Modules (PAM) interfaces toward the system, and a pluggable back-end system to connect to multiple different account sources.

The following packages have been upgraded to a later upstream version:
sssd (1.16.4). (BZ#1658994)

Security Fix(es) :

* sssd: fallback_homedir returns '/' for empty home directories in passwd file (CVE-2019-3811)

* sssd: improper implementation of GPOs due to too restrictive permissions (CVE-2018-16838)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes :

For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.7 Release Notes linked from the References section.

The following packages have been upgraded to a later upstream version:
sssd (1.16.4).

Security Fix(es) :

  - sssd: fallback_homedir returns '/' for empty home     directories in passwd file (CVE-2019-3811)

  - sssd: improper implementation of GPOs due to too     restrictive permissions (CVE-2018-16838)

According to the version of the sssd packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerability :

  - A vulnerability was found in sssd where, if a user was     configured with no home directory set, sssd would     return '/' (the root directory) instead of '' (the     empty string / no home directory). This could impact     services that restrict the user's filesystem access to     within their home directory through     chroot().(CVE-2019-3811)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for adcli and sssd provides the following improvement :

Security vulnerability fixed :

  - CVE-2019-3811: Fix fallback_homedir returning '/' for     empty home directories (bsc#1121759)

Other fixes :

  - Add an option to disable checking for trusted domains in     the subdomains provider (bsc#1125617)

  - Clear pid file in corner cases (bsc#1127670)

  - Fix child unable to write to log file after SIGHUP     (bsc#1127670)

  - Include adcli in SUSE Linux Enterprise 12 SP3 for     sssd-ad. (fate#326619, bsc#1109849)

The adcli enables sssd to do password renewal when using Active Directory. This update was imported from the SUSE:SLE-12-SP2:Update update project.

This update for adcli and sssd provides the following improvement :

Security vulnerability fixed :

CVE-2019-3811: Fix fallback_homedir returning '/' for empty home directories (bsc#1121759)

Other fixes: Add an option to disable checking for trusted domains in the subdomains provider (bsc#1125617)

Clear pid file in corner cases (bsc#1127670)

Fix child unable to write to log file after SIGHUP (bsc#1127670)

Include adcli in SUSE Linux Enterprise 12 SP3 for sssd-ad.
(fate#326619, bsc#1109849)

The adcli enables sssd to do password renewal when using Active Directory.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for sssd fixes the following issues :

Security vulnerability addresed :

  - CVE-2019-3811: Fix fallback_homedir returning '/' for     empty home directories (bsc#1121759)

Other bug fixes and changes :

  - Install logrotate configuration (bsc#1004220)

  - Align systemd service file with upstream, run     interactive and change service type to notify     (bsc#1120852)

  - Fix sssd not starting in foreground mode (bsc#1125277)

  - Strip whitespaces in netgroup triples (bsc#1087320)

This update was imported from the SUSE:SLE-15:Update update project.

This update for sssd fixes the following issues :

Security vulnerabilities addressed :

Fix fallback_homedir returning '/' for empty home directories (CVE-2019-3811) (bsc#1121759)

Create sockets with right permissions (bsc#1098377, CVE-2018-10852)

Other bug fixes and changes: Install logrotate configuration (bsc#1004220)

Strip whitespaces in netgroup triples (bsc#1087320)

Align systemd service file with upstream

  - Run interactive and change service type to notify     (bsc#1120852)

  - Replace deprecated '-f' and use '--logger'

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for sssd fixes the following issues :

Security vulnerability fixed :

CVE-2019-3811: Fix fallback_homedir returning '/' for empty home directories (bsc#1121759)

Other bug fixes and changes: Skip sdap_save_grpmem() if ignore_group_members is set. (bsc#1082568)

Only search for primary group if it is not already cached (bsc#1082568)

Install /var/lib/sss/mc directory to correct sssd cache invalidation behaviour. Spec patch authored by Josef Cejka. (bsc#1039567) to fix a segfault in sudo provider (bsc#977224).

Fix a segfault in sss_cache (bsc#976038).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for sssd fixes the following issues :

Security vulnerability addresed :

CVE-2019-3811: Fix fallback_homedir returning '/' for empty home directories (bsc#1121759)

Other bug fixes and changes: Install logrotate configuration (bsc#1004220)

Align systemd service file with upstream, run interactive and change service type to notify (bsc#1120852)

Fix sssd not starting in foreground mode (bsc#1125277)

Strip whitespaces in netgroup triples (bsc#1087320)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

A vulnerability was found in sssd. If a user was configured with no home directory set, sssd would return '/' (the root directory) instead of '' (the empty string / no home directory). This could impact services that restrict the user's filesystem access to within their home directory through chroot() etc.

For Debian 8 'Jessie', this problem has been fixed in version 1.11.7-3+deb8u2.

We recommend that you upgrade your sssd packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
132447	NewStart CGSL CORE 5.05 / MAIN 5.05 : sssd Multiple Vulnerabilities (NS-SA-2019-0241)	Nessus	NewStart CGSL Local Security Checks	medium
130402	Amazon Linux 2 : sssd (ALAS-2019-1343)	Nessus	Amazon Linux Local Security Checks	medium
129890	NewStart CGSL CORE 5.04 / MAIN 5.04 : sssd Multiple Vulnerabilities (NS-SA-2019-0195)	Nessus	NewStart CGSL Local Security Checks	medium
129797	Amazon Linux AMI : sssd (ALAS-2019-1307)	Nessus	Amazon Linux Local Security Checks	medium
129245	EulerOS 2.0 SP3 : sssd (EulerOS-SA-2019-2052)	Nessus	Huawei Local Security Checks	low
128370	CentOS 7 : sssd (CESA-2019:2177)	Nessus	CentOS Local Security Checks	medium
128264	Scientific Linux Security Update : sssd on SL7.x x86_64 (20190806)	Nessus	Scientific Linux Local Security Checks	medium
127691	RHEL 7 : sssd (RHSA-2019:2177)	Nessus	Red Hat Local Security Checks	medium
126881	EulerOS 2.0 SP2 : sssd (EulerOS-SA-2019-1754)	Nessus	Huawei Local Security Checks	low
126543	EulerOS Virtualization for ARM 64 3.0.2.0 : sssd (EulerOS-SA-2019-1701)	Nessus	Huawei Local Security Checks	low
126296	EulerOS 2.0 SP5 : sssd (EulerOS-SA-2019-1669)	Nessus	Huawei Local Security Checks	low
126287	EulerOS 2.0 SP8 : sssd (EulerOS-SA-2019-1660)	Nessus	Huawei Local Security Checks	low
123991	openSUSE Security Update : sssd (openSUSE-2019-1174)	Nessus	SuSE Local Security Checks	low
123549	SUSE SLED12 / SLES12 Security Update : Recommended update for adcli, sssd (SUSE-SU-2019:0805-1)	Nessus	SuSE Local Security Checks	low
122941	openSUSE Security Update : sssd (openSUSE-2019-344)	Nessus	SuSE Local Security Checks	low
122665	SUSE SLED12 / SLES12 Security Update : sssd (SUSE-SU-2019:0556-1)	Nessus	SuSE Local Security Checks	medium
122663	SUSE SLES12 Security Update : sssd (SUSE-SU-2019:0552-1)	Nessus	SuSE Local Security Checks	low
122645	SUSE SLED15 / SLES15 Security Update : sssd (SUSE-SU-2019:0542-1)	Nessus	SuSE Local Security Checks	low
121233	Debian DLA-1635-1 : sssd security update	Nessus	Debian Local Security Checks	low

CVE-2019-3811

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Configuration 3

Configuration 4

Configuration 5

Tenable Plugins