Scientific Linux Security Update : sssd on SL7.x x86_64

Medium Nessus Plugin ID 87575

Synopsis

The remote Scientific Linux host is missing one or more security updates.

Description

It was found that SSSD's Privilege Attribute Certificate (PAC) responder plug-in would leak a small amount of memory on each authentication request. A remote attacker could potentially use this flaw to exhaust all available memory on the system by making repeated requests to a Kerberized daemon application configured to authenticate using the PAC responder plug-in. (CVE-2015-5292)

The sssd packages have been upgraded to upstream version 1.13.0, which provides a number of bug fixes and enhancements over the previous version.

- SSSD smart card support * Cache authentication in SSSD * SSSD supports overriding automatically discovered AD site * SSSD can now deny SSH access to locked accounts * SSSD enables UID and GID mapping on individual clients * Background refresh of cached entries * Multi-step prompting for one-time and long-term passwords * Caching for initgroups operations

Bugs fixed :

- When the SELinux user content on an IdM server was set to an empty string, the SSSD SELinux evaluation utility returned an error.

- If the ldap_child process failed to initialize credentials and exited with an error multiple times, operations that create files in some cases started failing due to an insufficient amount of i-nodes.

- The SRV queries used a hard-coded TTL timeout, and environments that wanted the SRV queries to be valid for a certain time only were blocked. Now, SSSD parses the TTL value out of the DNS packet.

- Previously, initgroups operation took an excessive amount of time. Now, logins and ID processing are faster for setups with AD back end and disabled ID mapping.

- When an IdM client with Scientific Linux 7.1 or later was connecting to a server with Scientific Linux 7.0 or earlier, authentication with an AD trusted domain caused the sssd_be process to terminate unexpectedly.

- If replication conflict entries appeared during HBAC processing, the user was denied access. Now, the replication conflict entries are skipped and users are permitted access.

- The array of SIDs no longer contains an uninitialized value and SSSD no longer crashes.

- SSSD supports GPOs from different domain controllers and no longer crashes when processing GPOs from different domain controllers.

- SSSD could not refresh sudo rules that contained groups with special characters, such as parentheses, in their name.

- The IPA names are not qualified on the client side if the server already qualified them, and IdM group members resolve even if default_domain_suffix is used on the server side.

- The internal cache cleanup task has been disabled by default to improve performance of the sssd_be process.

- Now, default_domain_suffix is not considered anymore for autofs maps.

- The user can set subdomain_inherit=ignore_group-members to disable fetching group members for trusted domains.

- The group resolution failed with an error message:
'Error: 14 (Bad address)'. The binary GUID handling has been fixed.

Enhancements added :

- The description of default_domain_suffix has been improved in the manual pages.

- With the new '%0' template option, users on SSSD IdM clients can now use home directories set on AD.

Solution

Update the affected packages.

See Also

http://www.nessus.org/u?b620618f

Plugin Details

Severity: Medium

ID: 87575

File Name: sl_20151119_sssd_on_SL7_x.nasl

Version: 2.2

Type: local

Agent: unix

Published: 2015/12/22

Updated: 2018/12/28

Dependencies: 12634

Risk Information

Risk Factor: Medium

CVSS v2.0

Base Score: 6.8

Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:C

Vulnerability Information

CPE: x-cpe:/o:fermilab:scientific_linux

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/RedHat/release, Host/RedHat/rpm-list

Patch Publication Date: 2015/11/19

Reference Information

CVE: CVE-2015-5292