Vulnerabilities > CVE-2013-0219 - Permissions, Privileges, and Access Controls vulnerability in multiple products

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN

Summary

System Security Services Daemon (SSSD) before 1.9.4, when (1) creating, (2) copying, or (3) removing a user home directory tree, allows local users to create, modify, or delete arbitrary files via a symlink attack on another user's files.

Vulnerable Configurations

Part Description Count
Application
Fedoraproject
77
OS
Redhat
2

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Accessing, Modifying or Executing Executable Files
    An attack of this type exploits a system's configuration that allows an attacker to either directly access an executable file, for example through shell access; or in a possible worst case allows an attacker to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.
  • Leverage Executable Code in Non-Executable Files
    An attack of this type exploits a system's trust in configuration and resource files, when the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high. The attack can be directed at a client system, such as causing buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028 where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading pdf files. In this case the attacker simply appends javascript to the end of a legitimate url for a pdf (http://www.gnucitizen.org/blog/danger-danger-danger/) http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here The client assumes that they are reading a pdf, but the attacker has modified the resource and loaded executable javascript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server, adding role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when they are manipulated, the attacker gains full control.
  • Blue Boxing
    This type of attack against older telephone switches and trunks has been around for decades. A tone is sent by an adversary to impersonate a supervisor signal which has the effect of rerouting or usurping command of the line. While the US infrastructure proper may not contain widespread vulnerabilities to this type of attack, many companies are connected globally through call centers and business process outsourcing. These international systems may be operated in countries which have not upgraded Telco infrastructure and so are vulnerable to Blue boxing. Blue boxing is a result of failure on the part of the system to enforce strong authorization for administrative functions. While the infrastructure is different than standard current applications like web applications, there are historical lessons to be learned to upgrade the access control for administrative functions.
  • Restful Privilege Elevation
    Rest uses standard HTTP (Get, Put, Delete) style permissions methods, but these are not necessarily correlated generally with back end programs. Strict interpretation of HTTP get methods means that these HTTP Get services should not be used to delete information on the server, but there is no access control mechanism to back up this logic. This means that unless the services are properly ACL'd and the application's service implementation are following these guidelines then an HTTP request can easily execute a delete or update on the server side. The attacker identifies a HTTP Get URL such as http://victimsite/updateOrder, which calls out to a program to update orders on a database or other resource. The URL is not idempotent so the request can be submitted multiple times by the attacker, additionally, the attacker may be able to exploit the URL published as a Get method that actually performs updates (instead of merely retrieving data). This may result in malicious or inadvertent altering of data on the server.
  • Target Programs with Elevated Privileges
    This attack targets programs running with elevated privileges. The attacker would try to leverage a bug in the running program and get arbitrary code to execute with elevated privileges. For instance an attacker would look for programs that write to the system directories or registry keys (such as HKLM, which stores a number of critical Windows environment variables). These programs are typically running with elevated privileges and have usually not been designed with security in mind. Such programs are excellent exploit targets because they yield lots of power when they break. The malicious user try to execute its code at the same level as a privileged system call.

Nessus

  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2013-1319.NASL
    descriptionFrom Red Hat Security Advisory 2013:1319 : Updated sssd packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. SSSD (System Security Services Daemon) provides a set of daemons to manage access to remote directories and authentication mechanisms. It provides NSS (Name Service Switch) and PAM (Pluggable Authentication Modules) interfaces toward the system and a pluggable back end system to connect to multiple different account sources. A race condition was found in the way SSSD copied and removed user home directories. A local attacker who is able to write into the home directory of a different user who is being removed could use this flaw to perform symbolic link attacks, possibly allowing them to modify and delete arbitrary files with the privileges of the root user. (CVE-2013-0219) The CVE-2013-0219 issue war discovered by Florian Weimer of the Red Hat Product Security Team. This update also fixes the following bugs : * After a paging control was used, memory in the sssd_be process was never freed which led to the growth of the sssd_be process memory usage over time. To fix this bug, the paging control was deallocated after use, and thus the memory usage of the sssd_be process no longer grows. (BZ#820908) * If the sssd_be process was terminated and recreated while there were authentication requests pending, the sssd_pam process did not recover correctly and did not reconnect to the new sssd_be process. Consequently, the sssd_pam process was seemingly blocked and did not accept any new authentication requests. The sssd_pam process has been fixes so that it reconnects to the new instance of the sssd_be process after the original one terminated unexpectedly. Even after a crash and reconnect, the sssd_pam process now accepts new authentication requests. (BZ#882414) * When the sssd_be process hung for a while, it was terminated and a new instance was created. If the old instance did not respond to the TERM signal and continued running, SSSD terminated unexpectedly. As a consequence, the user could not log in. SSSD now keeps track of sssd_be subprocesses more effectively, making the restarts of sssd_be more reliable in such scenarios. Users can now log in whenever the sssd_be is restarted and becomes unresponsive. (BZ#886165) * In case the processing of an LDAP request took longer than the client timeout upon completing the request (60 seconds by default), the PAM client could have accessed memory that was previously freed due to the client timeout being reached. As a result, the sssd_pam process terminated unexpectedly with a segmentation fault. SSSD now ignores an LDAP request result when it detects that the set timeout of this request has been reached. The sssd_pam process no longer crashes in the aforementioned scenario. (BZ#923813) * When there was a heavy load of users and groups to be saved in cache, SSSD experienced a timeout. Consequently, NSS did not start the backup process properly and it was impossible to log in. A patch has been provided to fix this bug. The SSSD daemon now remains responsive and the login continues as expected. (BZ#805729) * SSSD kept the file descriptors to the log files open. Consequently, on occasions like moving the actual log file and restarting the back end, SSSD still kept the file descriptors open. SSSD now closes the file descriptor after the child process execution; after a successful back end start, the file descriptor to log files is closed. (BZ#961680) * While performing access control in the Identity Management back end, SSSD erroneously downloaded the
    last seen2020-06-01
    modified2020-06-02
    plugin id70347
    published2013-10-09
    reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/70347
    titleOracle Linux 5 : sssd (ELSA-2013-1319)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Red Hat Security Advisory RHSA-2013:1319 and 
    # Oracle Linux Security Advisory ELSA-2013-1319 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(70347);
      script_version("1.5");
      script_cvs_date("Date: 2019/09/30 10:58:18");
    
      script_cve_id("CVE-2013-0219");
      script_bugtraq_id(57539);
      script_xref(name:"RHSA", value:"2013:1319");
    
      script_name(english:"Oracle Linux 5 : sssd (ELSA-2013-1319)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Oracle Linux host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "From Red Hat Security Advisory 2013:1319 :
    
    Updated sssd packages that fix one security issue and several bugs are
    now available for Red Hat Enterprise Linux 5.
    
    The Red Hat Security Response Team has rated this update as having low
    security impact. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available from the
    CVE link in the References section.
    
    SSSD (System Security Services Daemon) provides a set of daemons to
    manage access to remote directories and authentication mechanisms. It
    provides NSS (Name Service Switch) and PAM (Pluggable Authentication
    Modules) interfaces toward the system and a pluggable back end system
    to connect to multiple different account sources.
    
    A race condition was found in the way SSSD copied and removed user
    home directories. A local attacker who is able to write into the home
    directory of a different user who is being removed could use this flaw
    to perform symbolic link attacks, possibly allowing them to modify and
    delete arbitrary files with the privileges of the root user.
    (CVE-2013-0219)
    
    The CVE-2013-0219 issue war discovered by Florian Weimer of the Red
    Hat Product Security Team.
    
    This update also fixes the following bugs :
    
    * After a paging control was used, memory in the sssd_be process was
    never freed which led to the growth of the sssd_be process memory
    usage over time. To fix this bug, the paging control was deallocated
    after use, and thus the memory usage of the sssd_be process no longer
    grows. (BZ#820908)
    
    * If the sssd_be process was terminated and recreated while there were
    authentication requests pending, the sssd_pam process did not recover
    correctly and did not reconnect to the new sssd_be process.
    Consequently, the sssd_pam process was seemingly blocked and did not
    accept any new authentication requests. The sssd_pam process has been
    fixes so that it reconnects to the new instance of the sssd_be process
    after the original one terminated unexpectedly. Even after a crash and
    reconnect, the sssd_pam process now accepts new authentication
    requests. (BZ#882414)
    
    * When the sssd_be process hung for a while, it was terminated and a
    new instance was created. If the old instance did not respond to the
    TERM signal and continued running, SSSD terminated unexpectedly. As a
    consequence, the user could not log in. SSSD now keeps track of
    sssd_be subprocesses more effectively, making the restarts of sssd_be
    more reliable in such scenarios. Users can now log in whenever the
    sssd_be is restarted and becomes unresponsive. (BZ#886165)
    
    * In case the processing of an LDAP request took longer than the
    client timeout upon completing the request (60 seconds by default),
    the PAM client could have accessed memory that was previously freed
    due to the client timeout being reached. As a result, the sssd_pam
    process terminated unexpectedly with a segmentation fault. SSSD now
    ignores an LDAP request result when it detects that the set timeout of
    this request has been reached. The sssd_pam process no longer crashes
    in the aforementioned scenario. (BZ#923813)
    
    * When there was a heavy load of users and groups to be saved in
    cache, SSSD experienced a timeout. Consequently, NSS did not start the
    backup process properly and it was impossible to log in. A patch has
    been provided to fix this bug. The SSSD daemon now remains responsive
    and the login continues as expected. (BZ#805729)
    
    * SSSD kept the file descriptors to the log files open. Consequently,
    on occasions like moving the actual log file and restarting the back
    end, SSSD still kept the file descriptors open. SSSD now closes the
    file descriptor after the child process execution; after a successful
    back end start, the file descriptor to log files is closed.
    (BZ#961680)
    
    * While performing access control in the Identity Management back end,
    SSSD erroneously downloaded the 'member' attribute from the server and
    then attempted to use it in the cache verbatim. Consequently, the
    cache attempted to use the 'member' attribute values as if they were
    pointing to the local cache which was CPU intensive. The member
    attribute when processing host groups is no longer downloaded and
    processed. Moreover, the login process is reasonably fast even with
    large host groups. (BZ#979047)
    
    All sssd users are advised to upgrade to these updated packages, which
    contain backported patches to correct these issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/el-errata/2013-October/003713.html"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected sssd packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:H/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:libipa_hbac");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:libipa_hbac-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:libipa_hbac-python");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:sssd");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:sssd-client");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:sssd-tools");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:5");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2013/02/24");
      script_set_attribute(attribute:"patch_publication_date", value:"2013/10/08");
      script_set_attribute(attribute:"plugin_publication_date", value:"2013/10/09");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Oracle Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
    os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
    os_ver = os_ver[1];
    if (! preg(pattern:"^5([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 5", "Oracle Linux " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && "ia64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);
    
    flag = 0;
    if (rpm_check(release:"EL5", reference:"libipa_hbac-1.5.1-70.el5")) flag++;
    if (rpm_check(release:"EL5", reference:"libipa_hbac-devel-1.5.1-70.el5")) flag++;
    if (rpm_check(release:"EL5", reference:"libipa_hbac-python-1.5.1-70.el5")) flag++;
    if (rpm_check(release:"EL5", reference:"sssd-1.5.1-70.el5")) flag++;
    if (rpm_check(release:"EL5", reference:"sssd-client-1.5.1-70.el5")) flag++;
    if (rpm_check(release:"EL5", reference:"sssd-tools-1.5.1-70.el5")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_note(port:0, extra:rpm_report_get());
      else security_note(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libipa_hbac / libipa_hbac-devel / libipa_hbac-python / sssd / etc");
    }
    
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2013-0508.NASL
    descriptionUpdated sssd packages that fix two security issues, multiple bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having low security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The System Security Services Daemon (SSSD) provides a set of daemons to manage access to remote directories and authentication mechanisms. It provides an NSS and PAM interface toward the system and a pluggable back-end system to connect to multiple different account sources. It is also the basis to provide client auditing and policy services for projects such as FreeIPA. A race condition was found in the way SSSD copied and removed user home directories. A local attacker who is able to write into the home directory of a different user who is being removed could use this flaw to perform symbolic link attacks, possibly allowing them to modify and delete arbitrary files with the privileges of the root user. (CVE-2013-0219) Multiple out-of-bounds memory read flaws were found in the way the autofs and SSH service responders parsed certain SSSD packets. An attacker could spend a specially crafted packet that, when processed by the autofs or SSH service responders, would cause SSSD to crash. This issue only caused a temporary denial of service, as SSSD was automatically restarted by the monitor process after the crash. (CVE-2013-0220) The CVE-2013-0219 and CVE-2013-0220 issues were discovered by Florian Weimer of the Red Hat Product Security Team. These updated sssd packages also include numerous bug fixes and enhancements. Space precludes documenting all of these changes in this advisory. Users are directed to the Red Hat Enterprise Linux 6.4 Technical Notes, linked to in the References, for information on the most significant of these changes. All SSSD users are advised to upgrade to these updated packages, which upgrade SSSD to upstream version 1.9 to correct these issues, fix these bugs and add these enhancements.
    last seen2020-06-01
    modified2020-06-02
    plugin id64758
    published2013-02-21
    reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/64758
    titleRHEL 6 : sssd (RHSA-2013:0508)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2013:0508. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(64758);
      script_version("1.18");
      script_cvs_date("Date: 2019/10/24 15:35:36");
    
      script_cve_id("CVE-2013-0219", "CVE-2013-0220");
      script_bugtraq_id(57539);
      script_xref(name:"RHSA", value:"2013:0508");
    
      script_name(english:"RHEL 6 : sssd (RHSA-2013:0508)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated sssd packages that fix two security issues, multiple bugs, and
    add various enhancements are now available for Red Hat Enterprise
    Linux 6.
    
    The Red Hat Security Response Team has rated this update as having low
    security impact. Common Vulnerability Scoring System (CVSS) base
    scores, which give detailed severity ratings, are available for each
    vulnerability from the CVE links in the References section.
    
    The System Security Services Daemon (SSSD) provides a set of daemons
    to manage access to remote directories and authentication mechanisms.
    It provides an NSS and PAM interface toward the system and a pluggable
    back-end system to connect to multiple different account sources. It
    is also the basis to provide client auditing and policy services for
    projects such as FreeIPA.
    
    A race condition was found in the way SSSD copied and removed user
    home directories. A local attacker who is able to write into the home
    directory of a different user who is being removed could use this flaw
    to perform symbolic link attacks, possibly allowing them to modify and
    delete arbitrary files with the privileges of the root user.
    (CVE-2013-0219)
    
    Multiple out-of-bounds memory read flaws were found in the way the
    autofs and SSH service responders parsed certain SSSD packets. An
    attacker could spend a specially crafted packet that, when processed
    by the autofs or SSH service responders, would cause SSSD to crash.
    This issue only caused a temporary denial of service, as SSSD was
    automatically restarted by the monitor process after the crash.
    (CVE-2013-0220)
    
    The CVE-2013-0219 and CVE-2013-0220 issues were discovered by Florian
    Weimer of the Red Hat Product Security Team.
    
    These updated sssd packages also include numerous bug fixes and
    enhancements. Space precludes documenting all of these changes in this
    advisory. Users are directed to the Red Hat Enterprise Linux 6.4
    Technical Notes, linked to in the References, for information on the
    most significant of these changes.
    
    All SSSD users are advised to upgrade to these updated packages, which
    upgrade SSSD to upstream version 1.9 to correct these issues, fix
    these bugs and add these enhancements."
      );
      # https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?b5caa05f"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2013:0508"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2013-0219"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2013-0220"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libipa_hbac");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libipa_hbac-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libipa_hbac-python");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libsss_autofs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libsss_idmap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libsss_idmap-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libsss_sudo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libsss_sudo-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:sssd");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:sssd-client");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:sssd-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:sssd-tools");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2013/02/24");
      script_set_attribute(attribute:"patch_publication_date", value:"2013/02/21");
      script_set_attribute(attribute:"plugin_publication_date", value:"2013/02/21");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 6.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2013:0508";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_WARNING,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL6", reference:"libipa_hbac-1.9.2-82.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"libipa_hbac-devel-1.9.2-82.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"i686", reference:"libipa_hbac-python-1.9.2-82.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"s390x", reference:"libipa_hbac-python-1.9.2-82.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"libipa_hbac-python-1.9.2-82.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"i686", reference:"libsss_autofs-1.9.2-82.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"s390x", reference:"libsss_autofs-1.9.2-82.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"libsss_autofs-1.9.2-82.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"libsss_idmap-1.9.2-82.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"libsss_idmap-devel-1.9.2-82.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"i686", reference:"libsss_sudo-1.9.2-82.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"s390x", reference:"libsss_sudo-1.9.2-82.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"libsss_sudo-1.9.2-82.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"libsss_sudo-devel-1.9.2-82.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"i686", reference:"sssd-1.9.2-82.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"s390x", reference:"sssd-1.9.2-82.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"sssd-1.9.2-82.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"sssd-client-1.9.2-82.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"sssd-debuginfo-1.9.2-82.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"i686", reference:"sssd-tools-1.9.2-82.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"s390x", reference:"sssd-tools-1.9.2-82.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"sssd-tools-1.9.2-82.el6")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_WARNING,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libipa_hbac / libipa_hbac-devel / libipa_hbac-python / etc");
      }
    }
    
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2013-0508.NASL
    descriptionFrom Red Hat Security Advisory 2013:0508 : Updated sssd packages that fix two security issues, multiple bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having low security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The System Security Services Daemon (SSSD) provides a set of daemons to manage access to remote directories and authentication mechanisms. It provides an NSS and PAM interface toward the system and a pluggable back-end system to connect to multiple different account sources. It is also the basis to provide client auditing and policy services for projects such as FreeIPA. A race condition was found in the way SSSD copied and removed user home directories. A local attacker who is able to write into the home directory of a different user who is being removed could use this flaw to perform symbolic link attacks, possibly allowing them to modify and delete arbitrary files with the privileges of the root user. (CVE-2013-0219) Multiple out-of-bounds memory read flaws were found in the way the autofs and SSH service responders parsed certain SSSD packets. An attacker could spend a specially crafted packet that, when processed by the autofs or SSH service responders, would cause SSSD to crash. This issue only caused a temporary denial of service, as SSSD was automatically restarted by the monitor process after the crash. (CVE-2013-0220) The CVE-2013-0219 and CVE-2013-0220 issues were discovered by Florian Weimer of the Red Hat Product Security Team. These updated sssd packages also include numerous bug fixes and enhancements. Space precludes documenting all of these changes in this advisory. Users are directed to the Red Hat Enterprise Linux 6.4 Technical Notes, linked to in the References, for information on the most significant of these changes. All SSSD users are advised to upgrade to these updated packages, which upgrade SSSD to upstream version 1.9 to correct these issues, fix these bugs and add these enhancements.
    last seen2020-06-01
    modified2020-06-02
    plugin id68747
    published2013-07-12
    reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/68747
    titleOracle Linux 6 : sssd (ELSA-2013-0508)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Red Hat Security Advisory RHSA-2013:0508 and 
    # Oracle Linux Security Advisory ELSA-2013-0508 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(68747);
      script_version("1.7");
      script_cvs_date("Date: 2019/09/30 10:58:18");
    
      script_cve_id("CVE-2013-0219", "CVE-2013-0220");
      script_bugtraq_id(57539);
      script_xref(name:"RHSA", value:"2013:0508");
    
      script_name(english:"Oracle Linux 6 : sssd (ELSA-2013-0508)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Oracle Linux host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "From Red Hat Security Advisory 2013:0508 :
    
    Updated sssd packages that fix two security issues, multiple bugs, and
    add various enhancements are now available for Red Hat Enterprise
    Linux 6.
    
    The Red Hat Security Response Team has rated this update as having low
    security impact. Common Vulnerability Scoring System (CVSS) base
    scores, which give detailed severity ratings, are available for each
    vulnerability from the CVE links in the References section.
    
    The System Security Services Daemon (SSSD) provides a set of daemons
    to manage access to remote directories and authentication mechanisms.
    It provides an NSS and PAM interface toward the system and a pluggable
    back-end system to connect to multiple different account sources. It
    is also the basis to provide client auditing and policy services for
    projects such as FreeIPA.
    
    A race condition was found in the way SSSD copied and removed user
    home directories. A local attacker who is able to write into the home
    directory of a different user who is being removed could use this flaw
    to perform symbolic link attacks, possibly allowing them to modify and
    delete arbitrary files with the privileges of the root user.
    (CVE-2013-0219)
    
    Multiple out-of-bounds memory read flaws were found in the way the
    autofs and SSH service responders parsed certain SSSD packets. An
    attacker could spend a specially crafted packet that, when processed
    by the autofs or SSH service responders, would cause SSSD to crash.
    This issue only caused a temporary denial of service, as SSSD was
    automatically restarted by the monitor process after the crash.
    (CVE-2013-0220)
    
    The CVE-2013-0219 and CVE-2013-0220 issues were discovered by Florian
    Weimer of the Red Hat Product Security Team.
    
    These updated sssd packages also include numerous bug fixes and
    enhancements. Space precludes documenting all of these changes in this
    advisory. Users are directed to the Red Hat Enterprise Linux 6.4
    Technical Notes, linked to in the References, for information on the
    most significant of these changes.
    
    All SSSD users are advised to upgrade to these updated packages, which
    upgrade SSSD to upstream version 1.9 to correct these issues, fix
    these bugs and add these enhancements."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/el-errata/2013-February/003295.html"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected sssd packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:libipa_hbac");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:libipa_hbac-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:libipa_hbac-python");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:libsss_autofs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:libsss_idmap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:libsss_idmap-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:libsss_sudo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:libsss_sudo-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:sssd");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:sssd-client");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:sssd-tools");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:6");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2013/02/24");
      script_set_attribute(attribute:"patch_publication_date", value:"2013/02/28");
      script_set_attribute(attribute:"plugin_publication_date", value:"2013/07/12");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Oracle Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
    os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
    os_ver = os_ver[1];
    if (! preg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 6", "Oracle Linux " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);
    
    flag = 0;
    if (rpm_check(release:"EL6", reference:"libipa_hbac-1.9.2-82.el6")) flag++;
    if (rpm_check(release:"EL6", reference:"libipa_hbac-devel-1.9.2-82.el6")) flag++;
    if (rpm_check(release:"EL6", reference:"libipa_hbac-python-1.9.2-82.el6")) flag++;
    if (rpm_check(release:"EL6", reference:"libsss_autofs-1.9.2-82.el6")) flag++;
    if (rpm_check(release:"EL6", reference:"libsss_idmap-1.9.2-82.el6")) flag++;
    if (rpm_check(release:"EL6", reference:"libsss_idmap-devel-1.9.2-82.el6")) flag++;
    if (rpm_check(release:"EL6", reference:"libsss_sudo-1.9.2-82.el6")) flag++;
    if (rpm_check(release:"EL6", reference:"libsss_sudo-devel-1.9.2-82.el6")) flag++;
    if (rpm_check(release:"EL6", reference:"sssd-1.9.2-82.el6")) flag++;
    if (rpm_check(release:"EL6", reference:"sssd-client-1.9.2-82.el6")) flag++;
    if (rpm_check(release:"EL6", reference:"sssd-tools-1.9.2-82.el6")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libipa_hbac / libipa_hbac-devel / libipa_hbac-python / etc");
    }
    
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20130930_SSSD_ON_SL5_X.NASL
    descriptionA race condition was found in the way SSSD copied and removed user home directories. A local attacker who is able to write into the home directory of a different user who is being removed could use this flaw to perform symbolic link attacks, possibly allowing them to modify and delete arbitrary files with the privileges of the root user. (CVE-2013-0219) This update also fixes the following bugs : - After a paging control was used, memory in the sssd_be process was never freed which led to the growth of the sssd_be process memory usage over time. To fix this bug, the paging control was deallocated after use, and thus the memory usage of the sssd_be process no longer grows. - If the sssd_be process was terminated and recreated while there were authentication requests pending, the sssd_pam process did not recover correctly and did not reconnect to the new sssd_be process. Consequently, the sssd_pam process was seemingly blocked and did not accept any new authentication requests. The sssd_pam process has been fixes so that it reconnects to the new instance of the sssd_be process after the original one terminated unexpectedly. Even after a crash and reconnect, the sssd_pam process now accepts new authentication requests. - When the sssd_be process hung for a while, it was terminated and a new instance was created. If the old instance did not respond to the TERM signal and continued running, SSSD terminated unexpectedly. As a consequence, the user could not log in. SSSD now keeps track of sssd_be subprocesses more effectively, making the restarts of sssd_be more reliable in such scenarios. Users can now log in whenever the sssd_be is restarted and becomes unresponsive. - In case the processing of an LDAP request took longer than the client timeout upon completing the request (60 seconds by default), the PAM client could have accessed memory that was previously freed due to the client timeout being reached. As a result, the sssd_pam process terminated unexpectedly with a segmentation fault. SSSD now ignores an LDAP request result when it detects that the set timeout of this request has been reached. The sssd_pam process no longer crashes in the aforementioned scenario. - When there was a heavy load of users and groups to be saved in cache, SSSD experienced a timeout. Consequently, NSS did not start the backup process properly and it was impossible to log in. A patch has been provided to fix this bug. The SSSD daemon now remains responsive and the login continues as expected. - SSSD kept the file descriptors to the log files open. Consequently, on occasions like moving the actual log file and restarting the back end, SSSD still kept the file descriptors open. SSSD now closes the file descriptor after the child process execution; after a successful back end start, the file descriptor to log files is closed. - While performing access control in the Identity Management back end, SSSD erroneously downloaded the
    last seen2020-03-18
    modified2013-10-11
    plugin id70391
    published2013-10-11
    reporterThis script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/70391
    titleScientific Linux Security Update : sssd on SL5.x i386/x86_64 (20130930)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text is (C) Scientific Linux.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(70391);
      script_version("1.5");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");
    
      script_cve_id("CVE-2013-0219");
    
      script_name(english:"Scientific Linux Security Update : sssd on SL5.x i386/x86_64 (20130930)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Scientific Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "A race condition was found in the way SSSD copied and removed user
    home directories. A local attacker who is able to write into the home
    directory of a different user who is being removed could use this flaw
    to perform symbolic link attacks, possibly allowing them to modify and
    delete arbitrary files with the privileges of the root user.
    (CVE-2013-0219)
    
    This update also fixes the following bugs :
    
      - After a paging control was used, memory in the sssd_be
        process was never freed which led to the growth of the
        sssd_be process memory usage over time. To fix this bug,
        the paging control was deallocated after use, and thus
        the memory usage of the sssd_be process no longer grows.
    
      - If the sssd_be process was terminated and recreated
        while there were authentication requests pending, the
        sssd_pam process did not recover correctly and did not
        reconnect to the new sssd_be process. Consequently, the
        sssd_pam process was seemingly blocked and did not
        accept any new authentication requests. The sssd_pam
        process has been fixes so that it reconnects to the new
        instance of the sssd_be process after the original one
        terminated unexpectedly. Even after a crash and
        reconnect, the sssd_pam process now accepts new
        authentication requests.
    
      - When the sssd_be process hung for a while, it was
        terminated and a new instance was created. If the old
        instance did not respond to the TERM signal and
        continued running, SSSD terminated unexpectedly. As a
        consequence, the user could not log in. SSSD now keeps
        track of sssd_be subprocesses more effectively, making
        the restarts of sssd_be more reliable in such scenarios.
        Users can now log in whenever the sssd_be is restarted
        and becomes unresponsive.
    
      - In case the processing of an LDAP request took longer
        than the client timeout upon completing the request (60
        seconds by default), the PAM client could have accessed
        memory that was previously freed due to the client
        timeout being reached. As a result, the sssd_pam process
        terminated unexpectedly with a segmentation fault. SSSD
        now ignores an LDAP request result when it detects that
        the set timeout of this request has been reached. The
        sssd_pam process no longer crashes in the aforementioned
        scenario.
    
      - When there was a heavy load of users and groups to be
        saved in cache, SSSD experienced a timeout.
        Consequently, NSS did not start the backup process
        properly and it was impossible to log in. A patch has
        been provided to fix this bug. The SSSD daemon now
        remains responsive and the login continues as expected.
    
      - SSSD kept the file descriptors to the log files open.
        Consequently, on occasions like moving the actual log
        file and restarting the back end, SSSD still kept the
        file descriptors open. SSSD now closes the file
        descriptor after the child process execution; after a
        successful back end start, the file descriptor to log
        files is closed.
    
      - While performing access control in the Identity
        Management back end, SSSD erroneously downloaded the
        'member' attribute from the server and then attempted to
        use it in the cache verbatim. Consequently, the cache
        attempted to use the 'member' attribute values as if
        they were pointing to the local cache which was CPU
        intensive. The member attribute when processing host
        groups is no longer downloaded and processed. Moreover,
        the login process is reasonably fast even with large
        host groups."
      );
      # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1310&L=scientific-linux-errata&T=0&P=1052
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?b9a54a74"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:H/Au:N/C:P/I:P/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:libipa_hbac");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:libipa_hbac-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:libipa_hbac-python");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:sssd");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:sssd-client");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:sssd-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:sssd-tools");
      script_set_attribute(attribute:"cpe", value:"x-cpe:/o:fermilab:scientific_linux");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2013/02/24");
      script_set_attribute(attribute:"patch_publication_date", value:"2013/09/30");
      script_set_attribute(attribute:"plugin_publication_date", value:"2013/10/11");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Scientific Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Scientific Linux " >!< release) audit(AUDIT_HOST_NOT, "running Scientific Linux");
    os_ver = pregmatch(pattern: "Scientific Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Scientific Linux");
    os_ver = os_ver[1];
    if (! preg(pattern:"^5([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Scientific Linux 5.x", "Scientific Linux " + os_ver);
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Scientific Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"SL5", reference:"libipa_hbac-1.5.1-70.el5")) flag++;
    if (rpm_check(release:"SL5", reference:"libipa_hbac-devel-1.5.1-70.el5")) flag++;
    if (rpm_check(release:"SL5", reference:"libipa_hbac-python-1.5.1-70.el5")) flag++;
    if (rpm_check(release:"SL5", reference:"sssd-1.5.1-70.el5")) flag++;
    if (rpm_check(release:"SL5", reference:"sssd-client-1.5.1-70.el5")) flag++;
    if (rpm_check(release:"SL5", reference:"sssd-debuginfo-1.5.1-70.el5")) flag++;
    if (rpm_check(release:"SL5", reference:"sssd-tools-1.5.1-70.el5")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_NOTE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libipa_hbac / libipa_hbac-devel / libipa_hbac-python / sssd / etc");
    }
    
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2013-1319.NASL
    descriptionUpdated sssd packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. SSSD (System Security Services Daemon) provides a set of daemons to manage access to remote directories and authentication mechanisms. It provides NSS (Name Service Switch) and PAM (Pluggable Authentication Modules) interfaces toward the system and a pluggable back end system to connect to multiple different account sources. A race condition was found in the way SSSD copied and removed user home directories. A local attacker who is able to write into the home directory of a different user who is being removed could use this flaw to perform symbolic link attacks, possibly allowing them to modify and delete arbitrary files with the privileges of the root user. (CVE-2013-0219) The CVE-2013-0219 issue war discovered by Florian Weimer of the Red Hat Product Security Team. This update also fixes the following bugs : * After a paging control was used, memory in the sssd_be process was never freed which led to the growth of the sssd_be process memory usage over time. To fix this bug, the paging control was deallocated after use, and thus the memory usage of the sssd_be process no longer grows. (BZ#820908) * If the sssd_be process was terminated and recreated while there were authentication requests pending, the sssd_pam process did not recover correctly and did not reconnect to the new sssd_be process. Consequently, the sssd_pam process was seemingly blocked and did not accept any new authentication requests. The sssd_pam process has been fixes so that it reconnects to the new instance of the sssd_be process after the original one terminated unexpectedly. Even after a crash and reconnect, the sssd_pam process now accepts new authentication requests. (BZ#882414) * When the sssd_be process hung for a while, it was terminated and a new instance was created. If the old instance did not respond to the TERM signal and continued running, SSSD terminated unexpectedly. As a consequence, the user could not log in. SSSD now keeps track of sssd_be subprocesses more effectively, making the restarts of sssd_be more reliable in such scenarios. Users can now log in whenever the sssd_be is restarted and becomes unresponsive. (BZ#886165) * In case the processing of an LDAP request took longer than the client timeout upon completing the request (60 seconds by default), the PAM client could have accessed memory that was previously freed due to the client timeout being reached. As a result, the sssd_pam process terminated unexpectedly with a segmentation fault. SSSD now ignores an LDAP request result when it detects that the set timeout of this request has been reached. The sssd_pam process no longer crashes in the aforementioned scenario. (BZ#923813) * When there was a heavy load of users and groups to be saved in cache, SSSD experienced a timeout. Consequently, NSS did not start the backup process properly and it was impossible to log in. A patch has been provided to fix this bug. The SSSD daemon now remains responsive and the login continues as expected. (BZ#805729) * SSSD kept the file descriptors to the log files open. Consequently, on occasions like moving the actual log file and restarting the back end, SSSD still kept the file descriptors open. SSSD now closes the file descriptor after the child process execution; after a successful back end start, the file descriptor to log files is closed. (BZ#961680) * While performing access control in the Identity Management back end, SSSD erroneously downloaded the
    last seen2020-06-01
    modified2020-06-02
    plugin id79151
    published2014-11-12
    reporterThis script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/79151
    titleCentOS 5 : sssd (CESA-2013:1319)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20130221_SSSD_ON_SL6_X.NASL
    descriptionA race condition was found in the way SSSD copied and removed user home directories. A local attacker who is able to write into the home directory of a different user who is being removed could use this flaw to perform symbolic link attacks, possibly allowing them to modify and delete arbitrary files with the privileges of the root user. (CVE-2013-0219) Multiple out-of-bounds memory read flaws were found in the way the autofs and SSH service responders parsed certain SSSD packets. An attacker could spend a specially crafted packet that, when processed by the autofs or SSH service responders, would cause SSSD to crash. This issue only caused a temporary denial of service, as SSSD was automatically restarted by the monitor process after the crash. (CVE-2013-0220)
    last seen2020-03-18
    modified2013-03-05
    plugin id65016
    published2013-03-05
    reporterThis script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/65016
    titleScientific Linux Security Update : sssd on SL6.x i386/x86_64 (20130221)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2013-0508.NASL
    descriptionUpdated sssd packages that fix two security issues, multiple bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having low security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The System Security Services Daemon (SSSD) provides a set of daemons to manage access to remote directories and authentication mechanisms. It provides an NSS and PAM interface toward the system and a pluggable back-end system to connect to multiple different account sources. It is also the basis to provide client auditing and policy services for projects such as FreeIPA. A race condition was found in the way SSSD copied and removed user home directories. A local attacker who is able to write into the home directory of a different user who is being removed could use this flaw to perform symbolic link attacks, possibly allowing them to modify and delete arbitrary files with the privileges of the root user. (CVE-2013-0219) Multiple out-of-bounds memory read flaws were found in the way the autofs and SSH service responders parsed certain SSSD packets. An attacker could spend a specially crafted packet that, when processed by the autofs or SSH service responders, would cause SSSD to crash. This issue only caused a temporary denial of service, as SSSD was automatically restarted by the monitor process after the crash. (CVE-2013-0220) The CVE-2013-0219 and CVE-2013-0220 issues were discovered by Florian Weimer of the Red Hat Product Security Team. These updated sssd packages also include numerous bug fixes and enhancements. Space precludes documenting all of these changes in this advisory. Users are directed to the Red Hat Enterprise Linux 6.4 Technical Notes, linked to in the References, for information on the most significant of these changes. All SSSD users are advised to upgrade to these updated packages, which upgrade SSSD to upstream version 1.9 to correct these issues, fix these bugs and add these enhancements.
    last seen2020-06-01
    modified2020-06-02
    plugin id65142
    published2013-03-10
    reporterThis script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/65142
    titleCentOS 6 : sssd (CESA-2013:0508)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2013-1826.NASL
    descriptionA rebase to the latest LTM upstream relase that fixes CVE-2013-0220 and CVE-2013-0219 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-17
    modified2013-02-13
    plugin id64602
    published2013-02-13
    reporterThis script is Copyright (C) 2013-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/64602
    titleFedora 17 : sssd-1.8.6-1.fc17 (2013-1826)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2013-1795.NASL
    descriptionA rebase to the latest LTM upstream relase that fixes CVE-2013-0220 and CVE-2013-0219. Also fixes recreating the Kerberos cache when any part of the ccache directory is gone. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-17
    modified2013-02-11
    plugin id64545
    published2013-02-11
    reporterThis script is Copyright (C) 2013-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/64545
    titleFedora 18 : sssd-1.9.4-2.fc18 (2013-1795)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2013-1319.NASL
    descriptionUpdated sssd packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. SSSD (System Security Services Daemon) provides a set of daemons to manage access to remote directories and authentication mechanisms. It provides NSS (Name Service Switch) and PAM (Pluggable Authentication Modules) interfaces toward the system and a pluggable back end system to connect to multiple different account sources. A race condition was found in the way SSSD copied and removed user home directories. A local attacker who is able to write into the home directory of a different user who is being removed could use this flaw to perform symbolic link attacks, possibly allowing them to modify and delete arbitrary files with the privileges of the root user. (CVE-2013-0219) The CVE-2013-0219 issue war discovered by Florian Weimer of the Red Hat Product Security Team. This update also fixes the following bugs : * After a paging control was used, memory in the sssd_be process was never freed which led to the growth of the sssd_be process memory usage over time. To fix this bug, the paging control was deallocated after use, and thus the memory usage of the sssd_be process no longer grows. (BZ#820908) * If the sssd_be process was terminated and recreated while there were authentication requests pending, the sssd_pam process did not recover correctly and did not reconnect to the new sssd_be process. Consequently, the sssd_pam process was seemingly blocked and did not accept any new authentication requests. The sssd_pam process has been fixes so that it reconnects to the new instance of the sssd_be process after the original one terminated unexpectedly. Even after a crash and reconnect, the sssd_pam process now accepts new authentication requests. (BZ#882414) * When the sssd_be process hung for a while, it was terminated and a new instance was created. If the old instance did not respond to the TERM signal and continued running, SSSD terminated unexpectedly. As a consequence, the user could not log in. SSSD now keeps track of sssd_be subprocesses more effectively, making the restarts of sssd_be more reliable in such scenarios. Users can now log in whenever the sssd_be is restarted and becomes unresponsive. (BZ#886165) * In case the processing of an LDAP request took longer than the client timeout upon completing the request (60 seconds by default), the PAM client could have accessed memory that was previously freed due to the client timeout being reached. As a result, the sssd_pam process terminated unexpectedly with a segmentation fault. SSSD now ignores an LDAP request result when it detects that the set timeout of this request has been reached. The sssd_pam process no longer crashes in the aforementioned scenario. (BZ#923813) * When there was a heavy load of users and groups to be saved in cache, SSSD experienced a timeout. Consequently, NSS did not start the backup process properly and it was impossible to log in. A patch has been provided to fix this bug. The SSSD daemon now remains responsive and the login continues as expected. (BZ#805729) * SSSD kept the file descriptors to the log files open. Consequently, on occasions like moving the actual log file and restarting the back end, SSSD still kept the file descriptors open. SSSD now closes the file descriptor after the child process execution; after a successful back end start, the file descriptor to log files is closed. (BZ#961680) * While performing access control in the Identity Management back end, SSSD erroneously downloaded the
    last seen2020-04-16
    modified2013-10-01
    plugin id70246
    published2013-10-01
    reporterThis script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/70246
    titleRHEL 5 : sssd (RHSA-2013:1319)

Redhat

advisories
  • bugzilla
    id979047
    titlesssd_be goes to 99% CPU and causes significant login delays when client is under load
    oval
    OR
    • commentRed Hat Enterprise Linux must be installed
      ovaloval:com.redhat.rhba:tst:20070304026
    • AND
      • commentRed Hat Enterprise Linux 5 is installed
        ovaloval:com.redhat.rhba:tst:20070331005
      • OR
        • AND
          • commentsssd is earlier than 0:1.5.1-70.el5
            ovaloval:com.redhat.rhsa:tst:20131319001
          • commentsssd is signed with Red Hat redhatrelease key
            ovaloval:com.redhat.rhsa:tst:20110975004
        • AND
          • commentlibipa_hbac-devel is earlier than 0:1.5.1-70.el5
            ovaloval:com.redhat.rhsa:tst:20131319003
          • commentlibipa_hbac-devel is signed with Red Hat redhatrelease key
            ovaloval:com.redhat.rhsa:tst:20131319004
        • AND
          • commentsssd-client is earlier than 0:1.5.1-70.el5
            ovaloval:com.redhat.rhsa:tst:20131319005
          • commentsssd-client is signed with Red Hat redhatrelease key
            ovaloval:com.redhat.rhsa:tst:20110975006
        • AND
          • commentlibipa_hbac-python is earlier than 0:1.5.1-70.el5
            ovaloval:com.redhat.rhsa:tst:20131319007
          • commentlibipa_hbac-python is signed with Red Hat redhatrelease key
            ovaloval:com.redhat.rhsa:tst:20131319008
        • AND
          • commentlibipa_hbac is earlier than 0:1.5.1-70.el5
            ovaloval:com.redhat.rhsa:tst:20131319009
          • commentlibipa_hbac is signed with Red Hat redhatrelease key
            ovaloval:com.redhat.rhsa:tst:20131319010
        • AND
          • commentsssd-tools is earlier than 0:1.5.1-70.el5
            ovaloval:com.redhat.rhsa:tst:20131319011
          • commentsssd-tools is signed with Red Hat redhatrelease key
            ovaloval:com.redhat.rhsa:tst:20110975002
    rhsa
    idRHSA-2013:1319
    released2013-09-30
    severityLow
    titleRHSA-2013:1319: sssd security and bug fix update (Low)
  • rhsa
    idRHSA-2013:0508
rpms
  • libipa_hbac-0:1.9.2-82.el6
  • libipa_hbac-devel-0:1.9.2-82.el6
  • libipa_hbac-python-0:1.9.2-82.el6
  • libsss_autofs-0:1.9.2-82.el6
  • libsss_idmap-0:1.9.2-82.el6
  • libsss_idmap-devel-0:1.9.2-82.el6
  • libsss_sudo-0:1.9.2-82.el6
  • libsss_sudo-devel-0:1.9.2-82.el6
  • sssd-0:1.9.2-82.el6
  • sssd-client-0:1.9.2-82.el6
  • sssd-debuginfo-0:1.9.2-82.el6
  • sssd-tools-0:1.9.2-82.el6
  • libipa_hbac-0:1.5.1-70.el5
  • libipa_hbac-devel-0:1.5.1-70.el5
  • libipa_hbac-python-0:1.5.1-70.el5
  • sssd-0:1.5.1-70.el5
  • sssd-client-0:1.5.1-70.el5
  • sssd-debuginfo-0:1.5.1-70.el5
  • sssd-tools-0:1.5.1-70.el5