Low: sssd

2019-01-2218:00:00

alas.aws.amazon.com

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.004 Low

EPSS

Percentile

72.7%

JSON

Issue Overview:

The UNIX pipe which sudo uses to contact SSSD and read the available sudo rules from SSSD utilizes too broad of a set of permissions. Any user who can send a message using the same raw protocol that sudo and SSSD use can read the sudo rules available for any user. (CVE-2018-10852)

Affected Packages:

sssd

Issue Correction:
Run yum update sssd to update your system.

New Packages:

i686:  
    python27-libipa_hbac-1.16.2-13.amzn1.i686  
    libsss_sudo-1.16.2-13.amzn1.i686  
    sssd-client-1.16.2-13.amzn1.i686  
    sssd-1.16.2-13.amzn1.i686  
    sssd-winbind-idmap-1.16.2-13.amzn1.i686  
    sssd-dbus-1.16.2-13.amzn1.i686  
    libipa_hbac-1.16.2-13.amzn1.i686  
    sssd-krb5-1.16.2-13.amzn1.i686  
    sssd-tools-1.16.2-13.amzn1.i686  
    sssd-common-1.16.2-13.amzn1.i686  
    sssd-proxy-1.16.2-13.amzn1.i686  
    libsss_idmap-devel-1.16.2-13.amzn1.i686  
    libsss_nss_idmap-1.16.2-13.amzn1.i686  
    python27-libsss_nss_idmap-1.16.2-13.amzn1.i686  
    sssd-krb5-common-1.16.2-13.amzn1.i686  
    python27-sss-murmur-1.16.2-13.amzn1.i686  
    libsss_autofs-1.16.2-13.amzn1.i686  
    libsss_certmap-devel-1.16.2-13.amzn1.i686  
    sssd-ipa-1.16.2-13.amzn1.i686  
    sssd-libwbclient-1.16.2-13.amzn1.i686  
    libsss_certmap-1.16.2-13.amzn1.i686  
    python27-sss-1.16.2-13.amzn1.i686  
    sssd-ad-1.16.2-13.amzn1.i686  
    sssd-libwbclient-devel-1.16.2-13.amzn1.i686  
    libsss_simpleifp-devel-1.16.2-13.amzn1.i686  
    libsss_simpleifp-1.16.2-13.amzn1.i686  
    libsss_nss_idmap-devel-1.16.2-13.amzn1.i686  
    libsss_idmap-1.16.2-13.amzn1.i686  
    libipa_hbac-devel-1.16.2-13.amzn1.i686  
    sssd-common-pac-1.16.2-13.amzn1.i686  
    sssd-ldap-1.16.2-13.amzn1.i686  
    sssd-debuginfo-1.16.2-13.amzn1.i686  
  
noarch:  
    python27-sssdconfig-1.16.2-13.amzn1.noarch  
  
src:  
    sssd-1.16.2-13.amzn1.src  
  
x86_64:  
    sssd-1.16.2-13.amzn1.x86_64  
    libsss_certmap-1.16.2-13.amzn1.x86_64  
    sssd-proxy-1.16.2-13.amzn1.x86_64  
    sssd-ad-1.16.2-13.amzn1.x86_64  
    libsss_simpleifp-devel-1.16.2-13.amzn1.x86_64  
    sssd-libwbclient-1.16.2-13.amzn1.x86_64  
    python27-sss-1.16.2-13.amzn1.x86_64  
    python27-sss-murmur-1.16.2-13.amzn1.x86_64  
    libsss_simpleifp-1.16.2-13.amzn1.x86_64  
    sssd-client-1.16.2-13.amzn1.x86_64  
    libsss_autofs-1.16.2-13.amzn1.x86_64  
    sssd-krb5-common-1.16.2-13.amzn1.x86_64  
    sssd-ipa-1.16.2-13.amzn1.x86_64  
    sssd-debuginfo-1.16.2-13.amzn1.x86_64  
    sssd-libwbclient-devel-1.16.2-13.amzn1.x86_64  
    sssd-common-1.16.2-13.amzn1.x86_64  
    sssd-ldap-1.16.2-13.amzn1.x86_64  
    sssd-krb5-1.16.2-13.amzn1.x86_64  
    libsss_idmap-1.16.2-13.amzn1.x86_64  
    libsss_certmap-devel-1.16.2-13.amzn1.x86_64  
    sssd-common-pac-1.16.2-13.amzn1.x86_64  
    libsss_idmap-devel-1.16.2-13.amzn1.x86_64  
    python27-libipa_hbac-1.16.2-13.amzn1.x86_64  
    libipa_hbac-devel-1.16.2-13.amzn1.x86_64  
    libsss_sudo-1.16.2-13.amzn1.x86_64  
    sssd-dbus-1.16.2-13.amzn1.x86_64  
    python27-libsss_nss_idmap-1.16.2-13.amzn1.x86_64  
    libsss_nss_idmap-1.16.2-13.amzn1.x86_64  
    sssd-tools-1.16.2-13.amzn1.x86_64  
    libipa_hbac-1.16.2-13.amzn1.x86_64  
    libsss_nss_idmap-devel-1.16.2-13.amzn1.x86_64  
    sssd-winbind-idmap-1.16.2-13.amzn1.x86_64

Additional References

Red Hat: CVE-2018-10852

Mitre: CVE-2018-10852

OSVersionArchitecturePackageVersionFilename
Amazon Linux1i686python27-libipa_hbac< 1.16.2-13.amzn1python27-libipa_hbac-1.16.2-13.amzn1.i686.rpm
Amazon Linux1i686libsss_sudo< 1.16.2-13.amzn1libsss_sudo-1.16.2-13.amzn1.i686.rpm
Amazon Linux1i686sssd-client< 1.16.2-13.amzn1sssd-client-1.16.2-13.amzn1.i686.rpm
Amazon Linux1i686sssd< 1.16.2-13.amzn1sssd-1.16.2-13.amzn1.i686.rpm
Amazon Linux1i686sssd-winbind-idmap< 1.16.2-13.amzn1sssd-winbind-idmap-1.16.2-13.amzn1.i686.rpm
Amazon Linux1i686sssd-dbus< 1.16.2-13.amzn1sssd-dbus-1.16.2-13.amzn1.i686.rpm
Amazon Linux1i686libipa_hbac< 1.16.2-13.amzn1libipa_hbac-1.16.2-13.amzn1.i686.rpm
Amazon Linux1i686sssd-krb5< 1.16.2-13.amzn1sssd-krb5-1.16.2-13.amzn1.i686.rpm
Amazon Linux1i686sssd-tools< 1.16.2-13.amzn1sssd-tools-1.16.2-13.amzn1.i686.rpm
Amazon Linux1i686sssd-common< 1.16.2-13.amzn1sssd-common-1.16.2-13.amzn1.i686.rpm

OS	Version	Architecture	Package	Version	Filename
Amazon Linux	1	i686	python27-libipa_hbac	< 1.16.2-13.amzn1	python27-libipa_hbac-1.16.2-13.amzn1.i686.rpm
Amazon Linux	1	i686	libsss_sudo	< 1.16.2-13.amzn1	libsss_sudo-1.16.2-13.amzn1.i686.rpm
Amazon Linux	1	i686	sssd-client	< 1.16.2-13.amzn1	sssd-client-1.16.2-13.amzn1.i686.rpm
Amazon Linux	1	i686	sssd	< 1.16.2-13.amzn1	sssd-1.16.2-13.amzn1.i686.rpm
Amazon Linux	1	i686	sssd-winbind-idmap	< 1.16.2-13.amzn1	sssd-winbind-idmap-1.16.2-13.amzn1.i686.rpm
Amazon Linux	1	i686	sssd-dbus	< 1.16.2-13.amzn1	sssd-dbus-1.16.2-13.amzn1.i686.rpm
Amazon Linux	1	i686	libipa_hbac	< 1.16.2-13.amzn1	libipa_hbac-1.16.2-13.amzn1.i686.rpm
Amazon Linux	1	i686	sssd-krb5	< 1.16.2-13.amzn1	sssd-krb5-1.16.2-13.amzn1.i686.rpm
Amazon Linux	1	i686	sssd-tools	< 1.16.2-13.amzn1	sssd-tools-1.16.2-13.amzn1.i686.rpm
Amazon Linux	1	i686	sssd-common	< 1.16.2-13.amzn1	sssd-common-1.16.2-13.amzn1.i686.rpm