[Sec-cert] [Fedora] Vulnerability in the System Security Services Daemon before version 1.0.1 - FEDORA-2010-0451

WiN Site Security Contacts win-sec-ssc at lists.dfn-cert.de
Wed Jan 13 16:57:29 CET 2010


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dear colleagues,

We have just received the following Fedora Security Advisory. We are
forwarding this information to you unchanged.


The System Security Services Daemon (SSSD) provides centralized
configuration of the authentication mechanisms (e.g. PAM, NSS, etc.) on
the managed client systems.


CVE-2010-0014 - Flaw in SSSD's verification of passwords against
cached login credentials

  The System Security Services Daemon (SSSD) does not correctly verify
  locally entered passwords (e.g. from the screensaver) against the
  cached login credentials. This allows local attackers to log in with an
  arbitrary password as long as SSSD is in the offline state and a valid
  login credential (e.g. a valid Kerberos TGT) is present in SSSD's
  cache.

The following software packages and platforms are affected:

  Package sssd

  Fedora 11
  Fedora 12

The vendor provides updated packages.

Vendor advisory:
  http://lists.fedoraproject.org/pipermail/package-announce/2010-January/033822.html
  http://lists.fedoraproject.org/pipermail/package-announce/2010-January/033873.html


(c) of the German summary: DFN-CERT Services GmbH; distribution,
including in part, is permitted only with attribution to the author,
DFN-CERT Services GmbH, and only for non-commercial purposes.

Kind regards,
	Torsten Voss

--

Dipl.-Ing.(FH) Torsten Voss (Incident Response Team)

DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone  +49 40 808077-555
Registered office / Register: Hamburg, AG Hamburg, HRB 88805, VAT ID: DE 232129737
Sachsenstrasse 5, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski

17th DFN Workshop    "Sicherheit in vernetzten Systemen" (Security in Networked Systems)    09./10.02.2010
Information at https://www.dfn-cert.de/veranstaltungen/workshop.html

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2010-0451
2010-01-12 20:07:22
--------------------------------------------------------------------------------

Name        : sssd
Product     : Fedora 11
Version     : 1.0.1
Release     : 1.fc11
URL         : http://fedorahosted.org/sssd
Summary     : System Security Services Daemon
Description :
Provides a set of daemons to manage access to remote directories and
authentication mechanisms. It provides an NSS and PAM interface toward
the system and a pluggable backend system to connect to multiple different
account sources. It is also the basis to provide client auditing and policy
services for projects like FreeIPA.

--------------------------------------------------------------------------------
Update Information:

Fixes CVE-2010-0014 - SSSD accepts any password when offline with a valid TGT
available
--------------------------------------------------------------------------------
ChangeLog:

* Mon Jan 11 2010 Stephen Gallagher <sgallagh at redhat.com> - 1.0.1-1
- Fix CVE-2010-0014
* Mon Dec 21 2009 Stephen Gallagher <sgallagh at redhat.com> - 1.0.0-2
- Patch SSSDConfig API to address
- https://bugzilla.redhat.com/show_bug.cgi?id=549482
* Fri Dec 18 2009 Stephen Gallagher <sgallagh at redhat.com> - 1.0.0-1
- New upstream stable release 1.0.0
* Fri Dec 11 2009 Stephen Gallagher <sgallagh at redhat.com> - 0.99.1-1
- New upstream bugfix release 0.99.1
* Mon Nov 30 2009 Stephen Gallagher <sgallagh at redhat.com> - 0.99.0-1
- New upstream release 0.99.0
* Tue Oct 27 2009 Stephen Gallagher <sgallagh at redhat.com> - 0.7.1-1
- Fix segfault in sssd_pam when cache_credentials was enabled
- Update the sample configuration
- Fix upgrade issues caused by data provider service removal
* Mon Oct 26 2009 Stephen Gallagher <sgallagh at redhat.com> - 0.7.0-2
- Fix upgrade issues from old (pre-0.5.0) releases of SSSD
* Fri Oct 23 2009 Stephen Gallagher <sgallagh at redhat.com> - 0.7.0-1
- New upstream release 0.7.0
* Thu Oct 15 2009 Stephen Gallagher <sgallagh at redhat.com> - 0.6.1-2
- Fix missing file permissions for sssd-clients
* Tue Oct 13 2009 Stephen Gallagher <sgallagh at redhat.com> - 0.6.1-1
- Add SSSDConfig API
- Update polish translation for 0.6.0
- Fix long timeout on ldap operation
- Make dp requests more robust
* Tue Sep 29 2009 Stephen Gallagher <sgallagh at redhat.com> - 0.6.0-1
- Ensure that the configuration upgrade script always writes the config
  file with 0600 permissions
- Eliminate an infinite loop in group enumerations
* Mon Sep 28 2009 Sumit Bose <sbose at redhat.com> - 0.6.0-0
- New upstream release 0.6.0
* Mon Aug 24 2009 Simo Sorce <ssorce at redhat.com> - 0.5.0-0
- New upstream release 0.5.0
* Wed Jul 29 2009 Jakub Hrozek <jhrozek at redhat.com> - 0.4.1-4
- Fix for CVE-2009-2410 - Native SSSD users with no password set could log in
  without a password. (Patch by Stephen Gallagher)
* Sun Jul 26 2009 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 0.4.1-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
* Mon Jun 22 2009 Simo Sorce <ssorce at redhat.com> - 0.4.1-2
- Fix a couple of segfaults that may happen on reload
* Thu Jun 11 2009 Simo Sorce <ssorce at redhat.com> - 0.4.1-1
- add missing configure check that broke stopping the daemon
- also fix default config to add a missing required option
* Mon Jun  8 2009 Simo Sorce <ssorce at redhat.com> - 0.4.1-0
- latest upstream release.
- also add a patch that fixes debugging output (potential segfault)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #553631 - CVE-2010-0014 SSSD accepts any password when offline with a valid TGT available
        https://bugzilla.redhat.com/show_bug.cgi?id=553631
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use
su -c 'yum update sssd' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
http://fedoraproject.org/keys
--------------------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFLTe1pWmhIvjFb90URAnP8AKCKbzu8O+jc9o3V4FljqDpyXpF0FwCfSJ5B
MoXIskZ4kR1vp0tOxZNDqVg=
=7LcP
-----END PGP SIGNATURE-----
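
The failure mode behind CVE-2010-0014, as described in the advisory above, modelled in Python as an added example. This is not SSSD's code and is not the upstream patch: the cache entry layout, the function names, the PBKDF2 hashing and the constructed timestamps are assumptions made for the illustration only. What it shows is the logic error the advisory describes: a cached Kerberos TGT proves that a login succeeded at some earlier point, not that the person now typing at the screensaver knows the password, so an offline path that short-circuits on "valid TGT in cache" accepts any password, while the corrected path compares the typed password against the cached password hash regardless of the ticket.

```python
"""Offline cached-credential authentication: vulnerable vs. fixed logic.

Added illustration for CVE-2010-0014. Not SSSD's implementation; the cache
format, hashing scheme and names below are assumptions for this example.
"""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # assumed work factor for this illustration


def make_cache_entry(password: str, tgt_valid_until: float) -> dict:
    """Build a constructed cache entry as a daemon might store it after a
    successful online login with credential caching enabled.
    'tgt_valid_until' models the expiry of a cached Kerberos TGT (assumption)."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha512", password.encode(), salt, PBKDF2_ROUNDS),
        "tgt_valid_until": tgt_valid_until,
    }


def has_valid_tgt(entry: dict, now: float) -> bool:
    """True if the cached ticket has not yet expired."""
    return entry["tgt_valid_until"] > now


def password_matches(entry: dict, password: str) -> bool:
    """Verify a typed password against the cached hash in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha512", password.encode(), entry["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, entry["pw_hash"])


def vulnerable_offline_auth(entry: dict, password: str, now: float) -> bool:
    """Bug pattern of the kind the advisory describes: a valid cached TGT is
    treated as proof of authentication, so the typed password is never
    compared. Any password unlocks the session while the ticket is valid."""
    if has_valid_tgt(entry, now):
        return True
    return password_matches(entry, password)


def fixed_offline_auth(entry: dict, password: str, now: float) -> bool:
    """Offline, the only evidence about the person at the keyboard is whether
    the typed password matches the cached hash; the ticket's validity says
    nothing about that and must not bypass the check."""
    return password_matches(entry, password)


def demo() -> dict:
    """Run both variants over constructed inputs and return the outcomes so
    they can be checked rather than only printed."""
    now = 1_263_400_000.0  # constructed 'current time' (January 2010, epoch seconds)
    entry = make_cache_entry("correct horse", tgt_valid_until=now + 3600)
    expired = dict(entry, tgt_valid_until=now - 1)
    return {
        "vuln_wrong_pw_valid_tgt": vulnerable_offline_auth(entry, "anything", now),
        "vuln_wrong_pw_expired_tgt": vulnerable_offline_auth(expired, "anything", now),
        "fixed_wrong_pw_valid_tgt": fixed_offline_auth(entry, "anything", now),
        "fixed_right_pw_valid_tgt": fixed_offline_auth(entry, "correct horse", now),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:28s} -> {'accepted' if accepted else 'rejected'}")
```

The first case is the one the advisory warns about: with a valid TGT cached and the daemon offline, the vulnerable path accepts "anything". Once the ticket expires the vulnerable path falls through to the hash comparison and rejects it, which is why the bug only bites while a valid credential is in the cache. The fixed path gives the same answer in both situations, because the decision depends only on the password.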


