Bugzilla – Bug 1124194
VUL-0: CVE-2018-16838: sssd: improper implementation of GPOs due to too restrictive permissions
Last modified: 2024-07-16 15:40:13 UTC
rh#1640820 A flaw was found in the sssd Group Policy Objects implementation. When the GPO is not readable by SSSD due to too strict permission settings on the server side, SSSD will allow all authenticated users to log in instead of denying access.
References:
https://bugzilla.redhat.com/show_bug.cgi?id=1640820
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-16838
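The fail-open behaviour described above, as an added illustration that is not sssd's own code: a hypothetical GPO evaluation loop that skips an unreadable policy (so the user ends up allowed) next to a fail-closed variant that denies unless the administrator explicitly opts in (the opt-in flag is modelled on sssd's ad_gpo_ignore_unreadable option, but the structures and function names here are assumptions).

```c
/* Added illustration of CVE-2018-16838's failure mode; not sssd code.
 * All names below are hypothetical. */
#include <stdbool.h>
#include <stddef.h>

struct gpo {
    const char *name;
    bool readable;      /* SSSD could read the policy container */
    bool denies_user;   /* policy, once read, denies the user logon rights */
};

/* Vulnerable pattern: an unreadable GPO contributes no deny rule, so the
 * loop finishes with "no deny found" and every authenticated user passes. */
static bool access_allowed_vulnerable(const struct gpo *gpos, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (!gpos[i].readable)
            continue;               /* silently skipped: fail-open */
        if (gpos[i].denies_user)
            return false;
    }
    return true;
}

/* Hardened pattern: a policy that cannot be evaluated is a deny, unless the
 * administrator explicitly chooses to ignore unreadable GPOs. */
static bool access_allowed_fixed(const struct gpo *gpos, size_t n,
                                 bool ignore_unreadable)
{
    for (size_t i = 0; i < n; i++) {
        if (!gpos[i].readable) {
            if (ignore_unreadable)
                continue;           /* explicit opt-in by the admin */
            return false;           /* fail-closed */
        }
        if (gpos[i].denies_user)
            return false;
    }
    return true;
}

/* Constructed sample: the second GPO (the one that would deny the user)
 * has server-side permissions too strict for SSSD to read it. */
static const struct gpo sample_gpos[] = {
    { "Default Domain Policy", true,  false },
    { "Restrict Logon",        false, true  },
};
static const size_t sample_gpo_count = 2;
```

With this sample the vulnerable loop allows the user while the fixed loop denies, and only the explicit ignore_unreadable opt-in restores the permissive result.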
Currently there is no further information regarding this issue. We will come back when we have more information.
https://pagure.io/SSSD/sssd/c/ad058011b6b75b15c674be46a3ae9b3cc5228175
The issue was introduced in [1] when GPO-based access control was introduced in sssd. Based on this, the first version which had GPO-based access control is 1.11.90. Tracked as affected: SLE12-SP2, SLE12-SP4 and SLE15.
[1] https://github.com/SSSD/sssd/commit/60cab26b12df9a2153823972cde0c38ca86e01b9
The patches are in the maintenance queue, assign to security team to close after release.
SUSE-SU-2019:1477-1: An update that solves one vulnerability and has one errata is now available.
Category: security (moderate)
Bug References: 1124194,1132879
CVE References: CVE-2018-16838
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src): sssd-1.13.4-34.37.1
SUSE Linux Enterprise Server 12-SP3 (src): sssd-1.13.4-34.37.1
SUSE Linux Enterprise Desktop 12-SP3 (src): sssd-1.13.4-34.37.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2019:1476-1: An update that solves one vulnerability and has three fixes is now available.
Category: security (moderate)
Bug References: 1124194,1132657,1132879,1135247
CVE References: CVE-2018-16838
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src): sssd-1.16.1-3.24.6
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src): sssd-1.16.1-3.24.6
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): sssd-1.16.1-3.24.6
SUSE Linux Enterprise Module for Basesystem 15 (src): sssd-1.16.1-3.24.6
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2019:1480-1: An update that solves one vulnerability and has three fixes is now available.
Category: security (moderate)
Bug References: 1124194,1132657,1132879,1135247
CVE References: CVE-2018-16838
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src): sssd-1.16.1-4.12.2
SUSE Linux Enterprise Server 12-SP4 (src): sssd-1.16.1-4.12.2
SUSE Linux Enterprise Desktop 12-SP4 (src): sssd-1.16.1-4.12.2
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2019:1576-1: An update that solves one vulnerability and has one errata is now available.
Category: security (moderate)
Bug References: 1124194,1132879
CVE References: CVE-2018-16838
Sources used:
openSUSE Leap 42.3 (src): sssd-1.13.4-21.1
openSUSE-SU-2019:1589-1: An update that solves one vulnerability and has three fixes is now available.
Category: security (moderate)
Bug References: 1124194,1132657,1132879,1135247
CVE References: CVE-2018-16838
Sources used:
openSUSE Leap 15.1 (src): sssd-1.16.1-lp151.7.3.1
openSUSE Leap 15.0 (src): sssd-1.16.1-lp150.2.16.1
done