CVE-2023-3758
7.1
CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
A race condition flaw was found in sssd where the GPO policy is not consistently applied for authenticated users. This may lead to improper authorization issues, granting or denying access to resources inappropriately.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
0 < 2.9.5 | affected | ||
| Red Hat | Red Hat Enterprise Linux 8 | 0:2.9.4-3.el8_10 < * | unaffected |
| Red Hat | Red Hat Enterprise Linux 8 | 0:2.9.4-3.el8_10 < * | unaffected |
| Red Hat | Red Hat Enterprise Linux 8.6 Extended Update Support | 0:2.6.2-4.el8_6.3 < * | unaffected |
| Red Hat | Red Hat Enterprise Linux 8.8 Extended Update Support | 0:2.8.2-4.el8_8.2 < * | unaffected |
| Red Hat | Red Hat Enterprise Linux 9 | 0:2.9.4-6.el9_4 < * | unaffected |
| Red Hat | Red Hat Enterprise Linux 9 | 0:2.9.4-6.el9_4 < * | unaffected |
| Red Hat | Red Hat Enterprise Linux 9.0 Extended Update Support | 0:2.6.2-4.el9_0.3 < * | unaffected |
| Red Hat | Red Hat Enterprise Linux 9.2 Extended Update Support | 0:2.8.2-5.el9_2.4 < * | unaffected |
| Red Hat | Red Hat Virtualization 4 for Red Hat Enterprise Linux 8 | 0:2.6.2-4.el8_6.3 < * | unaffected |
Weaknesses
- CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Workarounds
A mitigation can be applied to the sssd.conf file that would make the occurrence of the race condition more difficult:
- Increase the GPO cache time out editing the following configuration directive in sssd.conf file: a) ad_gpo_cache_timeout = 3600 Ps.: This value (3600) should make the cache time out in one hour but would make GPO updates propagation from AD server to local machines take longer.
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
CVE Program Container
Additional References
- https://access.redhat.com/errata/RHSA-2024:1919
- https://access.redhat.com/errata/RHSA-2024:1920
- https://access.redhat.com/errata/RHSA-2024:1921
- https://access.redhat.com/errata/RHSA-2024:1922
- https://access.redhat.com/errata/RHSA-2024:2571
- https://access.redhat.com/errata/RHSA-2024:3270
- https://access.redhat.com/security/cve/CVE-2023-3758
- https://bugzilla.redhat.com/show_bug.cgi?id=2223762
- https://github.com/SSSD/sssd/pull/7302
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RV3HIZI3SURBUQKSOOL3XE64OOBQ2HTK/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XEP62IDS7A55D5UHM6GH7QZ7SQFOAPVF/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XMORAO2BDDA5YX4ZLMXDZ7SM6KU47SY5/
- https://lists.debian.org/debian-lts-announce/2025/02/msg00008.html
References
- https://access.redhat.com/errata/RHSA-2024:1919
- https://access.redhat.com/errata/RHSA-2024:1920
- https://access.redhat.com/errata/RHSA-2024:1921
- https://access.redhat.com/errata/RHSA-2024:1922
- https://access.redhat.com/errata/RHSA-2024:2571
- https://access.redhat.com/errata/RHSA-2024:3270
- https://access.redhat.com/security/cve/CVE-2023-3758
- https://bugzilla.redhat.com/show_bug.cgi?id=2223762
- https://github.com/SSSD/sssd/pull/7302
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.