CVE-2023-3758

Summary

A race condition flaw was found in sssd where the GPO policy is not consistently applied for authenticated users. This may lead to improper authorization issues, granting or denying access to resources inappropriately.

Affected Software

VendorProductVersion RangeStatus
0 < 2.9.5affected
Red HatRed Hat Enterprise Linux 80:2.9.4-3.el8_10 < *unaffected
Red HatRed Hat Enterprise Linux 80:2.9.4-3.el8_10 < *unaffected
Red HatRed Hat Enterprise Linux 8.6 Extended Update Support0:2.6.2-4.el8_6.3 < *unaffected
Red HatRed Hat Enterprise Linux 8.8 Extended Update Support0:2.8.2-4.el8_8.2 < *unaffected
Red HatRed Hat Enterprise Linux 90:2.9.4-6.el9_4 < *unaffected
Red HatRed Hat Enterprise Linux 90:2.9.4-6.el9_4 < *unaffected
Red HatRed Hat Enterprise Linux 9.0 Extended Update Support0:2.6.2-4.el9_0.3 < *unaffected
Red HatRed Hat Enterprise Linux 9.2 Extended Update Support0:2.8.2-5.el9_2.4 < *unaffected
Red HatRed Hat Virtualization 4 for Red Hat Enterprise Linux 80:2.6.2-4.el8_6.3 < *unaffected

Weaknesses

  • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Workarounds

A mitigation can be applied to the sssd.conf file that would make the occurrence of the race condition more difficult:

  1. Increase the GPO cache time out editing the following configuration directive in sssd.conf file: a) ad_gpo_cache_timeout = 3600 Ps.: This value (3600) should make the cache time out in one hour but would make GPO updates propagation from AD server to local machines take longer.

[1] https://access.redhat.com/documentation/pt-br/red_hat_enterprise_linux/7/html/windows_integration_guide/sssd-gpo

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

CVE Program Container

Additional References

References