CVE-2023-3758

2024-04-1810:52:33

redhat.com

access.redhat.com

sssd

gpo policy

race condition

authorization

mitigation

sssd.conf

7.1 High

CVSS3

Attack Vector

ADJACENT

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

6.9 Medium

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

14.4%

JSON

A race condition flaw was found in sssd where the GPO policy is not consistently applied for authenticated users. This may lead to improper authorization issues, granting or denying access to resources inappropriately.

Mitigation

A mitigation can be applied to the sssd.conf file that would make the occurrence of the race condition more difficult:

1. Increase the GPO cache time out editing the following configuration directive in sssd.conf file:
a) ad_gpo_cache_timeout = 3600
Ps.: This value (3600) should make the cache time out in one hour but would make GPO updates propagation from AD server to local machines take longer.

[1] <https://access.redhat.com/documentation/pt-br/red_hat_enterprise_linux/7/html/windows_integration_guide/sssd-gpo>