CVE-2023-3758 - OpenCVE

A race condition flaw was found in sssd where the GPO policy is not consistently applied for authenticated users. This may lead to improper authorization issues, granting or denying access to resources inappropriately.

Attack Vector Adjacent Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

No data.

No data.

References

Link	Resource
https://access.redhat.com/errata/RHSA-2024:1919
https://access.redhat.com/errata/RHSA-2024:1920
https://access.redhat.com/errata/RHSA-2024:1921
https://access.redhat.com/errata/RHSA-2024:1922
https://access.redhat.com/errata/RHSA-2024:2571
https://access.redhat.com/errata/RHSA-2024:3270
https://access.redhat.com/security/cve/CVE-2023-3758
https://bugzilla.redhat.com/show_bug.cgi?id=2223762
https://github.com/SSSD/sssd/pull/7302
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RV3HIZI3SURBUQKSOOL3XE64OOBQ2HTK/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XEP62IDS7A55D5UHM6GH7QZ7SQFOAPVF/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XMORAO2BDDA5YX4ZLMXDZ7SM6KU47SY5/

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: redhat

Published: 2024-04-18T19:06:44.216Z

Updated: 2024-06-04T17:17:31.274Z

Reserved: 2023-07-18T19:00:51.269Z

Link: CVE-2023-3758

JSON object: View

NVD Information

Status : Awaiting Analysis

Published: 2024-04-18T19:15:08.597

Modified: 2024-05-22T18:15:09.053

Link: CVE-2023-3758

JSON object: View

Redhat Information

No data.

CWE

CWE-285

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-3758", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2023-07-18T19:00:51.269Z", "datePublished": "2024-04-18T19:06:44.216Z", "dateUpdated": "2024-06-04T17:17:31.274Z"}, "containers": {"cna": {"title": "Sssd: race condition during authorization leads to gpo policies functioning inconsistently", "metrics": [{"other": {"content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A race condition flaw was found in sssd where the GPO policy is not consistently applied for authenticated users. This may lead to improper authorization issues, granting or denying access to resources inappropriately."}], "affected": [{"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "sssd", "defaultStatus": "affected", "versions": [{"version": "0:2.9.4-3.el8_10", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:enterprise_linux:8::crb", "cpe:/a:redhat:enterprise_linux:8::appstream", "cpe:/o:redhat:enterprise_linux:8::baseos"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "sssd", "defaultStatus": "affected", "versions": [{"version": "0:2.9.4-3.el8_10", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:enterprise_linux:8::crb", "cpe:/a:redhat:enterprise_linux:8::appstream", "cpe:/o:redhat:enterprise_linux:8::baseos"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8.6 Extended Update Support", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "sssd", "defaultStatus": "affected", "versions": [{"version": "0:2.6.2-4.el8_6.3", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/o:redhat:rhel_eus:8.6::baseos", "cpe:/a:redhat:rhel_eus:8.6::crb", "cpe:/o:redhat:rhev_hypervisor:4.4::el8"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8.8 Extended Update Support", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "sssd", "defaultStatus": "affected", "versions": [{"version": "0:2.8.2-4.el8_8.2", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:rhel_eus:8.8::appstream", "cpe:/o:redhat:rhel_eus:8.8::baseos", "cpe:/a:redhat:rhel_eus:8.8::crb"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "sssd", "defaultStatus": "affected", "versions": [{"version": "0:2.9.4-6.el9_4", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/o:redhat:enterprise_linux:9::baseos", "cpe:/a:redhat:enterprise_linux:9::crb", "cpe:/a:redhat:enterprise_linux:9::appstream"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "sssd", "defaultStatus": "affected", "versions": [{"version": "0:2.9.4-6.el9_4", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/o:redhat:enterprise_linux:9::baseos", "cpe:/a:redhat:enterprise_linux:9::crb", "cpe:/a:redhat:enterprise_linux:9::appstream"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9.0 Extended Update Support", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "sssd", "defaultStatus": "affected", "versions": [{"version": "0:2.6.2-4.el9_0.3", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/o:redhat:rhel_eus:9.0::baseos", "cpe:/a:redhat:rhel_eus:9.0::crb"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9.2 Extended Update Support", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "sssd", "defaultStatus": "affected", "versions": [{"version": "0:2.8.2-5.el9_2.4", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/o:redhat:rhel_eus:9.2::baseos", "cpe:/a:redhat:rhel_eus:9.2::crb", "cpe:/a:redhat:rhel_eus:9.2::appstream"]}, {"vendor": "Red Hat", "product": "Red Hat Virtualization 4 for Red Hat Enterprise Linux 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "sssd", "defaultStatus": "affected", "versions": [{"version": "0:2.6.2-4.el8_6.3", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/o:redhat:rhel_eus:8.6::baseos", "cpe:/a:redhat:rhel_eus:8.6::crb", "cpe:/o:redhat:rhev_hypervisor:4.4::el8"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 6", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "sssd", "defaultStatus": "unknown", "cpes": ["cpe:/o:redhat:enterprise_linux:6"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "sssd", "defaultStatus": "unknown", "cpes": ["cpe:/o:redhat:enterprise_linux:7"]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2024:1919", "name": "RHSA-2024:1919", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:1920", "name": "RHSA-2024:1920", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:1921", "name": "RHSA-2024:1921", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:1922", "name": "RHSA-2024:1922", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:2571", "name": "RHSA-2024:2571", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:3270", "name": "RHSA-2024:3270", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2023-3758", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2223762", "name": "RHBZ#2223762", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://github.com/SSSD/sssd/pull/7302"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RV3HIZI3SURBUQKSOOL3XE64OOBQ2HTK/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XEP62IDS7A55D5UHM6GH7QZ7SQFOAPVF/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XMORAO2BDDA5YX4ZLMXDZ7SM6KU47SY5/"}], "datePublic": "2024-04-16T00:00:00+00:00", "problemTypes": [{"descriptions": [{"cweId": "CWE-285", "description": "Improper Authorization", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-362->CWE-285: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') leads to Improper Authorization", "workarounds": [{"lang": "en", "value": "A mitigation can be applied to the sssd.conf file that would make the occurrence of the race condition more difficult:\n\n1. Increase the GPO cache time out editing the following configuration directive in sssd.conf file:\n a) ad_gpo_cache_timeout = 3600\n Ps.: This value (3600) should make the cache time out in one hour but would make GPO updates propagation from AD server to local machines take longer.\n\n[1] https://access.redhat.com/documentation/pt-br/red_hat_enterprise_linux/7/html/windows_integration_guide/sssd-gpo"}], "timeline": [{"lang": "en", "time": "2023-07-14T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2024-04-16T00:00:00+00:00", "value": "Made public."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2024-05-29T23:03:00.838Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-3758", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-25T20:00:33.440301Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:17:31.274Z"}}]}}

{"descriptions": [{"lang": "en", "value": "A race condition flaw was found in sssd where the GPO policy is not consistently applied for authenticated users. This may lead to improper authorization issues, granting or denying access to resources inappropriately."}, {"lang": "es", "value": "Se encontr\u00f3 una falla en la condici\u00f3n de ejecuci\u00f3n en sssd donde la pol\u00edtica de GPO no se aplica de manera consistente para los usuarios autenticados. Esto puede dar lugar a problemas de autorizaci\u00f3n inapropiados, otorgando o denegando acceso a recursos de manera inapropiada."}], "id": "CVE-2023-3758", "lastModified": "2024-05-22T18:15:09.053", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "secalert@redhat.com", "type": "Secondary"}]}, "published": "2024-04-18T19:15:08.597", "references": [{"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:1919"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:1920"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:1921"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:1922"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:2571"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:3270"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/security/cve/CVE-2023-3758"}, {"source": "secalert@redhat.com", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2223762"}, {"source": "secalert@redhat.com", "url": "https://github.com/SSSD/sssd/pull/7302"}, {"source": "secalert@redhat.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RV3HIZI3SURBUQKSOOL3XE64OOBQ2HTK/"}, {"source": "secalert@redhat.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XEP62IDS7A55D5UHM6GH7QZ7SQFOAPVF/"}, {"source": "secalert@redhat.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XMORAO2BDDA5YX4ZLMXDZ7SM6KU47SY5/"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-285"}], "source": "secalert@redhat.com", "type": "Primary"}]}