CVE-2017-12173
Find out more about CVE-2017-12173 from the MITRE CVE dictionary and NIST NVD.
Statement
This issue affects the versions of sssd as shipped with Red Hat Satellite version 6.0. More recent versions of Satellite no longer ship sssd. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
CVSS v3 metrics
| CVSS3 Base Score | 4.3 |
|---|---|
| CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity Impact | None |
| Availability Impact | None |
Red Hat Security Errata
| Platform | Errata | Release Date |
|---|---|---|
| Red Hat Enterprise Linux 6 (sssd) | RHSA-2018:1877 | 2018-06-19 |
| Red Hat Enterprise Linux 7 (sssd) | RHSA-2017:3379 | 2017-12-05 |
Affected Packages State
| Platform | Package | State |
|---|---|---|
| Red Hat Satellite 6 | sssd | Will not fix |
| Red Hat Enterprise Linux 5 | sssd | Not affected |
Acknowledgements
This issue was discovered by Sumit Bose (Red Hat).
Mitigation
Credential caching can be disabled manually:
* Stop the sssd service.
* Delete the cache (rm -f /var/lib/sss/db/* /var/log/sssd/*) or manually remove the cached hashes from the database.
* In the sssd configuration file, set cache_credentials to False for each domain.
* Start the sssd service again.
Note that tools such as realmd and ipa-client-install may turn credential caching back on, so use them with care and re-check the configuration after running them.
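The procedure above, scripted as an added example (this is not code from the Red Hat advisory or from the sssd project). It rewrites cache_credentials to False in every [domain/...] section of sssd.conf, adds the key to domains that never set it, and provides an audit function to re-run after realmd or ipa-client-install. The config path, the service commands and the sample configuration are assumptions for illustration; the cache paths are the ones the advisory names.

```shell
#!/bin/sh
# Added example for the CVE-2017-12173 mitigation; not from the advisory.
# SSSD_CONF defaults to the usual location (assumption).
SSSD_CONF="${SSSD_CONF:-/etc/sssd/sssd.conf}"

# Set cache_credentials = False in every [domain/...] section of the file.
# Domains that never set the key get an explicit False so the build default
# cannot silently re-enable caching. Writes through cat so the file keeps
# its mode and owner (sssd refuses to start on a world-readable sssd.conf).
disable_credential_caching() {
    conf="$1"
    tmp="${conf}.tmp.$$"
    awk '
        function close_section() {
            # leaving a domain section that never set the key: append it
            if (in_domain && !seen) print "cache_credentials = False"
        }
        /^[ \t]*\[/ {
            close_section()
            in_domain = ($0 ~ /^[ \t]*\[domain\//)
            seen = 0
            print; next
        }
        in_domain && /^[ \t]*cache_credentials[ \t]*=/ {
            print "cache_credentials = False"; seen = 1; next
        }
        { print }
        END { close_section() }
    ' "$conf" > "$tmp" && cat "$tmp" > "$conf" && rm -f "$tmp"
}

# Print the name of every domain whose cache_credentials is still True.
# No output means caching is off everywhere. Re-run this after realmd or
# ipa-client-install, which the advisory warns may re-enable caching.
domains_with_caching() {
    awk '
        /^[ \t]*\[domain\// {
            dom = $0
            sub(/^[ \t]*\[domain\//, "", dom); sub(/\].*$/, "", dom)
            next
        }
        /^[ \t]*\[/ { dom = "" }
        dom != "" && /^[ \t]*cache_credentials[ \t]*=[ \t]*[Tt]rue/ { print dom }
    ' "$1"
}

# The full advisory procedure: stop sssd, flush the cache, edit, restart.
# Needs root; "service" is assumed to exist on the host. Not run by default.
apply_mitigation() {
    service sssd stop
    rm -f /var/lib/sss/db/* /var/log/sssd/*
    disable_credential_caching "$SSSD_CONF"
    service sssd start
}
```

Run domains_with_caching "$SSSD_CONF" before and after apply_mitigation; any domain it prints still has cached credentials enabled and needs the edit repeated.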
