Public Date:
1498173: CVE-2017-12173 sssd: unsanitized input when searching in local cache database
It was found that sssd's sysdb_search_user_by_upn_res() function did not sanitize requests when querying its local cache and was vulnerable to injection. In a centralized login environment, if a password hash was locally cached for a given user, an authenticated attacker could use this flaw to retrieve it.

Find out more about CVE-2017-12173 from the MITRE CVE dictionary dictionary and NIST NVD.


This issue affects the versions of sssd as shipped with Red Hat Satellite version 6.0. More recent versions of Satellite no longer ships sssd. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification:

CVSS v3 metrics

CVSS3 Base Score 4.3
CVSS3 Base Metrics CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality Low
Integrity Impact None
Availability Impact None

Red Hat Security Errata

Platform Errata Release Date
Red Hat Enterprise Linux 6 (sssd) RHSA-2018:1877 2018-06-19
Red Hat Enterprise Linux 7 (sssd) RHSA-2017:3379 2017-12-05

Affected Packages State

Platform Package State
Red Hat Satellite 6 sssd Will not fix
Red Hat Enterprise Linux 5 sssd Not affected


This issue was discovered by Sumit Bose (Red Hat).


It is possible to disable manually credential caching :
* Stop the sssd service
* Delete the cache (rm -f /var/lib/sss/db/* /var/log/sssd/*) or manually remove the hashes for the database
* In the sssd configuration file, change cache_credentials to False for each domains
* start the sssd service again

However, tools such as realmd & ipa-client-install might enable credential caching, and should be used with care.

Last Modified