CVE-2017-7488

Impact:
Moderate
Public Date:
2017-05-09
CWE:
CWE-200
Bugzilla:
1441604: CVE-2017-7488 authconfig: Information leak when SSSD is used for authentication against remote server
A flaw was found where authconfig could configure sssd in a way that treats existing and non-existing logins differently, leaking information on existence of a user. An attacker with physical or network access to the machine could enumerate users via a timing attack.

Find out more about CVE-2017-7488 from the MITRE CVE dictionary and NIST NVD.

CVSS v3 metrics

CVSS3 Base Score: 5.3
CVSS3 Base Metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: Low
Integrity Impact: None
Availability Impact: None

Red Hat Security Errata

Platform                                 | Errata         | Release Date
Red Hat Enterprise Linux 7 (authconfig)  | RHSA-2017:2285 | 2017-08-01

Affected Packages State

Platform                    | Package    | State
Red Hat Enterprise Linux 6  | authconfig | Not affected
Red Hat Enterprise Linux 5  | authconfig | Not affected

Acknowledgements

This issue was discovered by Tomas Mraz (Red Hat) and Thorsten Scherf (Red Hat).

Mitigation

Possible workaround (with side-effects):
authconfig --enablesysnetauth --update
