sssd: Fix CVE-2023-3758

A race condition flaw was found in sssd where the GPO policy is not consistently applied for authenticated users. This may lead to improper authorization issues, granting or denying access to resources inappropriately. References: https://nvd.nist.gov/vuln/detail/CVE-2023-3758 Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Soumya Sambu <soumya.sambu@windriver.com> 2024-04-22 02:50:45 +0000
committer: Armin Kuster <akuster808@gmail.com> 2024-05-05 08:37:19 -0400
commit: 353078bc06c8b471736daab6ed193e30d533d1f1 (patch)
tree: cf153da483ca19bf3b9180587170fbc3ba0e9dda
parent: 1a3e42cedbd94ca73be45800d0e902fec35d0f0f (diff)
download: meta-security-353078bc06c8b471736daab6ed193e30d533d1f1.tar.gz
2 files changed, 222 insertions, 0 deletions
diff --git a/recipes-security/sssd/files/CVE-2023-3758.patch b/recipes-security/sssd/files/CVE-2023-3758.patch
new file mode 100644
index 0000000..b604d64
--- /dev/null
+++ b/recipes-security/sssd/files/CVE-2023-3758.patch
@@ -0,0 +1,221 @@
+From f4ebe1408e0bc67abfbfb5f0ca2ea13803b36726 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Wed, 8 Nov 2023 14:50:24 +0100
+Subject: [PATCH] ad-gpo: use hash to store intermediate results
+Currently after the evaluation of a single GPO file the intermediate
+results are stored in the cache and this cache entry is updated until
+all applicable GPO files are evaluated. Finally the data in the cache is
+used to make the decision of access is granted or rejected.
+If there are two or more access-control request running in parallel one
+request might overwrite the cache object with intermediate data while
+another request reads the cached data for the access decision and as a
+result will do this decision based on intermediate data.
+To avoid this the intermediate results are not stored in the cache
+anymore but in hash tables which are specific to the request. Only the
+final result is written to the cache to have it available for offline
+authentication.
+Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
+Reviewed-by: Tomáš Halman <thalman@redhat.com>
+(cherry picked from commit d7db7971682da2dbf7642ac94940d6b0577ec35a)
+CVE: CVE-2023-3758
+Upstream-Status: Backport [https://github.com/SSSD/sssd/commit/f4ebe1408e0bc67abfbfb5f0ca2ea13803b36726]
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ src/providers/ad/ad_gpo.c | 118 +++++++++++++++++++++++++++++++++-----
+ 1 file changed, 103 insertions(+), 15 deletions(-)
+diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
+index 219f398..fc9691e 100644
+--- a/src/providers/ad/ad_gpo.c
+++ b/src/providers/ad/ad_gpo.c
+@@ -1314,6 +1314,33 @@ ad_gpo_extract_policy_setting(TALLOC_CTX *mem_ctx,
+     return ret;
+ }
+static errno_t
+add_result_to_hash(hash_table_t *hash, const char *key, char *value)
+{
+    int hret;
+    hash_key_t k;
+    hash_value_t v;
+
+    if (hash == NULL || key == NULL || value == NULL) {
+        return EINVAL;
+    }
+
+    k.type = HASH_KEY_CONST_STRING;
+    k.c_str = key;
+
+    v.type = HASH_VALUE_PTR;
+    v.ptr = value;
+
+    hret = hash_enter(hash, &k, &v);
+    if (hret != HASH_SUCCESS) {
+        DEBUG(SSSDBG_OP_FAILURE, "Failed to add [%s][%s] to hash: [%s].\n",
+                                 key, value, hash_error_string(hret));
+        return EIO;
+    }
+
+    return EOK;
+}
+
+ /*
+  * This function parses the cse-specific (GP_EXT_GUID_SECURITY) filename,
+  * and stores the allow_key and deny_key of all of the gpo_map_types present
+@@ -1321,6 +1348,7 @@ ad_gpo_extract_policy_setting(TALLOC_CTX *mem_ctx,
+  */
+ static errno_t
+ ad_gpo_store_policy_settings(struct sss_domain_info *domain,
+                             hash_table_t *allow_maps, hash_table_t *deny_maps,
+                              const char *filename)
+ {
+     struct ini_cfgfile *file_ctx = NULL;
+@@ -1454,14 +1482,14 @@ ad_gpo_store_policy_settings(struct sss_domain_info *domain,
+                 goto done;
+             } else if (ret != ENOENT) {
+                 const char *value = allow_value ? allow_value : empty_val;
+-                ret = sysdb_gpo_store_gpo_result_setting(domain,
+-                                                         allow_key,
+-                                                         value);
+-                if (ret != EOK) {
+-                    DEBUG(SSSDBG_CRIT_FAILURE,
+-                          "sysdb_gpo_store_gpo_result_setting failed for key:"
+-                          "'%s' value:'%s' [%d][%s]\n", allow_key, allow_value,
+-                          ret, sss_strerror(ret));
+                ret = add_result_to_hash(allow_maps, allow_key,
+                                         talloc_strdup(allow_maps, value));
+               if (ret != EOK) {
+                    DEBUG(SSSDBG_CRIT_FAILURE, "Failed to add key: [%s] "
+                                               "value: [%s] to allow maps "
+                                               "[%d][%s].\n",
+                                               allow_key, value, ret,
+                                               sss_strerror(ret));
+                     goto done;
+                 }
+             }
+@@ -1481,14 +1509,14 @@ ad_gpo_store_policy_settings(struct sss_domain_info *domain,
+                 goto done;
+             } else if (ret != ENOENT) {
+                 const char *value = deny_value ? deny_value : empty_val;
+-                ret = sysdb_gpo_store_gpo_result_setting(domain,
+-                                                         deny_key,
+-                                                         value);
+               ret = add_result_to_hash(deny_maps, deny_key,
+                                         talloc_strdup(deny_maps, value));
+                 if (ret != EOK) {
+-                    DEBUG(SSSDBG_CRIT_FAILURE,
+-                          "sysdb_gpo_store_gpo_result_setting failed for key:"
+-                          "'%s' value:'%s' [%d][%s]\n", deny_key, deny_value,
+-                          ret, sss_strerror(ret));
+                    DEBUG(SSSDBG_CRIT_FAILURE, "Failed to add key: [%s] "
+                                               "value: [%s] to deny maps "
+                                               "[%d][%s].\n",
+                                               deny_key, value, ret,
+                                               sss_strerror(ret));
+                     goto done;
+                 }
+             }
+@@ -1781,6 +1809,8 @@ struct ad_gpo_access_state {
+     int num_cse_filtered_gpos;
+     int cse_gpo_index;
+     const char *ad_domain;
+    hash_table_t *allow_maps;
+    hash_table_t *deny_maps;
+ };
+ static void ad_gpo_connect_done(struct tevent_req *subreq);
+@@ -1903,6 +1933,19 @@ ad_gpo_access_send(TALLOC_CTX *mem_ctx,
+         goto immediately;
+     }
+    ret = sss_hash_create(state, 0, &state->allow_maps);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_FATAL_FAILURE, "Could not create allow maps "
+              "hash table [%d]: %s\n", ret, sss_strerror(ret));
+        goto immediately;
+    }
+
+    ret = sss_hash_create(state, 0, &state->deny_maps);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_FATAL_FAILURE, "Could not create deny maps "
+              "hash table [%d]: %s\n", ret, sss_strerror(ret));
+        goto immediately;
+    }
+     subreq = sdap_id_op_connect_send(state->sdap_op, state, &ret);
+     if (subreq == NULL) {
+@@ -2722,6 +2765,43 @@ ad_gpo_cse_step(struct tevent_req *req)
+     return EAGAIN;
+ }
+static errno_t
+store_hash_maps_in_cache(struct sss_domain_info *domain,
+                         hash_table_t *allow_maps, hash_table_t *deny_maps)
+{
+    int ret;
+    struct hash_iter_context_t *iter;
+    hash_entry_t *entry;
+    size_t c;
+    hash_table_t *hash_list[] = { allow_maps, deny_maps, NULL};
+
+
+    for (c = 0; hash_list[c] != NULL; c++) {
+        iter = new_hash_iter_context(hash_list[c]);
+        if (iter == NULL) {
+            DEBUG(SSSDBG_OP_FAILURE, "Failed to create hash iterator.\n");
+            return EINVAL;
+        }
+
+        while ((entry = iter->next(iter)) != NULL) {
+            ret = sysdb_gpo_store_gpo_result_setting(domain,
+                                                     entry->key.c_str,
+                                                     entry->value.ptr);
+            if (ret != EOK) {
+                free(iter);
+                DEBUG(SSSDBG_OP_FAILURE,
+                      "sysdb_gpo_store_gpo_result_setting failed for key:"
+                      "[%s] value:[%s] [%d][%s]\n", entry->key.c_str,
+                      (char *) entry->value.ptr, ret, sss_strerror(ret));
+                return ret;
+            }
+        }
+        talloc_free(iter);
+    }
+
+    return EOK;
+}
+
+ /*
+  * This cse-specific function (GP_EXT_GUID_SECURITY) increments the
+  * cse_gpo_index until the policy settings for all applicable GPOs have been
+@@ -2763,6 +2843,7 @@ ad_gpo_cse_done(struct tevent_req *subreq)
+      * (as part of the GPO Result object in the sysdb cache).
+      */
+     ret = ad_gpo_store_policy_settings(state->host_domain,
+                                       state->allow_maps, state->deny_maps,
+                                        cse_filtered_gpo->policy_filename);
+     if (ret != EOK) {
+         DEBUG(SSSDBG_OP_FAILURE,
+@@ -2776,6 +2857,13 @@ ad_gpo_cse_done(struct tevent_req *subreq)
+     if (ret == EOK) {
+         /* ret is EOK only after all GPO policy files have been downloaded */
+        ret = store_hash_maps_in_cache(state->host_domain,
+                                       state->allow_maps, state->deny_maps);
+        if (ret != EOK) {
+            DEBUG(SSSDBG_OP_FAILURE, "Failed to store evaluated GPO maps "
+                                     "[%d][%s].\n", ret, sss_strerror(ret));
+            goto done;
+        }
+         ret = ad_gpo_perform_hbac_processing(state,
+                                              state->gpo_mode,
+                                              state->gpo_map_type,
+--
+2.40.0
diff --git a/recipes-security/sssd/sssd_2.5.2.bb b/recipes-security/sssd/sssd_2.5.2.bb
index 4c75e0a..c07559c 100644
--- a/recipes-security/sssd/sssd_2.5.2.bb
+++ b/recipes-security/sssd/sssd_2.5.2.bb
@@ -24,6 +24,7 @@ SRC_URI = "https://github.com/SSSD/sssd/releases/download/${PV}/sssd-${PV}.tar.g
           file://fix-ldblibdir.patch \
           file://musl_fixup.patch \
           file://CVE-2021-3621.patch \
+           file://CVE-2023-3758.patch \
           "
 SRC_URI[sha256sum] = "5e21b3c7b4a2f1063d0fbdd3216d29886b6eaba153b44fb5961698367f399a0f"
author	Soumya Sambu <soumya.sambu@windriver.com>	2024-04-22 02:50:45 +0000
committer	Armin Kuster <akuster808@gmail.com>	2024-05-05 08:37:19 -0400
commit	353078bc06c8b471736daab6ed193e30d533d1f1 (patch)
tree	cf153da483ca19bf3b9180587170fbc3ba0e9dda
parent	1a3e42cedbd94ca73be45800d0e902fec35d0f0f (diff)
download	meta-security-353078bc06c8b471736daab6ed193e30d533d1f1.tar.gz

diff --git a/recipes-security/sssd/files/CVE-2023-3758.patch b/recipes-security/sssd/files/CVE-2023-3758.patch new file mode 100644 index 0000000..b604d64 --- /dev/null +++ b/recipes-security/sssd/files/CVE-2023-3758.patch
@@ -0,0 +1,221 @@
		1	From f4ebe1408e0bc67abfbfb5f0ca2ea13803b36726 Mon Sep 17 00:00:00 2001
		2	From: Sumit Bose <sbose@redhat.com>
		3	Date: Wed, 8 Nov 2023 14:50:24 +0100
		4	Subject: [PATCH] ad-gpo: use hash to store intermediate results
		5
		6	Currently after the evaluation of a single GPO file the intermediate
		7	results are stored in the cache and this cache entry is updated until
		8	all applicable GPO files are evaluated. Finally the data in the cache is
		9	used to make the decision of access is granted or rejected.
		10
		11	If there are two or more access-control request running in parallel one
		12	request might overwrite the cache object with intermediate data while
		13	another request reads the cached data for the access decision and as a
		14	result will do this decision based on intermediate data.
		15
		16	To avoid this the intermediate results are not stored in the cache
		17	anymore but in hash tables which are specific to the request. Only the
		18	final result is written to the cache to have it available for offline
		19	authentication.
		20
		21	Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
		22	Reviewed-by: Tomáš Halman <thalman@redhat.com>
		23	(cherry picked from commit d7db7971682da2dbf7642ac94940d6b0577ec35a)
		24
		25	CVE: CVE-2023-3758
		26
		27	Upstream-Status: Backport [https://github.com/SSSD/sssd/commit/f4ebe1408e0bc67abfbfb5f0ca2ea13803b36726]
		28
		29	Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
		30	---
		31	src/providers/ad/ad_gpo.c \| 118 +++++++++++++++++++++++++++++++++-----
		32	1 file changed, 103 insertions(+), 15 deletions(-)
		33
		34	diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
		35	index 219f398..fc9691e 100644
		36	--- a/src/providers/ad/ad_gpo.c
		37	+++ b/src/providers/ad/ad_gpo.c
		38	@@ -1314,6 +1314,33 @@ ad_gpo_extract_policy_setting(TALLOC_CTX *mem_ctx,
		39	return ret;
		40	}
		41
		42	+static errno_t
		43	+add_result_to_hash(hash_table_t hash, const char key, char *value)
		44	+{
		45	+ int hret;
		46	+ hash_key_t k;
		47	+ hash_value_t v;
		48	+
		49	+ if (hash == NULL \|\| key == NULL \|\| value == NULL) {
		50	+ return EINVAL;
		51	+ }
		52	+
		53	+ k.type = HASH_KEY_CONST_STRING;
		54	+ k.c_str = key;
		55	+
		56	+ v.type = HASH_VALUE_PTR;
		57	+ v.ptr = value;
		58	+
		59	+ hret = hash_enter(hash, &k, &v);
		60	+ if (hret != HASH_SUCCESS) {
		61	+ DEBUG(SSSDBG_OP_FAILURE, "Failed to add [%s][%s] to hash: [%s].\n",
		62	+ key, value, hash_error_string(hret));
		63	+ return EIO;
		64	+ }
		65	+
		66	+ return EOK;
		67	+}
		68	+
		69	/*
		70	* This function parses the cse-specific (GP_EXT_GUID_SECURITY) filename,
		71	* and stores the allow_key and deny_key of all of the gpo_map_types present
		72	@@ -1321,6 +1348,7 @@ ad_gpo_extract_policy_setting(TALLOC_CTX *mem_ctx,
		73	*/
		74	static errno_t
		75	ad_gpo_store_policy_settings(struct sss_domain_info *domain,
		76	+ hash_table_t allow_maps, hash_table_t deny_maps,
		77	const char *filename)
		78	{
		79	struct ini_cfgfile *file_ctx = NULL;
		80	@@ -1454,14 +1482,14 @@ ad_gpo_store_policy_settings(struct sss_domain_info *domain,
		81	goto done;
		82	} else if (ret != ENOENT) {
		83	const char *value = allow_value ? allow_value : empty_val;
		84	- ret = sysdb_gpo_store_gpo_result_setting(domain,
		85	- allow_key,
		86	- value);
		87	- if (ret != EOK) {
		88	- DEBUG(SSSDBG_CRIT_FAILURE,
		89	- "sysdb_gpo_store_gpo_result_setting failed for key:"
		90	- "'%s' value:'%s' [%d][%s]\n", allow_key, allow_value,
		91	- ret, sss_strerror(ret));
		92	+ ret = add_result_to_hash(allow_maps, allow_key,
		93	+ talloc_strdup(allow_maps, value));
		94	+ if (ret != EOK) {
		95	+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to add key: [%s] "
		96	+ "value: [%s] to allow maps "
		97	+ "[%d][%s].\n",
		98	+ allow_key, value, ret,
		99	+ sss_strerror(ret));
		100	goto done;
		101	}
		102	}
		103	@@ -1481,14 +1509,14 @@ ad_gpo_store_policy_settings(struct sss_domain_info *domain,
		104	goto done;
		105	} else if (ret != ENOENT) {
		106	const char *value = deny_value ? deny_value : empty_val;
		107	- ret = sysdb_gpo_store_gpo_result_setting(domain,
		108	- deny_key,
		109	- value);
		110	+ ret = add_result_to_hash(deny_maps, deny_key,
		111	+ talloc_strdup(deny_maps, value));
		112	if (ret != EOK) {
		113	- DEBUG(SSSDBG_CRIT_FAILURE,
		114	- "sysdb_gpo_store_gpo_result_setting failed for key:"
		115	- "'%s' value:'%s' [%d][%s]\n", deny_key, deny_value,
		116	- ret, sss_strerror(ret));
		117	+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to add key: [%s] "
		118	+ "value: [%s] to deny maps "
		119	+ "[%d][%s].\n",
		120	+ deny_key, value, ret,
		121	+ sss_strerror(ret));
		122	goto done;
		123	}
		124	}
		125	@@ -1781,6 +1809,8 @@ struct ad_gpo_access_state {
		126	int num_cse_filtered_gpos;
		127	int cse_gpo_index;
		128	const char *ad_domain;
		129	+ hash_table_t *allow_maps;
		130	+ hash_table_t *deny_maps;
		131	};
		132
		133	static void ad_gpo_connect_done(struct tevent_req *subreq);
		134	@@ -1903,6 +1933,19 @@ ad_gpo_access_send(TALLOC_CTX *mem_ctx,
		135	goto immediately;
		136	}
		137
		138	+ ret = sss_hash_create(state, 0, &state->allow_maps);
		139	+ if (ret != EOK) {
		140	+ DEBUG(SSSDBG_FATAL_FAILURE, "Could not create allow maps "
		141	+ "hash table [%d]: %s\n", ret, sss_strerror(ret));
		142	+ goto immediately;
		143	+ }
		144	+
		145	+ ret = sss_hash_create(state, 0, &state->deny_maps);
		146	+ if (ret != EOK) {
		147	+ DEBUG(SSSDBG_FATAL_FAILURE, "Could not create deny maps "
		148	+ "hash table [%d]: %s\n", ret, sss_strerror(ret));
		149	+ goto immediately;
		150	+ }
		151
		152	subreq = sdap_id_op_connect_send(state->sdap_op, state, &ret);
		153	if (subreq == NULL) {
		154	@@ -2722,6 +2765,43 @@ ad_gpo_cse_step(struct tevent_req *req)
		155	return EAGAIN;
		156	}
		157
		158	+static errno_t
		159	+store_hash_maps_in_cache(struct sss_domain_info *domain,
		160	+ hash_table_t allow_maps, hash_table_t deny_maps)
		161	+{
		162	+ int ret;
		163	+ struct hash_iter_context_t *iter;
		164	+ hash_entry_t *entry;
		165	+ size_t c;
		166	+ hash_table_t *hash_list[] = { allow_maps, deny_maps, NULL};
		167	+
		168	+
		169	+ for (c = 0; hash_list[c] != NULL; c++) {
		170	+ iter = new_hash_iter_context(hash_list[c]);
		171	+ if (iter == NULL) {
		172	+ DEBUG(SSSDBG_OP_FAILURE, "Failed to create hash iterator.\n");
		173	+ return EINVAL;
		174	+ }
		175	+
		176	+ while ((entry = iter->next(iter)) != NULL) {
		177	+ ret = sysdb_gpo_store_gpo_result_setting(domain,
		178	+ entry->key.c_str,
		179	+ entry->value.ptr);
		180	+ if (ret != EOK) {
		181	+ free(iter);
		182	+ DEBUG(SSSDBG_OP_FAILURE,
		183	+ "sysdb_gpo_store_gpo_result_setting failed for key:"
		184	+ "[%s] value:[%s] [%d][%s]\n", entry->key.c_str,
		185	+ (char *) entry->value.ptr, ret, sss_strerror(ret));
		186	+ return ret;
		187	+ }
		188	+ }
		189	+ talloc_free(iter);
		190	+ }
		191	+
		192	+ return EOK;
		193	+}
		194	+
		195	/*
		196	* This cse-specific function (GP_EXT_GUID_SECURITY) increments the
		197	* cse_gpo_index until the policy settings for all applicable GPOs have been
		198	@@ -2763,6 +2843,7 @@ ad_gpo_cse_done(struct tevent_req *subreq)
		199	* (as part of the GPO Result object in the sysdb cache).
		200	*/
		201	ret = ad_gpo_store_policy_settings(state->host_domain,
		202	+ state->allow_maps, state->deny_maps,
		203	cse_filtered_gpo->policy_filename);
		204	if (ret != EOK) {
		205	DEBUG(SSSDBG_OP_FAILURE,
		206	@@ -2776,6 +2857,13 @@ ad_gpo_cse_done(struct tevent_req *subreq)
		207
		208	if (ret == EOK) {
		209	/* ret is EOK only after all GPO policy files have been downloaded */
		210	+ ret = store_hash_maps_in_cache(state->host_domain,
		211	+ state->allow_maps, state->deny_maps);
		212	+ if (ret != EOK) {
		213	+ DEBUG(SSSDBG_OP_FAILURE, "Failed to store evaluated GPO maps "
		214	+ "[%d][%s].\n", ret, sss_strerror(ret));
		215	+ goto done;
		216	+ }
		217	ret = ad_gpo_perform_hbac_processing(state,
		218	state->gpo_mode,
		219	state->gpo_map_type,
		220	--
		221	2.40.0


diff --git a/recipes-security/sssd/sssd_2.5.2.bb b/recipes-security/sssd/sssd_2.5.2.bb index 4c75e0a..c07559c 100644 --- a/recipes-security/sssd/sssd_2.5.2.bb +++ b/recipes-security/sssd/sssd_2.5.2.bb
@@ -24,6 +24,7 @@ SRC_URI = "https://github.com/SSSD/sssd/releases/download/${PV}/sssd-${PV}.tar.g
24	file://fix-ldblibdir.patch \	24	file://fix-ldblibdir.patch \
25	file://musl_fixup.patch \	25	file://musl_fixup.patch \
26	file://CVE-2021-3621.patch \	26	file://CVE-2021-3621.patch \
		27	file://CVE-2023-3758.patch \
27	"	28	"
28		29
29	SRC_URI[sha256sum] = "5e21b3c7b4a2f1063d0fbdd3216d29886b6eaba153b44fb5961698367f399a0f"	30	SRC_URI[sha256sum] = "5e21b3c7b4a2f1063d0fbdd3216d29886b6eaba153b44fb5961698367f399a0f"