sssd experts,
On ~Dec 14th, CVE-2020-1472 was reported against RHEL7. It's a samba vulnerability. Among the very many vulnerable RPMs identified in the errata, they list samba-client-libs RPM.
The sssd-ad RPM has an RPM dependency on this samba-client-libs RPM. I believe the sssd-ad RPM is the RPM that provides the sssd backend to integrate with AD. Thus, if we remove sssd-ad RPM, I believe we'll break our current direct AD integration with sssd.
I'm trying to gauge our exposure. As documented exploits using this CVE are allegedly being seen in the wild, MITRE is rating this CVE as a 100. But I question that -- for our environment.
We directly integrate our RHEL7 and 8 clients to AD. Our AD DCs are true Windows domain controllers.
As I understand it, our exposure should be minimal or none because:
1. This CVE is mainly for if you run a Samba server as an AD DC (we do not), and
2. Since we directly integrate to AD from our sssd clients, I'm not sure that any code in this samba-client-libs RPM ever gets exercised.
Comments?
I realize this CVE will be remediated in our next Linux patch cycle (~mid-Jan). But I'm not sure all companies are as pro-active.
Spike
On Thu, Jan 07, 2021 at 05:00:13PM -0600, Spike White wrote:
> sssd experts,
> On ~Dec 14th, CVE-2020-1472 was reported against RHEL7. It's a samba vulnerability. Among the very many vulnerable RPMs identified in the errata, they list samba-client-libs RPM.
> The sssd-ad RPM has an RPM dependency on this samba-client-libs RPM. I believe the sssd-ad RPM is the RPM that provides the sssd backend to integrate with AD. Thus, if we remove sssd-ad RPM, I believe we'll break our current direct AD integration with sssd.
> I'm trying to gauge our exposure. As documented exploits using this CVE are allegedly being seen in the wild, MITRE is rating this CVE as a 100. But I question that -- for our environment.
> We directly integrate our RHEL7 and 8 clients to AD. Our AD DCs are true Windows domain controllers.
> As I understand it, our exposure should be minimal or none because:
> 1. This CVE is mainly for if you run a Samba server as an AD DC (we do not), and
> 2. Since we directly integrate to AD from our sssd clients, I'm not sure that any code in this samba-client-libs RPM ever gets exercised.
Hi,
after reading the CVE information and some related resources I would agree. It looks like the issue is related to changing passwords on domain controllers with the help of RPC calls. Since SSSD does not use RPC, the affected code paths in the Samba libraries should not be touched by SSSD.
bye, Sumit
> Comments?
> I realize this CVE will be remediated in our next Linux patch cycle (~mid-Jan). But I'm not sure all companies are as pro-active.
> Spike
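The questions raised in this thread (which installed packages pull in samba-client-libs, whether the errata build is already installed, and whether sssd is actually configured with the AD provider) can be answered from the host itself. The following is an added example, not code from the thread or from the SSSD project: a read-only POSIX shell check for a RHEL/CentOS host. It assumes that `rpm -q --whatrequires` and `rpm -q --changelog` are available, that the fixed samba-client-libs build mentions the CVE id in its changelog (Red Hat errata builds usually do, but confirm against the errata's fixed version if the changelog is silent), and that sssd.conf lives at /etc/sssd/sssd.conf (override with the SSSD_CONF variable). The parsing helpers read text on stdin so they can be exercised without rpm.

```shell
#!/bin/sh
# Added example (not from the thread): read-only exposure check for the
# sssd-ad / samba-client-libs question. It reports:
#   1. which installed packages require samba-client-libs,
#   2. whether the installed samba-client-libs changelog references the CVE,
#   3. whether sssd is configured with id_provider = ad.

CVE_ID="CVE-2020-1472"
SSSD_CONF="${SSSD_CONF:-/etc/sssd/sssd.conf}"   # assumed default path; override for testing

# changelog_mentions_cve CVE < changelog-text
# Returns 0 if any changelog line contains the CVE id (literal match), else 1.
changelog_mentions_cve() {
    grep -qF -- "$1"
}

# sssd_id_providers < sssd.conf-text
# Prints the value of every active "id_provider = ..." key, one per line,
# skipping commented-out lines and trailing comments.
sssd_id_providers() {
    sed -n 's/^[[:space:]]*id_provider[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p'
}

# uses_ad_provider < sssd.conf-text
# Returns 0 if at least one domain section uses id_provider = ad.
uses_ad_provider() {
    sssd_id_providers | grep -qx 'ad'
}

# whatrequires PACKAGE
# Lists installed packages whose dependencies pull in PACKAGE (needs rpm).
whatrequires() {
    rpm -q --whatrequires "$1" 2>/dev/null
}

report() {
    pkg="samba-client-libs"
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm not available; skipping package checks"
    else
        echo "Installed: $(rpm -q "$pkg")"
        echo "Packages requiring $pkg:"
        whatrequires "$pkg" | sed 's/^/  /'
        if rpm -q --changelog "$pkg" | changelog_mentions_cve "$CVE_ID"; then
            echo "$pkg changelog references $CVE_ID: fixed build appears installed"
        else
            echo "$pkg changelog does not reference $CVE_ID: check errata version"
        fi
    fi
    if [ -r "$SSSD_CONF" ]; then
        if uses_ad_provider < "$SSSD_CONF"; then
            echo "sssd uses the AD provider (sssd-ad is needed for AD integration)"
        else
            echo "sssd does not use the AD provider"
        fi
    else
        echo "$SSSD_CONF not readable; skipping sssd check"
    fi
}

report
```

Run it as root (sssd.conf is normally mode 0600) and read the three results together: if sssd-ad is among the packages requiring samba-client-libs and the AD provider is in use, removing the library is not an option and the exposure question comes down to whether the fixed build is installed, which is exactly the trade-off described in the thread.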
sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...