Red Hat SSSD Active Directory Integration Privilege Escalation Vulnerability

Vulnerability

A vulnerability has been identified in the System Security Services Daemon (SSSD) integration with Active Directory on Linux systems. By default, SSSD does not activate the Kerberos local authentication plugin, which can lead to improper mapping of Kerberos principals to local users. This flaw allows an attacker with permission to alter specific Active Directory attributes, such as userPrincipalName or samAccountName, to impersonate privileged users like Administrator or root. Consequently, this could result in unauthorized access or elevated privileges on affected Linux hosts that are joined to the domain.

Impact

Exploitation of this vulnerability could allow an attacker to impersonate privileged users, leading to unauthorized access or privilege escalation on the affected system.

Reproduction

The vulnerability can be reproduced by modifying the userPrincipalName or samAccountName attributes of a user in Active Directory. Once these attributes are changed to impersonate a privileged user, the attacker can authenticate to the Linux system using Kerberos Single Sign-On (SSO) or password-based authentication, thereby gaining the privileges of the impersonated user.

Remediation

To address this vulnerability, ensure that the SSSD Kerberos local authentication plugin is enabled on domain-joined Linux systems. This can be done by configuring the plugin in the SSSD configuration file or the relevant krb5.conf files. Additionally, review and apply recommended hardening configurations for SSSD.
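
A configuration check for the remediation above, as an added example (not code from this advisory or from the SSSD project): it parses krb5.conf-style text and reports whether a localauth module named sssd is registered under [plugins]. The sample configurations, the module path and the function names are constructed assumptions. include and includedir directives are not followed, so pass it the combined text of krb5.conf and the snippets it includes.

```python
import re

# Constructed sample krb5.conf contents, not taken from a real host. The module
# path is an assumption (usual location on 64-bit RHEL-family systems).
HARDENED = """\
[libdefaults]
 default_realm = EXAMPLE.TEST

[plugins]
 localauth = {
  module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
 }
"""

UNCONFIGURED = """\
[plugins]
 # localauth = {
 #  module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
 # }
"""

def sssd_localauth_module(conf_text):
    """Return the path registered for the 'sssd' localauth module, or None."""
    section, stack = None, []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:                             # new top-level section
            section, stack = header.group(1), []
            continue
        if line.startswith("}"):               # end of a { ... } subsection
            stack = stack[:-1]
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if value == "{":                       # start of a subsection
            stack.append(key)
        elif (section, stack, key) == ("plugins", ["localauth"], "module"):
            name, _, path = value.partition(":")
            if name == "sssd" and path:        # relation format is name:path
                return path
    return None

def audit(conf_text):
    """One-line verdict suitable for a compliance report."""
    path = sssd_localauth_module(conf_text)
    if path:
        return f"OK: sssd localauth plugin registered ({path})"
    return "FINDING: sssd localauth plugin not registered"
```
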

Added: Oct 9, 2025, 2:21 PM
Updated: Oct 9, 2025, 3:58 PM

Vulnerability Rating

Custom Algorithm
spread: 7.8
impact: 5.0
exploitability: 4.6
remediation: 8.3
relevance: 0.7
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.