Описание
Authconfig version 6.2.8 is vulnerable to an Information exposure while using SSSD to authenticate against remote server resulting in the leak of information about existing usernames.
A flaw was found where authconfig could configure sssd in a way that treats existing and non-existing logins differently, leaking information on existence of a user. An attacker with physical or network access to the machine could enumerate users via a timing attack.
Меры по смягчению последствий
Possible workaround (with side-effects): authconfig --enablesysnetauth --update
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 5 | authconfig | Not affected | ||
| Red Hat Enterprise Linux 6 | authconfig | Not affected | ||
| Red Hat Enterprise Linux 7 | authconfig | Fixed | RHSA-2017:2285 | 01.08.2017 |
Показывать по
Дополнительная информация
Статус:
EPSS
5.3 Medium
CVSS3
Связанные уязвимости
Authconfig version 6.2.8 is vulnerable to an Information exposure while using SSSD to authenticate against remote server resulting in the leak of information about existing usernames.
Authconfig version 6.2.8 is vulnerable to an Information exposure while using SSSD to authenticate against remote server resulting in the leak of information about existing usernames.
ELSA-2017-2285: authconfig security, bug fix, and enhancement update (MODERATE)
EPSS
5.3 Medium
CVSS3