{
  "threat_severity" : "Moderate",
  "public_date" : "2024-04-16T00:00:00Z",
  "bugzilla" : {
    "description" : "sssd: Race condition during authorization leads to GPO policies functioning inconsistently",
    "id" : "2223762",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2223762"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.1",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-362",
  "details" : [ "A race condition flaw was found in sssd where the GPO policy is not consistently applied for authenticated users. This may lead to improper authorization issues, granting or denying access to resources inappropriately.", "A race condition flaw was found in sssd where the GPO policy is not consistently applied for authenticated users. This may lead to improper authorization issues, granting or denying access to resources inappropriately." ],
  "statement" : "This flaw is triggered by a race condition which makes it difficult to exploit. Also, it depends on non default GPO configuration on the server side. This two aspects lowers the severity of the issue to Moderate.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2024-05-22T00:00:00Z",
    "advisory" : "RHSA-2024:3270",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "sssd-0:2.9.4-3.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2024-05-22T00:00:00Z",
    "advisory" : "RHSA-2024:3270",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "sssd-0:2.9.4-3.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Extended Update Support",
    "release_date" : "2024-04-18T00:00:00Z",
    "advisory" : "RHSA-2024:1921",
    "cpe" : "cpe:/o:redhat:rhel_eus:8.6",
    "package" : "sssd-0:2.6.2-4.el8_6.3"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Extended Update Support",
    "release_date" : "2024-04-18T00:00:00Z",
    "advisory" : "RHSA-2024:1922",
    "cpe" : "cpe:/a:redhat:rhel_eus:8.8",
    "package" : "sssd-0:2.8.2-4.el8_8.2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-04-30T00:00:00Z",
    "advisory" : "RHSA-2024:2571",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "sssd-0:2.9.4-6.el9_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-04-30T00:00:00Z",
    "advisory" : "RHSA-2024:2571",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "sssd-0:2.9.4-6.el9_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.0 Extended Update Support",
    "release_date" : "2024-04-18T00:00:00Z",
    "advisory" : "RHSA-2024:1919",
    "cpe" : "cpe:/o:redhat:rhel_eus:9.0",
    "package" : "sssd-0:2.6.2-4.el9_0.3"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Extended Update Support",
    "release_date" : "2024-04-18T00:00:00Z",
    "advisory" : "RHSA-2024:1920",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.2",
    "package" : "sssd-0:2.8.2-5.el9_2.4"
  }, {
    "product_name" : "Red Hat Virtualization 4 for Red Hat Enterprise Linux 8",
    "release_date" : "2024-04-18T00:00:00Z",
    "advisory" : "RHSA-2024:1921",
    "cpe" : "cpe:/o:redhat:rhev_hypervisor:4.4::el8",
    "package" : "sssd-0:2.6.2-4.el8_6.3"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "sssd",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "sssd",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-3758\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-3758\nhttps://github.com/SSSD/sssd/pull/7302" ],
  "name" : "CVE-2023-3758",
  "mitigation" : {
    "value" : "A mitigation can be applied to the sssd.conf file that would make the occurrence of the race condition more difficult:\n1. Increase the GPO cache time out editing the following configuration directive in sssd.conf file:\na) ad_gpo_cache_timeout = 3600\nPs.: This value (3600) should make the cache time out in one hour but would make GPO updates propagation from AD server to local machines take longer.\n[1] https://access.redhat.com/documentation/pt-br/red_hat_enterprise_linux/7/html/windows_integration_guide/sssd-gpo",
    "lang" : "en:us"
  },
  "csaw" : false
}