CVE-2023-3758
📋 TL;DR
A race condition in SSSD (System Security Services Daemon) causes inconsistent application of Group Policy Object (GPO) policies for authenticated users. This can lead to improper authorization decisions, potentially granting or denying access to resources incorrectly. Systems using SSSD for authentication/authorization with Active Directory integration are affected.
💻 Affected Systems
- sssd
📦 What is this software?
Codeready Linux Builder For Arm64 by Redhat
Codeready Linux Builder For Arm64 Eus by Redhat
View all CVEs affecting Codeready Linux Builder For Arm64 Eus →
Codeready Linux Builder For Arm64 Eus by Redhat
View all CVEs affecting Codeready Linux Builder For Arm64 Eus →
Codeready Linux Builder For Arm64 Eus by Redhat
View all CVEs affecting Codeready Linux Builder For Arm64 Eus →
Codeready Linux Builder For Arm64 Eus by Redhat
View all CVEs affecting Codeready Linux Builder For Arm64 Eus →
Codeready Linux Builder For Arm64 Eus by Redhat
View all CVEs affecting Codeready Linux Builder For Arm64 Eus →
Codeready Linux Builder For Arm64 Eus by Redhat
View all CVEs affecting Codeready Linux Builder For Arm64 Eus →
Codeready Linux Builder For Ibm Z Systems by Redhat
View all CVEs affecting Codeready Linux Builder For Ibm Z Systems →
Codeready Linux Builder For Ibm Z Systems Eus by Redhat
View all CVEs affecting Codeready Linux Builder For Ibm Z Systems Eus →
Codeready Linux Builder For Ibm Z Systems Eus by Redhat
View all CVEs affecting Codeready Linux Builder For Ibm Z Systems Eus →
Codeready Linux Builder For Ibm Z Systems Eus by Redhat
View all CVEs affecting Codeready Linux Builder For Ibm Z Systems Eus →
Codeready Linux Builder For Ibm Z Systems Eus by Redhat
View all CVEs affecting Codeready Linux Builder For Ibm Z Systems Eus →
Codeready Linux Builder For Ibm Z Systems Eus by Redhat
View all CVEs affecting Codeready Linux Builder For Ibm Z Systems Eus →
Codeready Linux Builder For Ibm Z Systems Eus by Redhat
View all CVEs affecting Codeready Linux Builder For Ibm Z Systems Eus →
Codeready Linux Builder For Power Little Endian by Redhat
View all CVEs affecting Codeready Linux Builder For Power Little Endian →
Codeready Linux Builder For Power Little Endian Eus by Redhat
View all CVEs affecting Codeready Linux Builder For Power Little Endian Eus →
Codeready Linux Builder For Power Little Endian Eus by Redhat
View all CVEs affecting Codeready Linux Builder For Power Little Endian Eus →
Codeready Linux Builder For Power Little Endian Eus by Redhat
View all CVEs affecting Codeready Linux Builder For Power Little Endian Eus →
Codeready Linux Builder For Power Little Endian Eus by Redhat
View all CVEs affecting Codeready Linux Builder For Power Little Endian Eus →
Codeready Linux Builder For Power Little Endian Eus by Redhat
View all CVEs affecting Codeready Linux Builder For Power Little Endian Eus →
Codeready Linux Builder For Power Little Endian Eus by Redhat
View all CVEs affecting Codeready Linux Builder For Power Little Endian Eus →
Enterprise Linux For Ibm Z Systems by Redhat
View all CVEs affecting Enterprise Linux For Ibm Z Systems →
Enterprise Linux For Ibm Z Systems Eus by Redhat
View all CVEs affecting Enterprise Linux For Ibm Z Systems Eus →
Enterprise Linux For Ibm Z Systems Eus by Redhat
View all CVEs affecting Enterprise Linux For Ibm Z Systems Eus →
Enterprise Linux For Ibm Z Systems Eus by Redhat
View all CVEs affecting Enterprise Linux For Ibm Z Systems Eus →
Enterprise Linux For Ibm Z Systems Eus by Redhat
View all CVEs affecting Enterprise Linux For Ibm Z Systems Eus →
Enterprise Linux For Ibm Z Systems Eus by Redhat
View all CVEs affecting Enterprise Linux For Ibm Z Systems Eus →
Enterprise Linux For Ibm Z Systems Eus by Redhat
View all CVEs affecting Enterprise Linux For Ibm Z Systems Eus →
Enterprise Linux For Power Little Endian by Redhat
View all CVEs affecting Enterprise Linux For Power Little Endian →
Enterprise Linux For Power Little Endian Eus by Redhat
View all CVEs affecting Enterprise Linux For Power Little Endian Eus →
Enterprise Linux For Power Little Endian Eus by Redhat
View all CVEs affecting Enterprise Linux For Power Little Endian Eus →
Enterprise Linux For Power Little Endian Eus by Redhat
View all CVEs affecting Enterprise Linux For Power Little Endian Eus →
Enterprise Linux For Power Little Endian Eus by Redhat
View all CVEs affecting Enterprise Linux For Power Little Endian Eus →
Enterprise Linux For Power Little Endian Eus by Redhat
View all CVEs affecting Enterprise Linux For Power Little Endian Eus →
Enterprise Linux For Power Little Endian Eus by Redhat
View all CVEs affecting Enterprise Linux For Power Little Endian Eus →
Enterprise Linux Update Services For Sap Solutions by Redhat
View all CVEs affecting Enterprise Linux Update Services For Sap Solutions →
Enterprise Linux Update Services For Sap Solutions by Redhat
View all CVEs affecting Enterprise Linux Update Services For Sap Solutions →
Enterprise Linux Update Services For Sap Solutions by Redhat
View all CVEs affecting Enterprise Linux Update Services For Sap Solutions →
Enterprise Linux Update Services For Sap Solutions by Redhat
View all CVEs affecting Enterprise Linux Update Services For Sap Solutions →
Enterprise Linux Update Services For Sap Solutions by Redhat
View all CVEs affecting Enterprise Linux Update Services For Sap Solutions →
Enterprise Linux Update Services For Sap Solutions by Redhat
View all CVEs affecting Enterprise Linux Update Services For Sap Solutions →
Fedora by Fedoraproject
Fedora by Fedoraproject
Fedora by Fedoraproject
Sssd by Fedoraproject
⚠️ Risk & Real-World Impact
Worst Case
Unauthorized users gain access to sensitive resources or authorized users are improperly denied access to critical systems, potentially leading to data breaches or operational disruption.
Likely Case
Intermittent authorization failures or unexpected access permissions for users in AD-integrated environments, causing access control inconsistencies.
If Mitigated
Minimal impact with proper network segmentation and additional authorization controls, though inconsistent policy application may still occur.
🎯 Exploit Status
Exploitation requires timing attacks during user authentication processes.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check specific Red Hat advisories for patched versions
Vendor Advisory: https://access.redhat.com/errata/RHSA-2024:1919
Restart Required: Yes
Instructions:
1. Check current sssd version. 2. Apply appropriate Red Hat security update via yum update sssd. 3. Restart sssd service: systemctl restart sssd. 4. Verify update applied.
🔧 Temporary Workarounds
Disable GPO enforcement
linuxTemporarily disable GPO policy enforcement in SSSD configuration
sed -i 's/^ldap_gpo.*/ldap_gpo = False/' /etc/sssd/sssd.conf
systemctl restart sssd
🧯 If You Can't Patch
- Implement additional network segmentation to limit access to sensitive resources
- Add secondary authorization controls independent of SSSD GPO policies
🔍 How to Verify
Check if Vulnerable:
Check sssd version and if using AD GPO: rpm -q sssd && grep ldap_gpo /etc/sssd/sssd.confCheck Version:
rpm -q sssd --queryformat '%{VERSION}-%{RELEASE}\n'Verify Fix Applied:
Verify updated sssd version and test authentication with GPO policies📡 Detection & Monitoring
Log Indicators:
- SSSD logs showing inconsistent GPO application
- Authentication failures/successes that violate expected policies
Network Indicators:
- Unexpected LDAP queries during authentication
SIEM Query:
source="sssd" AND ("GPO" OR "policy") AND ("inconsistent" OR "race")🔗 References
- https://access.redhat.com/errata/RHSA-2024:1919
- https://access.redhat.com/errata/RHSA-2024:1920
- https://access.redhat.com/errata/RHSA-2024:1921
- https://access.redhat.com/errata/RHSA-2024:1922
- https://access.redhat.com/errata/RHSA-2024:2571
- https://access.redhat.com/errata/RHSA-2024:3270
- https://access.redhat.com/security/cve/CVE-2023-3758
- https://bugzilla.redhat.com/show_bug.cgi?id=2223762
- https://github.com/SSSD/sssd/pull/7302
- https://access.redhat.com/errata/RHSA-2024:1919
- https://access.redhat.com/errata/RHSA-2024:1920
- https://access.redhat.com/errata/RHSA-2024:1921
- https://access.redhat.com/errata/RHSA-2024:1922
- https://access.redhat.com/errata/RHSA-2024:2571
- https://access.redhat.com/errata/RHSA-2024:3270
- https://access.redhat.com/security/cve/CVE-2023-3758
- https://bugzilla.redhat.com/show_bug.cgi?id=2223762
- https://github.com/SSSD/sssd/pull/7302
- https://lists.debian.org/debian-lts-announce/2025/02/msg00008.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RV3HIZI3SURBUQKSOOL3XE64OOBQ2HTK/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XEP62IDS7A55D5UHM6GH7QZ7SQFOAPVF/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XMORAO2BDDA5YX4ZLMXDZ7SM6KU47SY5/
