[Pkg-sssd-devel] Bug#1117935: sssd: CVE-2025-11561

Salvatore Bonaccorso carnil at debian.org
Sun Oct 12 19:58:31 BST 2025


Source: sssd
Version: 2.10.1-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/SSSD/sssd/issues/8021
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>

Hi,

The following vulnerability was published for sssd.

Right now this is mainly for tracking purposes. My understanding is
that there is no fix planned in the near future, and a mitigation exists by
explicitly enabling the sssd_krb5_localauth_plugin plugin.

CVE-2025-11561[0]:
| A flaw was found in the integration of Active Directory and the
| System Security Services Daemon (SSSD) on Linux systems. In default
| configurations, the Kerberos local authentication plugin
| (sssd_krb5_localauth_plugin) is enabled, but a fallback to the an2ln
| plugin is possible. This fallback allows an attacker with permission
| to modify certain AD attributes (such as userPrincipalName or
| samAccountName) to impersonate privileged users, potentially
| resulting in unauthorized access or privilege escalation on domain-
| joined Linux hosts.


If you fix the vulnerability, please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-11561
    https://www.cve.org/CVERecord?id=CVE-2025-11561
[1] https://bugzilla.redhat.com/show_bug.cgi?id=2402727
[2] https://blog.async.sg/kerberos-ldr
[3] https://github.com/SSSD/sssd/issues/8021

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
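For reference, the explicit plugin configuration the report refers to, as an added example that is not part of the bug report or of the sssd project's own documentation: it restricts krb5's localauth interface to the SSSD module via enable_only, so the an2ln fallback named in the CVE text is not consulted. The module path is an assumption (it depends on distribution and architecture; the sssd_krb5_localauth_plugin(8) manual page gives the correct one for a given install).

```ini
; /etc/krb5.conf fragment (added example, not from the bug report)
; Module path below is an assumption; adjust to where sssd installs the plugin.
[plugins]
 localauth = {
  module = sssd:/usr/lib/x86_64-linux-gnu/sssd/modules/sssd_krb5_localauth_plugin.so
  enable_only = sssd
 }
```

With enable_only set, a principal that SSSD cannot map to a local user fails local authorization instead of falling through to the built-in an2ln rules.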


