CVE-2015-5292
sssd: memory leak in the sssd_pac_plugin
Severity Score
6.8
*CVSS v2
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
Memory leak in the Privilege Attribute Certificate (PAC) responder plugin (sssd_pac_plugin.so) in System Security Services Daemon (SSSD) 1.10 before 1.13.1 allows remote authenticated users to cause a denial of service (memory consumption) via a large number of logins that trigger parsing of PAC blobs during Kerberos authentication.
Fuga de memoria en el plugin en Privilege Attribute Certificate (PAC) responder (sssd_pac_plugin.so) en System Security Services Daemon (SSSD) 1.10 en versiones anteriores a 1.13.1 permite a usuarios remotos autenticados provocar una denegación de servicio (consumo de memoria) a través de un gran número de logins que desencadenan análisis gramaticales de blobs de PAC durante la autenticación Kerberos.
It was found that SSSD's Privilege Attribute Certificate (PAC) responder plug-in would leak a small amount of memory on each authentication request. A remote attacker could potentially use this flaw to exhaust all available memory on the system by making repeated requests to a Kerberized daemon application configured to authenticate using the PAC responder plug-in.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2015-07-01 CVE Reserved
- 2015-10-29 CVE Published
- 2023-03-07 EPSS Updated
- 2024-08-06 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-399: Resource Management Errors
- CWE-401: Missing Release of Memory after Effective Lifetime
CAPEC
References (14)
| URL | Tag | Source |
|---|---|---|
| http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html | X_refsource_confirm |
|
| http://www.securityfocus.com/bid/77529 | Vdb Entry | |
| http://www.securitytracker.com/id/1034038 | Vdb Entry | |
| https://fedorahosted.org/sssd/attachment/ticket/2803/0001-Fix-memory-leak-in-sssdpac_verify.patch | X_refsource_confirm | |
| https://fedorahosted.org/sssd/ticket/2803 | X_refsource_confirm | |
| https://fedorahosted.org/sssd/wiki/Releases/Notes-1.13.1 | X_refsource_confirm |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Fedoraproject Search vendor "Fedoraproject" | Sssd Search vendor "Fedoraproject" for product "Sssd" | 1.10.0 Search vendor "Fedoraproject" for product "Sssd" and version "1.10.0" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Sssd Search vendor "Fedoraproject" for product "Sssd" | 1.10.1 Search vendor "Fedoraproject" for product "Sssd" and version "1.10.1" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Sssd Search vendor "Fedoraproject" for product "Sssd" | 1.11.0 Search vendor "Fedoraproject" for product "Sssd" and version "1.11.0" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Sssd Search vendor "Fedoraproject" for product "Sssd" | 1.11.1 Search vendor "Fedoraproject" for product "Sssd" and version "1.11.1" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Sssd Search vendor "Fedoraproject" for product "Sssd" | 1.11.2 Search vendor "Fedoraproject" for product "Sssd" and version "1.11.2" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Sssd Search vendor "Fedoraproject" for product "Sssd" | 1.11.3 Search vendor "Fedoraproject" for product "Sssd" and version "1.11.3" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Sssd Search vendor "Fedoraproject" for product "Sssd" | 1.11.4 Search vendor "Fedoraproject" for product "Sssd" and version "1.11.4" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Sssd Search vendor "Fedoraproject" for product "Sssd" | 1.11.5 Search vendor "Fedoraproject" for product "Sssd" and version "1.11.5" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Sssd Search vendor "Fedoraproject" for product "Sssd" | 1.11.6 Search vendor "Fedoraproject" for product "Sssd" and version "1.11.6" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Sssd Search vendor "Fedoraproject" for product "Sssd" | 1.11.7 Search vendor "Fedoraproject" for product "Sssd" and version "1.11.7" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Sssd Search vendor "Fedoraproject" for product "Sssd" | 1.12.0 Search vendor "Fedoraproject" for product "Sssd" and version "1.12.0" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Sssd Search vendor "Fedoraproject" for product "Sssd" | 1.12.1 Search vendor "Fedoraproject" for product "Sssd" and version "1.12.1" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Sssd Search vendor "Fedoraproject" for product "Sssd" | 1.12.2 Search vendor "Fedoraproject" for product "Sssd" and version "1.12.2" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Sssd Search vendor "Fedoraproject" for product "Sssd" | 1.12.3 Search vendor "Fedoraproject" for product "Sssd" and version "1.12.3" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Sssd Search vendor "Fedoraproject" for product "Sssd" | 1.12.4 Search vendor "Fedoraproject" for product "Sssd" and version "1.12.4" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Sssd Search vendor "Fedoraproject" for product "Sssd" | 1.12.5 Search vendor "Fedoraproject" for product "Sssd" and version "1.12.5" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Sssd Search vendor "Fedoraproject" for product "Sssd" | 1.13.0 Search vendor "Fedoraproject" for product "Sssd" and version "1.13.0" | - |
Affected
| ||||||