{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/sssd/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8,"id":"CVE-2026-14476"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["SSSD AD GPO provider","Red Hat Enterprise Linux 10","Red Hat Enterprise Linux 7","Red Hat Enterprise Linux 8","Red Hat Enterprise Linux 9","Red Hat OpenShift Container Platform 4"],"_cs_severities":["high"],"_cs_tags":["path-traversal","privilege-escalation","authentication-bypass","kerberos","linux","red-hat","sssd","cve"],"_cs_type":"advisory","_cs_vendors":["Red Hat"],"content_html":"\u003cp\u003eA critical path traversal vulnerability, tracked as CVE-2026-14476, has been identified in the System Security Services Daemon (SSSD) AD GPO provider. This flaw resides within the \u003ccode\u003ead_gpo_extract_smb_components()\u003c/code\u003e function, which fails to properly sanitize \u003ccode\u003e..\u003c/code\u003e sequences embedded within the \u003ccode\u003egPCFileSysPath\u003c/code\u003e LDAP attribute. This oversight enables an attacker, who has already secured Active Directory GPO management privileges, to craft a malicious attribute that directs file writes outside the intended GPO cache directory. Exploitation results in the ability to write arbitrary files as the \u003ccode\u003eroot\u003c/code\u003e user on affected systems. Specifically, on default Red Hat Enterprise Linux (RHEL) configurations with SELinux in enforcing mode, this vulnerability can be leveraged to inject malicious Kerberos configuration, ultimately leading to an authentication bypass, compromising system integrity and access controls.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains or already possesses valid Active Directory GPO management credentials and access.\u003c/li\u003e\n\u003cli\u003eUsing their GPO management privileges, the attacker modifies the \u003ccode\u003egPCFileSysPath\u003c/code\u003e LDAP attribute to include \u003ccode\u003e..\u003c/code\u003e path traversal sequences.\u003c/li\u003e\n\u003cli\u003eThe crafted \u003ccode\u003egPCFileSysPath\u003c/code\u003e attribute is designed to point to a sensitive system directory outside the normal GPO cache on the target SSSD-managed RHEL system.\u003c/li\u003e\n\u003cli\u003eWhen SSSD's \u003ccode\u003ead_gpo_extract_smb_components()\u003c/code\u003e function processes this attribute, it inadequately sanitizes the \u003ccode\u003e..\u003c/code\u003e sequences, misinterpreting the attacker's intended path.\u003c/li\u003e\n\u003cli\u003eThis allows the attacker to write arbitrary files with \u003ccode\u003eroot\u003c/code\u003e privileges to a chosen location on the affected RHEL system, bypassing normal file system permissions.\u003c/li\u003e\n\u003cli\u003eThe attacker injects a malicious Kerberos configuration file (e.g., within \u003ccode\u003e/etc/krb5.conf.d/\u003c/code\u003e or \u003ccode\u003e/etc/krb5.conf\u003c/code\u003e) into a directory that is processed by the system's Kerberos client.\u003c/li\u003e\n\u003cli\u003eThe injected configuration manipulates Kerberos authentication parameters, potentially redirecting authentication requests or enabling compromise of Kerberos tickets.\u003c/li\u003e\n\u003cli\u003eThis manipulation leads to an authentication bypass, granting the attacker unauthorized access or elevated privileges on the SSSD-managed RHEL system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-14476 grants an authenticated attacker (with AD GPO management access) the ability to achieve arbitrary file write as root on targeted Red Hat Enterprise Linux systems. This level of access allows for critical system compromise, including the injection of malicious Kerberos configurations that can lead to a full authentication bypass. The consequence is a complete compromise of system integrity, confidentiality, and availability, enabling unauthorized access to sensitive data and critical system functions. Organizations relying on SSSD for Active Directory integration on RHEL are at risk, with potential for widespread compromise if AD GPO management systems are breached.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-14476 by applying the latest security updates provided by Red Hat for SSSD to all affected Red Hat Enterprise Linux and OpenShift Container Platform installations.\u003c/li\u003e\n\u003cli\u003eReview and restrict Active Directory GPO management access to only necessary administrative accounts, following the principle of least privilege.\u003c/li\u003e\n\u003cli\u003eMonitor for unusual file creation or modification events in sensitive system directories (e.g., \u003ccode\u003e/etc/krb5.conf\u003c/code\u003e, \u003ccode\u003e/etc/krb5.conf.d/\u003c/code\u003e) on SSSD-managed RHEL systems.\u003c/li\u003e\n\u003cli\u003eImplement host-based intrusion detection systems to alert on unexpected changes to Kerberos configuration files or attempts to write files outside standard GPO cache locations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-07T10:19:46Z","date_published":"2026-07-07T10:19:46Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-14476-sssd-path-traversal/","summary":"A path traversal vulnerability (CVE-2026-14476) in SSSD's Active Directory Group Policy Object (AD GPO) provider allows an authenticated attacker with AD GPO management access to write arbitrary files outside the GPO cache directory with root privileges, leading to Kerberos configuration injection and potential authentication bypass on Red Hat Enterprise Linux systems.","title":"CVE-2026-14476: SSSD AD GPO Provider Path Traversal to Root File Write and Authentication Bypass","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-14476-sssd-path-traversal/"}],"language":"en","title":"CraftedSignal Threat Feed - Sssd","version":"https://jsonfeed.org/version/1.1"}