{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/sssd/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-14474"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["SSSD LDAP sudo provider"],"_cs_severities":["high"],"_cs_tags":["linux","privilege-escalation","cve","vulnerability"],"_cs_type":"advisory","_cs_vendors":["SSSD"],"content_html":"\u003cp\u003eCVE-2026-14474 details a critical flaw within the SSSD (System Security Services Daemon) LDAP sudo provider, identified as having a CVSS v3.1 base score of 8.8. This vulnerability affects Linux systems where SSSD is used to manage sudo privileges via an LDAP directory, specifically when the \u003ccode\u003eldap_sudo_search_base\u003c/code\u003e option is not explicitly defined in the SSSD configuration. In such a scenario, SSSD defaults to searching the entire LDAP directory tree for \u003ccode\u003esudoRole\u003c/code\u003e objects. An authenticated attacker who possesses write access to \u003cem\u003eany\u003c/em\u003e subtree within the LDAP directory can exploit this behavior. By injecting a specially crafted \u003ccode\u003esudoRole\u003c/code\u003e object into their writable subtree, the attacker can grant themselves or other controlled accounts root-level sudo privileges on all SSSD-enrolled hosts that retrieve and process these LDAP sudo rules, leading to complete system compromise. This highlights the importance of explicit configuration and proper access controls within LDAP environments integrated with SSSD.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn authenticated attacker gains access to a user account within the target LDAP environment.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies that SSSD on target Linux hosts is configured to use the LDAP sudo provider without explicitly setting the \u003ccode\u003eldap_sudo_search_base\u003c/code\u003e option.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages their authenticated access to confirm write permissions to \u003cem\u003eany\u003c/em\u003e subtree within the LDAP directory, even if it is not the intended or traditional \u003ccode\u003esudoRole\u003c/code\u003e search base.\u003c/li\u003e\n\u003cli\u003eThe attacker creates and injects a new, malicious \u003ccode\u003esudoRole\u003c/code\u003e object into the writable LDAP subtree. This object is crafted to grant root-level sudo privileges (e.g., \u003ccode\u003eALL=(ALL:ALL) ALL\u003c/code\u003e) to a user or group controlled by the attacker.\u003c/li\u003e\n\u003cli\u003eWhen a user attempts to execute a command with \u003ccode\u003esudo\u003c/code\u003e on an SSSD-enrolled host, SSSD queries the LDAP server for \u003ccode\u003esudoRole\u003c/code\u003e objects across the entire directory tree due to the missing \u003ccode\u003eldap_sudo_search_base\u003c/code\u003e configuration.\u003c/li\u003e\n\u003cli\u003eSSSD discovers the attacker's injected \u003ccode\u003esudoRole\u003c/code\u003e object during its broad LDAP search and interprets it as a legitimate sudo rule.\u003c/li\u003e\n\u003cli\u003eSSSD processes the malicious \u003ccode\u003esudoRole\u003c/code\u003e, effectively granting the specified attacker-controlled user or group root-level sudo privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker can now execute arbitrary commands with \u003ccode\u003esudo\u003c/code\u003e as the root user on any SSSD-enrolled Linux host configured with the vulnerable setup, achieving full system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-14474 results in immediate root-level privilege escalation on all affected Linux hosts configured to use the vulnerable SSSD LDAP sudo provider. This allows the attacker to fully compromise the integrity, confidentiality, and availability of the affected systems. An attacker can exfiltrate sensitive data, install backdoors, deploy malware (e.g., ransomware), or disrupt critical services. The broad scope of \u003ccode\u003esudoRole\u003c/code\u003e application means a single malicious injection can affect numerous machines across an enterprise, leading to widespread organizational impact and potential regulatory violations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update SSSD to the patched version once available to address CVE-2026-14474.\u003c/li\u003e\n\u003cli\u003eExplicitly configure the \u003ccode\u003eldap_sudo_search_base\u003c/code\u003e option in your SSSD configuration files (\u003ccode\u003e/etc/sssd/sssd.conf\u003c/code\u003e) on all Linux hosts. Define a specific, secure base DN where \u003ccode\u003esudoRole\u003c/code\u003e objects are expected, rather than allowing SSSD to search the entire LDAP tree.\u003c/li\u003e\n\u003cli\u003eReview and restrict write access permissions to all LDAP directory subtrees, ensuring only authorized administrators can modify entries relevant to \u003ccode\u003esudoRole\u003c/code\u003e objects.\u003c/li\u003e\n\u003cli\u003eRegularly audit your LDAP directory for unauthorized or suspicious \u003ccode\u003esudoRole\u003c/code\u003e objects that may have been injected.\u003c/li\u003e\n\u003cli\u003eMonitor \u003ccode\u003esudo\u003c/code\u003e logs (e.g., \u003ccode\u003e/var/log/secure\u003c/code\u003e or journald) for unusual privilege escalation attempts or commands executed by newly privileged users on SSSD-enrolled systems.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-07T10:18:41Z","date_published":"2026-07-07T10:18:41Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-14474-sssd-privesc/","summary":"A vulnerability in SSSD's LDAP sudo provider, CVE-2026-14474, allows an authenticated attacker to achieve root-level privilege escalation by injecting a malicious sudoRole object into any writable LDAP subtree when the `ldap_sudo_search_base` option is not explicitly configured on SSSD-enrolled Linux hosts.","title":"CVE-2026-14474 - SSSD LDAP sudo Provider Privilege Escalation","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-14474-sssd-privesc/"}],"language":"en","title":"CraftedSignal Threat Feed - SSSD","version":"https://jsonfeed.org/version/1.1"}