<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>SSSD - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/sssd/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 07 Jul 2026 10:18:41 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/sssd/feed.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2026-14474 - SSSD LDAP sudo Provider Privilege Escalation</title><link>https://feed.craftedsignal.io/briefs/2026-07-cve-2026-14474-sssd-privesc/</link><pubDate>Tue, 07 Jul 2026 10:18:41 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-cve-2026-14474-sssd-privesc/</guid><description>A vulnerability in SSSD's LDAP sudo provider, CVE-2026-14474, allows an authenticated attacker to achieve root-level privilege escalation by injecting a malicious sudoRole object into any writable LDAP subtree when the `ldap_sudo_search_base` option is not explicitly configured on SSSD-enrolled Linux hosts.</description><content:encoded><![CDATA[<p>CVE-2026-14474 details a critical flaw within the SSSD (System Security Services Daemon) LDAP sudo provider, identified as having a CVSS v3.1 base score of 8.8. This vulnerability affects Linux systems where SSSD is used to manage sudo privileges via an LDAP directory, specifically when the <code>ldap_sudo_search_base</code> option is not explicitly defined in the SSSD configuration. In such a scenario, SSSD defaults to searching the entire LDAP directory tree for <code>sudoRole</code> objects. An authenticated attacker who possesses write access to <em>any</em> subtree within the LDAP directory can exploit this behavior. By injecting a specially crafted <code>sudoRole</code> object into their writable subtree, the attacker can grant themselves or other controlled accounts root-level sudo privileges on all SSSD-enrolled hosts that retrieve and process these LDAP sudo rules, leading to complete system compromise. This highlights the importance of explicit configuration and proper access controls within LDAP environments integrated with SSSD.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An authenticated attacker gains access to a user account within the target LDAP environment.</li>
<li>The attacker identifies that SSSD on target Linux hosts is configured to use the LDAP sudo provider without explicitly setting the <code>ldap_sudo_search_base</code> option.</li>
<li>The attacker leverages their authenticated access to confirm write permissions to <em>any</em> subtree within the LDAP directory, even if it is not the intended or traditional <code>sudoRole</code> search base.</li>
<li>The attacker creates and injects a new, malicious <code>sudoRole</code> object into the writable LDAP subtree. This object is crafted to grant root-level sudo privileges (e.g., <code>ALL=(ALL:ALL) ALL</code>) to a user or group controlled by the attacker.</li>
<li>When a user attempts to execute a command with <code>sudo</code> on an SSSD-enrolled host, SSSD queries the LDAP server for <code>sudoRole</code> objects across the entire directory tree due to the missing <code>ldap_sudo_search_base</code> configuration.</li>
<li>SSSD discovers the attacker's injected <code>sudoRole</code> object during its broad LDAP search and interprets it as a legitimate sudo rule.</li>
<li>SSSD processes the malicious <code>sudoRole</code>, effectively granting the specified attacker-controlled user or group root-level sudo privileges.</li>
<li>The attacker can now execute arbitrary commands with <code>sudo</code> as the root user on any SSSD-enrolled Linux host configured with the vulnerable setup, achieving full system compromise.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-14474 results in immediate root-level privilege escalation on all affected Linux hosts configured to use the vulnerable SSSD LDAP sudo provider. This allows the attacker to fully compromise the integrity, confidentiality, and availability of the affected systems. An attacker can exfiltrate sensitive data, install backdoors, deploy malware (e.g., ransomware), or disrupt critical services. The broad scope of <code>sudoRole</code> application means a single malicious injection can affect numerous machines across an enterprise, leading to widespread organizational impact and potential regulatory violations.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately update SSSD to the patched version once available to address CVE-2026-14474.</li>
<li>Explicitly configure the <code>ldap_sudo_search_base</code> option in your SSSD configuration files (<code>/etc/sssd/sssd.conf</code>) on all Linux hosts. Define a specific, secure base DN where <code>sudoRole</code> objects are expected, rather than allowing SSSD to search the entire LDAP tree.</li>
<li>Review and restrict write access permissions to all LDAP directory subtrees, ensuring only authorized administrators can modify entries relevant to <code>sudoRole</code> objects.</li>
<li>Regularly audit your LDAP directory for unauthorized or suspicious <code>sudoRole</code> objects that may have been injected.</li>
<li>Monitor <code>sudo</code> logs (e.g., <code>/var/log/secure</code> or journald) for unusual privilege escalation attempts or commands executed by newly privileged users on SSSD-enrolled systems.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>linux</category><category>privilege-escalation</category><category>cve</category><category>vulnerability</category></item></channel></rss>