Security update for sssd SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:4183-1 Final 1 1 2025-11-24T07:56:37Z current 2025-11-24T07:56:37Z 2025-11-24T07:56:37Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for sssd This update for sssd fixes the following issues: - CVE-2025-11561: Fixed privilege escalation on AD-joined Linux systems due to default Kerberos configuration disabling localauth an2ln plugin (bsc#1251827) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2025-4183,SUSE-SLE-Module-Basesystem-15-SP7-2025-4183 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-20254183-1/ Link for SUSE-SU-2025:4183-1 https://lists.suse.com/pipermail/sle-security-updates/2025-November/023319.html E-Mail link for SUSE-SU-2025:4183-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1251827 SUSE Bug 1251827 https://www.suse.com/security/cve/CVE-2025-11561/ SUSE CVE CVE-2025-11561 page SUSE Linux Enterprise Module for Basesystem 15 SP7 libipa_hbac-devel-2.9.3-150700.9.9.1 libipa_hbac0-2.9.3-150700.9.9.1 libnfsidmap-sss-2.9.3-150700.9.9.1 libsss_certmap-devel-2.9.3-150700.9.9.1 libsss_certmap0-2.9.3-150700.9.9.1 libsss_idmap-devel-2.9.3-150700.9.9.1 libsss_idmap0-2.9.3-150700.9.9.1 libsss_nss_idmap-devel-2.9.3-150700.9.9.1 libsss_nss_idmap0-2.9.3-150700.9.9.1 libsss_simpleifp-devel-2.9.3-150700.9.9.1 libsss_simpleifp0-2.9.3-150700.9.9.1 python3-ipa_hbac-2.9.3-150700.9.9.1 python3-sss-murmur-2.9.3-150700.9.9.1 python3-sss_nss_idmap-2.9.3-150700.9.9.1 python3-sssd-config-2.9.3-150700.9.9.1 sssd-2.9.3-150700.9.9.1 sssd-32bit-2.9.3-150700.9.9.1 sssd-64bit-2.9.3-150700.9.9.1 sssd-ad-2.9.3-150700.9.9.1 sssd-dbus-2.9.3-150700.9.9.1 sssd-ipa-2.9.3-150700.9.9.1 sssd-kcm-2.9.3-150700.9.9.1 sssd-krb5-2.9.3-150700.9.9.1 sssd-krb5-common-2.9.3-150700.9.9.1 sssd-ldap-2.9.3-150700.9.9.1 sssd-proxy-2.9.3-150700.9.9.1 sssd-tools-2.9.3-150700.9.9.1 sssd-winbind-idmap-2.9.3-150700.9.9.1 libipa_hbac-devel-2.9.3-150700.9.9.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP7 libipa_hbac0-2.9.3-150700.9.9.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP7 libsss_certmap-devel-2.9.3-150700.9.9.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP7 libsss_certmap0-2.9.3-150700.9.9.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP7 libsss_idmap-devel-2.9.3-150700.9.9.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP7 libsss_idmap0-2.9.3-150700.9.9.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP7 libsss_nss_idmap-devel-2.9.3-150700.9.9.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP7 libsss_nss_idmap0-2.9.3-150700.9.9.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP7 libsss_simpleifp-devel-2.9.3-150700.9.9.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP7 libsss_simpleifp0-2.9.3-150700.9.9.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP7 python3-sssd-config-2.9.3-150700.9.9.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP7 sssd-2.9.3-150700.9.9.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP7 sssd-32bit-2.9.3-150700.9.9.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP7 sssd-ad-2.9.3-150700.9.9.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP7 sssd-dbus-2.9.3-150700.9.9.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP7 sssd-ipa-2.9.3-150700.9.9.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP7 sssd-kcm-2.9.3-150700.9.9.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP7 sssd-krb5-2.9.3-150700.9.9.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP7 sssd-krb5-common-2.9.3-150700.9.9.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP7 sssd-ldap-2.9.3-150700.9.9.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP7 sssd-proxy-2.9.3-150700.9.9.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP7 sssd-tools-2.9.3-150700.9.9.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP7 sssd-winbind-idmap-2.9.3-150700.9.9.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP7 A flaw was found in the integration of Active Directory and the System Security Services Daemon (SSSD) on Linux systems. In default configurations, the Kerberos local authentication plugin (sssd_krb5_localauth_plugin) is enabled, but a fallback to the an2ln plugin is possible. This fallback allows an attacker with permission to modify certain AD attributes (such as userPrincipalName or samAccountName) to impersonate privileged users, potentially resulting in unauthorized access or privilege escalation on domain-joined Linux hosts. CVE-2025-11561 SUSE Linux Enterprise Module for Basesystem 15 SP7:libipa_hbac-devel-2.9.3-150700.9.9.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:libipa_hbac0-2.9.3-150700.9.9.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:libsss_certmap-devel-2.9.3-150700.9.9.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:libsss_certmap0-2.9.3-150700.9.9.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:libsss_idmap-devel-2.9.3-150700.9.9.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:libsss_idmap0-2.9.3-150700.9.9.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:libsss_nss_idmap-devel-2.9.3-150700.9.9.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:libsss_nss_idmap0-2.9.3-150700.9.9.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:libsss_simpleifp-devel-2.9.3-150700.9.9.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:libsss_simpleifp0-2.9.3-150700.9.9.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:python3-sssd-config-2.9.3-150700.9.9.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:sssd-2.9.3-150700.9.9.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:sssd-32bit-2.9.3-150700.9.9.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:sssd-ad-2.9.3-150700.9.9.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:sssd-dbus-2.9.3-150700.9.9.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:sssd-ipa-2.9.3-150700.9.9.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:sssd-kcm-2.9.3-150700.9.9.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:sssd-krb5-2.9.3-150700.9.9.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:sssd-krb5-common-2.9.3-150700.9.9.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:sssd-ldap-2.9.3-150700.9.9.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:sssd-proxy-2.9.3-150700.9.9.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:sssd-tools-2.9.3-150700.9.9.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:sssd-winbind-idmap-2.9.3-150700.9.9.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20254183-1/ https://www.suse.com/security/cve/CVE-2025-11561.html CVE-2025-11561 https://bugzilla.suse.com/1251827 SUSE Bug 1251827