Security update for sssd SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:4247-1 Final 1 1 2025-11-26T08:56:55Z current 2025-11-26T08:56:55Z 2025-11-26T08:56:55Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for sssd This update for sssd fixes the following issues: - CVE-2025-11561: Fixed privilege escalation on AD-joined Linux systems due to default Kerberos configuration disabling localauth an2ln plugin (bsc#1251827) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2025-4247,SUSE-SLE-Module-Basesystem-15-SP6-2025-4247,openSUSE-SLE-15.6-2025-4247 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-20254247-1/ Link for SUSE-SU-2025:4247-1 https://lists.suse.com/pipermail/sle-security-updates/2025-November/023368.html E-Mail link for SUSE-SU-2025:4247-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1251827 SUSE Bug 1251827 https://www.suse.com/security/cve/CVE-2025-11561/ SUSE CVE CVE-2025-11561 page SUSE Linux Enterprise Module for Basesystem 15 SP6 openSUSE Leap 15.6 libipa_hbac-devel-2.9.3-150600.3.28.1 libipa_hbac0-2.9.3-150600.3.28.1 libnfsidmap-sss-2.9.3-150600.3.28.1 libsss_certmap-devel-2.9.3-150600.3.28.1 libsss_certmap0-2.9.3-150600.3.28.1 libsss_idmap-devel-2.9.3-150600.3.28.1 libsss_idmap0-2.9.3-150600.3.28.1 libsss_nss_idmap-devel-2.9.3-150600.3.28.1 libsss_nss_idmap0-2.9.3-150600.3.28.1 libsss_simpleifp-devel-2.9.3-150600.3.28.1 libsss_simpleifp0-2.9.3-150600.3.28.1 python3-ipa_hbac-2.9.3-150600.3.28.1 python3-sss-murmur-2.9.3-150600.3.28.1 python3-sss_nss_idmap-2.9.3-150600.3.28.1 python3-sssd-config-2.9.3-150600.3.28.1 sssd-2.9.3-150600.3.28.1 sssd-32bit-2.9.3-150600.3.28.1 sssd-64bit-2.9.3-150600.3.28.1 sssd-ad-2.9.3-150600.3.28.1 sssd-dbus-2.9.3-150600.3.28.1 sssd-ipa-2.9.3-150600.3.28.1 sssd-kcm-2.9.3-150600.3.28.1 sssd-krb5-2.9.3-150600.3.28.1 sssd-krb5-common-2.9.3-150600.3.28.1 sssd-ldap-2.9.3-150600.3.28.1 sssd-proxy-2.9.3-150600.3.28.1 sssd-tools-2.9.3-150600.3.28.1 sssd-winbind-idmap-2.9.3-150600.3.28.1 libipa_hbac-devel-2.9.3-150600.3.28.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP6 libipa_hbac0-2.9.3-150600.3.28.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP6 libsss_certmap-devel-2.9.3-150600.3.28.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP6 libsss_certmap0-2.9.3-150600.3.28.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP6 libsss_idmap-devel-2.9.3-150600.3.28.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP6 libsss_idmap0-2.9.3-150600.3.28.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP6 libsss_nss_idmap-devel-2.9.3-150600.3.28.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP6 libsss_nss_idmap0-2.9.3-150600.3.28.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP6 libsss_simpleifp-devel-2.9.3-150600.3.28.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP6 libsss_simpleifp0-2.9.3-150600.3.28.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP6 python3-sssd-config-2.9.3-150600.3.28.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP6 sssd-2.9.3-150600.3.28.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP6 sssd-32bit-2.9.3-150600.3.28.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP6 sssd-ad-2.9.3-150600.3.28.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP6 sssd-dbus-2.9.3-150600.3.28.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP6 sssd-ipa-2.9.3-150600.3.28.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP6 sssd-kcm-2.9.3-150600.3.28.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP6 sssd-krb5-2.9.3-150600.3.28.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP6 sssd-krb5-common-2.9.3-150600.3.28.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP6 sssd-ldap-2.9.3-150600.3.28.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP6 sssd-proxy-2.9.3-150600.3.28.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP6 sssd-tools-2.9.3-150600.3.28.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP6 sssd-winbind-idmap-2.9.3-150600.3.28.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP6 libipa_hbac-devel-2.9.3-150600.3.28.1 as a component of openSUSE Leap 15.6 libipa_hbac0-2.9.3-150600.3.28.1 as a component of openSUSE Leap 15.6 libnfsidmap-sss-2.9.3-150600.3.28.1 as a component of openSUSE Leap 15.6 libsss_certmap-devel-2.9.3-150600.3.28.1 as a component of openSUSE Leap 15.6 libsss_certmap0-2.9.3-150600.3.28.1 as a component of openSUSE Leap 15.6 libsss_idmap-devel-2.9.3-150600.3.28.1 as a component of openSUSE Leap 15.6 libsss_idmap0-2.9.3-150600.3.28.1 as a component of openSUSE Leap 15.6 libsss_nss_idmap-devel-2.9.3-150600.3.28.1 as a component of openSUSE Leap 15.6 libsss_nss_idmap0-2.9.3-150600.3.28.1 as a component of openSUSE Leap 15.6 libsss_simpleifp-devel-2.9.3-150600.3.28.1 as a component of openSUSE Leap 15.6 libsss_simpleifp0-2.9.3-150600.3.28.1 as a component of openSUSE Leap 15.6 python3-ipa_hbac-2.9.3-150600.3.28.1 as a component of openSUSE Leap 15.6 python3-sss-murmur-2.9.3-150600.3.28.1 as a component of openSUSE Leap 15.6 python3-sss_nss_idmap-2.9.3-150600.3.28.1 as a component of openSUSE Leap 15.6 python3-sssd-config-2.9.3-150600.3.28.1 as a component of openSUSE Leap 15.6 sssd-2.9.3-150600.3.28.1 as a component of openSUSE Leap 15.6 sssd-32bit-2.9.3-150600.3.28.1 as a component of openSUSE Leap 15.6 sssd-ad-2.9.3-150600.3.28.1 as a component of openSUSE Leap 15.6 sssd-dbus-2.9.3-150600.3.28.1 as a component of openSUSE Leap 15.6 sssd-ipa-2.9.3-150600.3.28.1 as a component of openSUSE Leap 15.6 sssd-kcm-2.9.3-150600.3.28.1 as a component of openSUSE Leap 15.6 sssd-krb5-2.9.3-150600.3.28.1 as a component of openSUSE Leap 15.6 sssd-krb5-common-2.9.3-150600.3.28.1 as a component of openSUSE Leap 15.6 sssd-ldap-2.9.3-150600.3.28.1 as a component of openSUSE Leap 15.6 sssd-proxy-2.9.3-150600.3.28.1 as a component of openSUSE Leap 15.6 sssd-tools-2.9.3-150600.3.28.1 as a component of openSUSE Leap 15.6 sssd-winbind-idmap-2.9.3-150600.3.28.1 as a component of openSUSE Leap 15.6 A flaw was found in the integration of Active Directory and the System Security Services Daemon (SSSD) on Linux systems. In default configurations, the Kerberos local authentication plugin (sssd_krb5_localauth_plugin) is enabled, but a fallback to the an2ln plugin is possible. This fallback allows an attacker with permission to modify certain AD attributes (such as userPrincipalName or samAccountName) to impersonate privileged users, potentially resulting in unauthorized access or privilege escalation on domain-joined Linux hosts. CVE-2025-11561 SUSE Linux Enterprise Module for Basesystem 15 SP6:libipa_hbac-devel-2.9.3-150600.3.28.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:libipa_hbac0-2.9.3-150600.3.28.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:libsss_certmap-devel-2.9.3-150600.3.28.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:libsss_certmap0-2.9.3-150600.3.28.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:libsss_idmap-devel-2.9.3-150600.3.28.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:libsss_idmap0-2.9.3-150600.3.28.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:libsss_nss_idmap-devel-2.9.3-150600.3.28.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:libsss_nss_idmap0-2.9.3-150600.3.28.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:libsss_simpleifp-devel-2.9.3-150600.3.28.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:libsss_simpleifp0-2.9.3-150600.3.28.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:python3-sssd-config-2.9.3-150600.3.28.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:sssd-2.9.3-150600.3.28.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:sssd-32bit-2.9.3-150600.3.28.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:sssd-ad-2.9.3-150600.3.28.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:sssd-dbus-2.9.3-150600.3.28.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:sssd-ipa-2.9.3-150600.3.28.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:sssd-kcm-2.9.3-150600.3.28.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:sssd-krb5-2.9.3-150600.3.28.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:sssd-krb5-common-2.9.3-150600.3.28.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:sssd-ldap-2.9.3-150600.3.28.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:sssd-proxy-2.9.3-150600.3.28.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:sssd-tools-2.9.3-150600.3.28.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:sssd-winbind-idmap-2.9.3-150600.3.28.1 openSUSE Leap 15.6:libipa_hbac-devel-2.9.3-150600.3.28.1 openSUSE Leap 15.6:libipa_hbac0-2.9.3-150600.3.28.1 openSUSE Leap 15.6:libnfsidmap-sss-2.9.3-150600.3.28.1 openSUSE Leap 15.6:libsss_certmap-devel-2.9.3-150600.3.28.1 openSUSE Leap 15.6:libsss_certmap0-2.9.3-150600.3.28.1 openSUSE Leap 15.6:libsss_idmap-devel-2.9.3-150600.3.28.1 openSUSE Leap 15.6:libsss_idmap0-2.9.3-150600.3.28.1 openSUSE Leap 15.6:libsss_nss_idmap-devel-2.9.3-150600.3.28.1 openSUSE Leap 15.6:libsss_nss_idmap0-2.9.3-150600.3.28.1 openSUSE Leap 15.6:libsss_simpleifp-devel-2.9.3-150600.3.28.1 openSUSE Leap 15.6:libsss_simpleifp0-2.9.3-150600.3.28.1 openSUSE Leap 15.6:python3-ipa_hbac-2.9.3-150600.3.28.1 openSUSE Leap 15.6:python3-sss-murmur-2.9.3-150600.3.28.1 openSUSE Leap 15.6:python3-sss_nss_idmap-2.9.3-150600.3.28.1 openSUSE Leap 15.6:python3-sssd-config-2.9.3-150600.3.28.1 openSUSE Leap 15.6:sssd-2.9.3-150600.3.28.1 openSUSE Leap 15.6:sssd-32bit-2.9.3-150600.3.28.1 openSUSE Leap 15.6:sssd-ad-2.9.3-150600.3.28.1 openSUSE Leap 15.6:sssd-dbus-2.9.3-150600.3.28.1 openSUSE Leap 15.6:sssd-ipa-2.9.3-150600.3.28.1 openSUSE Leap 15.6:sssd-kcm-2.9.3-150600.3.28.1 openSUSE Leap 15.6:sssd-krb5-2.9.3-150600.3.28.1 openSUSE Leap 15.6:sssd-krb5-common-2.9.3-150600.3.28.1 openSUSE Leap 15.6:sssd-ldap-2.9.3-150600.3.28.1 openSUSE Leap 15.6:sssd-proxy-2.9.3-150600.3.28.1 openSUSE Leap 15.6:sssd-tools-2.9.3-150600.3.28.1 openSUSE Leap 15.6:sssd-winbind-idmap-2.9.3-150600.3.28.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20254247-1/ https://www.suse.com/security/cve/CVE-2025-11561.html CVE-2025-11561 https://bugzilla.suse.com/1251827 SUSE Bug 1251827