CVE-2022-4254: 
NixOS vulnerability analysis and mitigation

A vulnerability (CVE-2022-4254) was discovered in SSSD's libsss_certmap functionality, specifically affecting the PKINIT authentication process. The vulnerability was introduced in SSSD version 1.15.3 and was fixed in version 2.3.1. PKINIT enables clients to authenticate to the KDC using X.509 certificates instead of traditional authentication methods like passphrases or keytabs (Debian LTS).

The vulnerability exists in the libssscertmap component where certificate data used in LDAP filters is not properly sanitized. The mapping filter is vulnerable to LDAP filter injection, allowing manipulation of search results through values in the certificate. This occurs when mapping rules are used to map certificates presented during PKINIT authentication requests to corresponding principals ([Red Hat Bugzilla](https://bugzilla.redhat.com/showbug.cgi?id=2149894), GitHub Issue).

The vulnerability's impact is severe as it could allow an attacker to influence search results through certificate values, which may be attacker-controlled. In the most extreme case, an attacker could potentially gain control of the admin account, leading to full domain takeover (Debian LTS).

The vulnerability has been fixed in SSSD version 2.3.1. Various distributions have released security updates to address this issue. For example, Debian 10 (Buster) has fixed this in version 1.16.3-3.2+deb10u1, and Red Hat has also released corresponding security updates (Debian LTS, Red Hat Bugzilla).