Bug 1358865 (CVE-2016-5405)

Summary: CVE-2016-5405 389-ds-base: Password verification vulnerable to timing attack
Product: [Other] Security Response
Reporter: Adam Mariš <amaris>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: nhosoi, nkinder, rmeggins, security-response-team, wibrown
Keywords: Security
Hardware: All
OS: Linux
Doc Text:
It was found that 389 Directory Server was vulnerable to a remote password disclosure via timing attack. A remote attacker could possibly use this flaw to retrieve a directory server password after many tries.
Last Closed: 2016-11-15 19:57:47 UTC
Bug Depends On: 1358565, 1360974, 1360975, 1360976
Bug Blocks: 1323912, 1358866

Description Adam Mariš 2016-07-21 16:10:23 UTC
It was found that 389 Directory Server is vulnerable to a remote password disclosure via timing attack. Due to the use of strcmp and memcmp in the verification of passwords and hashes, a remote attacker is able to tell the difference between computation times, which makes it possible to retrieve the password after many tries.

This affects systems storing passwords in plain text. Systems using unsalted hashes might be unsafe as well if using weak hash algorithms, however the attack would be very time-consuming.
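As an added illustration of the defect described in this report (not code from 389-ds-base or from the reporter): the early-exit string comparison that leaks the position of the first mismatch, beside a constant-time replacement whose running time depends only on the length of the stored value. Function names are my own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The leaky pattern: strcmp/memcmp return at the first differing byte,
 * so the elapsed time reveals how many leading bytes of the supplied
 * password (or hash) matched the stored one. */
int verify_leaky(const char *stored, const char *supplied)
{
    return strcmp(stored, supplied) == 0;
}

/* Constant-time check: always walk the whole stored value and OR the
 * byte differences together, so neither the loop count nor the result
 * depends on where (or whether) the first mismatch occurs. A length
 * mismatch is folded into the accumulator instead of short-circuiting. */
int verify_constant_time(const char *stored, const char *supplied)
{
    size_t slen = strlen(stored);
    size_t plen = strlen(supplied);
    unsigned char diff = (slen != plen) ? 1 : 0;

    for (size_t i = 0; i < slen; i++) {
        /* Past the end of the supplied value, compare against 0 so the
         * iteration count is fixed by the stored length only. */
        unsigned char b = (i < plen) ? (unsigned char)supplied[i] : 0;
        diff |= (unsigned char)stored[i] ^ b;
    }
    return diff == 0;
}

int main(void)
{
    /* Constructed sample values, not real credentials. */
    const char *stored = "s3cret";
    printf("leaky    match: %d\n", verify_leaky(stored, "s3cret"));
    printf("ct       match: %d\n", verify_constant_time(stored, "s3cret"));
    printf("ct   mismatch: %d\n", verify_constant_time(stored, "s3creT"));
    printf("ct  short in: %d\n", verify_constant_time(stored, "s3cre"));
    return 0;
}
```

Real implementations compare fixed-length hash digests, so the stored length is known in advance; the same accumulate-and-mask structure applies, and compilers should be checked to confirm they do not reintroduce an early exit.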

Comment 1 Adam Mariš 2016-07-21 16:10:28 UTC
Acknowledgments:

Name: William Brown (Red Hat)

Comment 11 errata-xmlrpc 2016-11-03 20:44:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2594 https://rhn.redhat.com/errata/RHSA-2016-2594.html

Comment 13 errata-xmlrpc 2016-11-15 19:38:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2016:2765 https://rhn.redhat.com/errata/RHSA-2016-2765.html