Bug 1793071 (CVE-2020-1722)

Summary: CVE-2020-1722 ipa: No password length restriction leads to denial of service
Product: [Other] Security Response Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: abokovoy, contribs, frenaud, ipa-maint, jcholast, jhrozek, mkosek, pcech, pvoborni, rcritten, security-response-team, ssorce, tscherf, twoerner
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in IPA. When sending a very long password (>= 1,000,000 characters) to the server, the password hashing process could exhaust memory and CPU leading to a denial of service and the website becoming unresponsive. The highest threat from this vulnerability is to system availability.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-09-29 21:59:32 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1802408, 1802409, 1823621    
Bug Blocks: 1780457    

Description Dhananjay Arunesh 2020-01-20 15:47:11 UTC 
A vulnerability was found in IPA, where by sending a very long password (1.000.000 characters) it's possible to cause a denial a service attack on the server. This may lead to the website becoming unavailable or unresponsive. Usually, this problem is caused by a vulnerable password hashing implementation. When a long password is sent, the password hashing process will result in CPU and memory exhaustion.
Comment 14 Huzaifa S. Sidhpurwala 2020-04-14 04:27:03 UTC 
Acknowledgments:

Name: Pritam Singh (Red Hat)
Comment 15 Huzaifa S. Sidhpurwala 2020-04-14 04:27:35 UTC 
Created freeipa tracking bugs for this issue:

Affects: fedora-all [bug 1823621]
Comment 16 Alexander Bokovoy 2020-04-14 07:27:53 UTC 
Link FreeIPA issue 8268 here: https://pagure.io/freeipa/issue/8268 

FreeIPA team agrees with Red Hat Security Response Team assessment that this is a low severity, low priority issue. 
The fix will be merged into FreeIPA upstream but no separate release will be done.
Comment 17 errata-xmlrpc 2020-09-29 19:57:51 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:3936 https://access.redhat.com/errata/RHSA-2020:3936
Comment 18 Product Security DevOps Team 2020-09-29 21:59:32 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-1722
Comment 19 errata-xmlrpc 2020-11-04 02:49:58 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4670 https://access.redhat.com/errata/RHSA-2020:4670