Bug 1870624

Summary: RHDS - allow more than 1 empty AttributeDescription for ldapsearch, without the risk of denial of service
Product: Red Hat Enterprise Linux 7
Reporter: Rainer Beyel <rbeyel>
Component: 389-ds-base
Assignee: mreynolds
Status: CLOSED ERRATA
QA Contact: RHDS QE <ds-qe-bugs>
Severity: medium
Priority: unspecified
Version: 7.9
CC: aadhikar, jachapma, mreynolds, msauton, ofalk, pasik, sgouvern, spichugi, tbordaz, tmihinto, vashirov
Target Milestone: rc
Keywords: TestCaseProvided
Target Release: 7.9
Hardware: Unspecified
OS: Unspecified
Whiteboard: sync-to-jira
Fixed In Version: 389-ds-base-1.3.10.2-7.1.el7_9
Doc Type: If docs needed, set a value
Last Closed: 2020-11-10 13:14:10 UTC
Type: Bug
Attachments:
  Proposed patch for spec and source. (Flags: ofalk: review?)

Description Rainer Beyel 2020-08-20 13:34:34 UTC
Description of problem:
  With RHSA-2018:3127 applied on RHDS, "Cisco Web Security" (Ironport) is no longer able to use RHDS for authentication. The "Cisco Web Security" LDAP query contains 3 empty ("") AttributeDescriptions - with RHSA-2018:3127 applied (from my understanding) only 1 empty AttributeDescription is allowed.

Version-Release number of selected component:
  RHDS 10 with RHSA-2018:3127 applied

How reproducible:
  Configure "Cisco Web Security" to authenticate against RHDS 10

Actual results:
  "Cisco Web Security" is not able to use RHDS for authentication

Expected results:
  "Cisco Web Security" is able to use RHDS for authentication
  Allow multiple (e.g. 3) empty ("") AttributeDescriptions with ldapsearch on RHDS - without the risk of denial of service

Additional info:
  - https://access.redhat.com/security/cve/CVE-2018-14648
  - https://access.redhat.com/errata/RHSA-2018:3127
  - https://bugzilla.redhat.com/show_bug.cgi?id=1630668

  - ldap error
    "conn=12345678 op=0 SRCH base="dc=xxx,dc=xxx,dc=xxx" scope=2 filter="(&(objectClass=posixAccount)(uid=xxx))", invalid attribute request"

  - Excerpt from tcpdump:
      ...
      protocolOp: searchRequest (3)
      ...
      attributes: 7 items
        AttributeDescription: gecos
        AttributeDescription:
        AttributeDescription:
        AttributeDescription:
        AttributeDescription: memberOf
        AttributeDescription: DN
        AttributeDescription: CN
      ...

Comment 2 Oliver Falk 2020-09-08 13:38:36 UTC
Created attachment 1714123 [details]
Proposed patch for spec and source.

Comment 13 mreynolds 2020-10-21 22:58:50 UTC
Reproducer:

Requesting more than 10 empty attributes will result in an error 2 (protocol error)

# ldapsearch -xLLL -b "" -s base cn "" "" "" "" "" "" "" "" "" "" ""
Protocol error (2)

This should succeed:

# ldapsearch -xLLL -b "" -s base cn "" "" "" "" "" "" "" "" "" ""
dn:

Comment 14 Akshay Adhikari 2020-10-23 15:34:47 UTC
Build tested: 389-ds-base-1.3.10.2-7.1.el7_9.x86_64

# ldapsearch -xLLL -b "" -s base cn "" "" "" "" "" "" "" "" "" "" (max accepted empty value)
dn:

# ldapsearch -xLLL -b "" -s base cn "" "" 
dn:

LDAP server is allowing more than 1 empty AttributeDescription for ldapsearch, marking as VERIFIED.

Comment 16 Akshay Adhikari 2020-10-23 16:14:06 UTC
Build tested: 389-ds-base-1.3.10.2-7.1.el7_9.x86_64

Requesting more than 10 empty attributes is resulting in error 2 (protocol error)

# ldapsearch -xLLL -b "" -s base cn "" "" "" "" "" "" "" "" "" "" ""
Protocol error (2)

Comment 20 errata-xmlrpc 2020-11-10 13:14:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (389-ds-base bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:5041