Bug 1905565 (CVE-2020-35518)

Summary: CVE-2020-35518 389-ds-base: information disclosure during the binding of a DN
Product: [Other] Security Response
Reporter: Cedric Buissart <cbuissar>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: carnil, jachapma, ldap-maint, mreynolds, progier, security-response-team, sgouvern, spichugi, tbordaz, tkubota, tmihinto, vashirov
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: 389-ds-base 2.0.3, 389-ds-base 1.4.4.13, 389-ds-base 1.4.3.19
Doc Type: If docs needed, set a value
Doc Text:
When binding against a DN during authentication, the reply from 389-ds-base differs depending on whether the DN exists. This can be used by an unauthenticated attacker to check the existence of an entry in the LDAP database.
Last Closed: 2021-04-06 17:35:19 UTC
Bug Depends On: 1904991, 1908653, 1908705, 1910941, 1918135, 1923217, 1930272, 1931182, 1946632
Bug Blocks: 1905546, 1939997

Description Cedric Buissart 2020-12-08 14:57:18 UTC
When binding against a DN during authentication, the reply from 389-ds-base differs depending on whether the DN exists. This can be used by an unauthenticated attacker to check the existence of an entry in the LDAP database.
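
Added example (not part of this bug report, and not 389-ds-base's own code): a toy Python model of the failure mode the description reports. It puts a simple-bind handler that answers a nonexistent DN differently from a wrong password beside one that answers every failed bind the same way, and includes a check that tells the two apart. The directory contents, DNs and passwords are constructed sample data; the result codes are RFC 4511's noSuchObject (32) and invalidCredentials (49), chosen for illustration because this bug does not say which codes 389-ds-base actually returned before the fix.

```python
"""Toy simple-bind handler modelling the failure mode of CVE-2020-35518.

Example code added to this bug record; it is not 389-ds-base's code.
Entries, DNs and passwords below are constructed sample data.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

# Result codes from RFC 4511, used here for illustration only; the bug does
# not state which codes 389-ds-base returned before the fix.
SUCCESS = 0
NO_SUCH_OBJECT = 32
INVALID_CREDENTIALS = 49


@dataclass(frozen=True)
class BindResult:
    """The part of a BindResponse an unauthenticated client can observe."""
    result_code: int
    diagnostic_message: str


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def make_directory(entries: dict) -> dict:
    """Build {normalised DN: (salt, password hash)} from {DN: password}.

    Lower-casing is a stand-in for real DN normalisation (RFC 4514)."""
    directory = {}
    for dn, password in entries.items():
        salt = os.urandom(16)
        directory[dn.lower()] = (salt, _derive(password, salt))
    return directory


def bind_leaky(directory: dict, dn: str, password: str) -> BindResult:
    """Vulnerable pattern: an absent entry gets its own result code, so a
    client learns whether the DN exists without knowing any password."""
    entry = directory.get(dn.lower())
    if entry is None:
        return BindResult(NO_SUCH_OBJECT, "No such entry")
    salt, digest = entry
    if password and hmac.compare_digest(_derive(password, salt), digest):
        return BindResult(SUCCESS, "")
    return BindResult(INVALID_CREDENTIALS, "Invalid credentials")


# Dummy credential used when the DN is absent, so the password is still
# derived and compared and the code path does not depend on existence.
_DUMMY_SALT = os.urandom(16)
_DUMMY_DIGEST = _derive("", _DUMMY_SALT)


def bind_uniform(directory: dict, dn: str, password: str) -> BindResult:
    """Hardened pattern: every failed simple bind, whatever its cause,
    yields the same result code and diagnostic message."""
    if not password:
        # Empty password = unauthenticated bind (RFC 4513 5.1.2); refuse it
        # before any lookup so the answer cannot depend on the DN.
        return BindResult(INVALID_CREDENTIALS, "Invalid credentials")
    entry = directory.get(dn.lower())
    salt, digest = entry if entry is not None else (_DUMMY_SALT, _DUMMY_DIGEST)
    matched = hmac.compare_digest(_derive(password, salt), digest)
    # The dummy digest derives from "" and empty passwords were refused above,
    # so an absent entry cannot match; the explicit check keeps that true
    # even if the dummy is ever changed.
    if entry is not None and matched:
        return BindResult(SUCCESS, "")
    return BindResult(INVALID_CREDENTIALS, "Invalid credentials")


def leaks_existence(bind, directory: dict, existing_dn: str, missing_dn: str) -> bool:
    """Existence-oracle check: does a failed bind for a real DN differ from
    one for a DN that is not in the directory? True means the handler leaks."""
    wrong = "not-the-password-" + os.urandom(4).hex()
    return bind(directory, existing_dn, wrong) != bind(directory, missing_dn, wrong)


SAMPLE_DIRECTORY = make_directory({  # constructed sample entry
    "uid=alice,ou=People,dc=example,dc=com": "correct horse battery staple",
})
EXISTING_DN = "uid=alice,ou=People,dc=example,dc=com"
MISSING_DN = "uid=nobody,ou=People,dc=example,dc=com"


if __name__ == "__main__":
    for name, handler in (("leaky", bind_leaky), ("uniform", bind_uniform)):
        leak = leaks_existence(handler, SAMPLE_DIRECTORY, EXISTING_DN, MISSING_DN)
        print(f"{name:8s} handler leaks existence: {leak}")
```

The check compares the whole observable response, because a uniform result code is not enough on its own: a differing diagnostic message or matchedDN value would reopen the same oracle. Deriving the password against a dummy credential keeps the two failure paths doing the same work, but response timing remains a separate channel that this model only narrows, not one it proves closed.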

Comment 4 Cedric Buissart 2020-12-17 09:31:34 UTC
Created 389-ds-base tracking bugs for this issue:

Affects: fedora-all [bug 1908653]

Comment 12 Salvatore Bonaccorso 2021-01-21 21:59:42 UTC
Hi Cedric,

is there by chance an upstream reference for this? Was this already fixed?

Regards,
Salvatore

Comment 13 mreynolds 2021-01-21 22:15:29 UTC
(In reply to Salvatore Bonaccorso from comment #12)
> Hi Cedric,
> 
> is there by chance an upstream reference for this? Was this already fixed?
> 
> Regards,
> Salvatore

This was fixed upstream via: 

https://github.com/389ds/389-ds-base/issues/4480

Comment 14 Salvatore Bonaccorso 2021-01-22 05:23:25 UTC
Hi

(In reply to mreynolds from comment #13)
> (In reply to Salvatore Bonaccorso from comment #12)
> > Hi Cedric,
> > 
> > is there by chance an upstream reference for this? Was this already fixed?
> > 
> > Regards,
> > Salvatore
> 
> This was fixed upstream via: 
> 
> https://github.com/389ds/389-ds-base/issues/4480

Thank you.

Regards,
Salvatore

Comment 15 Cedric Buissart 2021-01-22 08:14:54 UTC
I am not sure this fix is sufficient.
Last time I checked, I could still deduce the existence of an object without authenticating.

Comment 16 thierry bordaz 2021-01-22 08:25:36 UTC
(In reply to Cedric Buissart from comment #15)
> I am not sure this fix is sufficient.
> Last time I checked, I could still deduce the existence of an object without
> authenticating.

Hi Cedric, I think it is. I answered one of the concerns at https://bugzilla.redhat.com/show_bug.cgi?id=1904991#c12. Is it the concern you were thinking of when saying the fix is not sufficient?

Comment 17 errata-xmlrpc 2021-02-16 18:30:27 UTC
This issue has been addressed in the following products:

  Red Hat Directory Server 11.1 for RHEL 8

Via RHSA-2021:0599 https://access.redhat.com/errata/RHSA-2021:0599

Comment 19 errata-xmlrpc 2021-04-06 14:06:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:1086 https://access.redhat.com/errata/RHSA-2021:1086

Comment 20 Product Security DevOps Team 2021-04-06 17:35:19 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-35518

Comment 22 errata-xmlrpc 2021-04-19 09:54:28 UTC
This issue has been addressed in the following products:

  Red Hat Directory Server 11.2 for RHEL 8

Via RHSA-2021:1243 https://access.redhat.com/errata/RHSA-2021:1243

Comment 23 errata-xmlrpc 2021-04-19 15:49:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:1258 https://access.redhat.com/errata/RHSA-2021:1258

Comment 24 errata-xmlrpc 2021-06-08 22:35:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:2323 https://access.redhat.com/errata/RHSA-2021:2323