Bug 1982782 (CVE-2021-3652)

Summary: CVE-2021-3652 389-ds-base: CRYPT password hash with asterisk allows any bind attempt to succeed
Product: [Other] Security Response
Reporter: Cedric Buissart <cbuissar>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: abokovoy, ldap-maint, mreynolds, spichugi, tbordaz, vashirov
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: 389-ds-base 2.0.7
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in 389-ds-base. If an asterisk is imported as a password hash, either accidentally or maliciously, then instead of the account being inactive, any password will successfully match during authentication. This flaw allows an attacker to successfully authenticate as a user whose password was disabled.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-08-10 19:28:38 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1981833, 1982786, 1982787, 1982788, 1982789, 1983121, 1993277, 2005432
Bug Blocks: 1982754, 1983219

Description Cedric Buissart 2021-07-15 17:12:44 UTC
It was found that invalid password hashes were not correctly handled by 389-ds-base.

An asterisk, '*', is a method that can be used in a NIS database, or in /etc/shadow, to disable an account's password. As a result of the flaw, if an LDAP admin imports such an account from a NIS or /etc/shadow database into Directory Server, any password will be valid for that account.

Reference: https://github.com/389ds/389-ds-base/issues/4817
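The mitigation the description implies, shown as an added example rather than 389-ds-base's own code: a fail-closed userPassword verifier that treats the /etc/shadow and NIS lock markers as values that match nothing, hands only a well-formed setting to crypt(3) and treats any crypt failure as a non-match, plus an LDIF audit that lists the entries carrying such values so an administrator can find accounts that were imported in a disabled state. The function names (verify_userpassword, audit_ldif, make_ssha), the constructed LDIF entries and the {SSHA} encoder are assumptions of this example; {SSHA} is included only so the test data does not depend on the crypt module, which newer Python versions no longer ship.

```python
import base64
import hashlib
import hmac
import os
import re

try:
    import crypt  # stdlib module, deprecated since Python 3.11 and removed in 3.13
except ImportError:
    crypt = None  # {CRYPT} values then never verify: the verifier fails closed

# Lock markers written by passwd/usermod into /etc/shadow and NIS passwd maps.
# They are not hashes; a verifier must treat them as "matches nothing".
DISABLED_MARKERS = {"*", "!", "!!", "*LK*", "*NP*"}
_SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$", re.DOTALL)


def parse_userpassword(stored):
    """Split '{SCHEME}payload' into (SCHEME, payload); scheme is None without a prefix."""
    m = _SCHEME_RE.match(stored)
    return (m.group(1).upper(), m.group(2)) if m else (None, stored)


def is_disabled_marker(payload):
    """True for lock markers, including '!' or '*' prepended to a once-valid hash.
    No crypt(3), SSHA or SHA hash starts with either character, so the prefix test is safe."""
    return payload in DISABLED_MARKERS or payload.startswith(("!", "*"))


def make_ssha(password, salt=None):
    """Constructed {SSHA} encoder (SHA-1 over password+salt), used here to build test data."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify_ssha(password, payload):
    try:
        raw = base64.b64decode(payload, validate=True)
    except ValueError:
        return False
    if len(raw) < 20:  # SHA-1 digest missing or truncated: cannot be a real hash
        return False
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)


def verify_crypt(password, payload):
    """Only a well-formed crypt(3) setting reaches crypt(); every failure is a non-match."""
    if payload.startswith("$"):
        well_formed = payload.count("$") >= 3          # modular format $id$salt$hash
    else:
        well_formed = re.fullmatch(r"[./A-Za-z0-9]{13}", payload) is not None  # traditional DES
    if crypt is None or not well_formed:
        return False
    try:
        computed = crypt.crypt(password, payload)
    except (OSError, ValueError):
        return False
    # A NULL result or a '*'-prefixed string is crypt(3)'s failure signal, not a hash.
    if not computed or computed.startswith("*"):
        return False
    return hmac.compare_digest(computed, payload)


VERIFIERS = {"SSHA": verify_ssha, "CRYPT": verify_crypt}


def verify_userpassword(password, stored):
    """Fail closed: an unhashed value, a lock marker or an unknown scheme never matches."""
    scheme, payload = parse_userpassword(stored)
    if scheme is None or is_disabled_marker(payload):
        return False
    verifier = VERIFIERS.get(scheme)
    return bool(verifier and verifier(password, payload))


def _ldif_value(rest):
    # LDIF writes values with leading specials or non-printables as 'attr:: <base64>'
    return base64.b64decode(rest[1:].strip()).decode() if rest.startswith(":") else rest.strip()


def audit_ldif(ldif_text):
    """List (dn, value) for userPassword values the verifier above would always reject."""
    findings, dn = [], None
    for line in ldif_text.splitlines():
        attr, sep, rest = line.partition(":")
        if not sep:
            continue
        if attr == "dn":
            dn = _ldif_value(rest)
        elif attr.lower() == "userpassword":
            value = _ldif_value(rest)
            scheme, payload = parse_userpassword(value)
            if scheme is None or scheme not in VERIFIERS or is_disabled_marker(payload):
                findings.append((dn, value))
    return findings


# Constructed sample export: alice is fine, bob and carol were imported locked.
SAMPLE_LDIF = "\n".join([
    "dn: uid=alice,ou=people,dc=example,dc=com",
    "userPassword: " + make_ssha("correct horse", salt=b"saltsalt"),
    "",
    "dn: uid=bob,ou=people,dc=example,dc=com",
    "userPassword: {CRYPT}*",
    "",
    "dn: uid=carol,ou=people,dc=example,dc=com",
    "userPassword:: " + base64.b64encode(b"{CRYPT}!$6$x$y").decode(),
])

if __name__ == "__main__":
    for dn, value in audit_ldif(SAMPLE_LDIF):
        print(f"{dn}: {value!r} can never authenticate")
    print(verify_userpassword("anything", "{CRYPT}*"))  # False
```

The order of the checks is the point: the lock-marker test runs before any scheme-specific code, so a '*' imported from /etc/shadow is rejected without ever being handed to crypt(3), and a crypt failure on a malformed setting is an explicit non-match rather than something the comparison can fall through.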

Comment 1 Cedric Buissart 2021-07-15 17:25:29 UTC
Created 389-ds-base tracking bugs for this issue:

Affects: fedora-all [bug 1982786]

Comment 9 errata-xmlrpc 2021-08-10 13:59:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:3079 https://access.redhat.com/errata/RHSA-2021:3079

Comment 10 Product Security DevOps Team 2021-08-10 19:28:38 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3652

Comment 11 errata-xmlrpc 2021-10-12 15:30:42 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:3807 https://access.redhat.com/errata/RHSA-2021:3807

Comment 12 errata-xmlrpc 2021-10-19 06:53:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:3906 https://access.redhat.com/errata/RHSA-2021:3906

Comment 13 errata-xmlrpc 2021-10-25 06:36:12 UTC
This issue has been addressed in the following products:

  Red Hat Directory Server 11.4 for RHEL 8

Via RHSA-2021:3955 https://access.redhat.com/errata/RHSA-2021:3955