Bug 2091781 (CVE-2022-1949)

Summary: CVE-2022-1949 389-ds-base: access control bypass by query (filter in LDAP terms) optimiser
Product: [Other] Security Response
Component: vulnerability
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
Hardware: All
OS: Linux
Keywords: Security
Reporter: Sandipan Roy <saroy>
Assignee: Nobody <nobody>
CC: abokovoy, emartyny, idm-ds-dev-bugs, mreynolds, spichugi, tbordaz, tmihinto, vashirov, william
Doc Type: If docs needed, set a value
Doc Text: A flaw was found in the 389-ds-base package where some LDAP queries can cause performance issues. This flaw allows an attacker to send a non-optimal search that causes serious performance issues within the directory server.
Bug Depends On: 2091786, 2091787, 2091788, 2091790, 2091791, 2091792, 2091793
Bug Blocks: 2091784

Description Sandipan Roy 2022-05-31 04:00:00 UTC
mishandling of the filter that would yield incorrect results, but as that has progressed, we have determined that it actually is an access control bypass. This may allow any remote unauthenticated user to issue a filter that allows searching for database items they do not have access to, including but not limited to potentially userPassword hashes and other sensitive data.


https://github.com/389ds/389-ds-base/issues/5170

Comment 1 Sandipan Roy 2022-05-31 04:20:31 UTC
Created 389-ds-base tracking bugs for this issue:

Affects: fedora-34 [bug 2091786]
Affects: fedora-35 [bug 2091787]
Affects: fedora-36 [bug 2091788]

Comment 2 William Brown 2022-05-31 04:33:25 UTC
Hi there, thanks for creating this! 

It's worth pointing out that since this was found, we have a working (public) reproducer, and that it may be possible to use this to extract userPassword hashes, private keys, kerberos master keys (freeipa). I think the access complexity may also have dropped as a result of this.

Additionally, this affects all versions of 389-ds from 1.3.x onwards. 

Hope that helps,

There are patches upstream; see: https://github.com/389ds/389-ds-base/issues/5170#issuecomment-1140630971
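The comments above describe the shape of the abusive query: a search whose filter tests an attribute (userPassword, Kerberos keys) that the binding user has no read access to. While patched packages are rolled out, an operator can look for that shape in the 389-ds access log. The script below is an added example, not code from the bug report, from 389-ds or from the upstream patches. It assumes the default 389-ds access log layout (`[ts] conn=N op=M BIND dn="..." ...` and `SRCH base="..." scope=S filter="..." attrs=...`), the attribute names in `SENSITIVE_ATTRS` are a starting list chosen here (extend it to whatever your ACIs protect), and the log excerpt in `ACCESS_LOG` is constructed for the example rather than taken from any real server.

```python
"""Flag 389-ds searches whose filter tests attributes that ACIs normally hide.

Added example, not code from the bug report or from 389-ds. It reads the
server access log (format assumed to be the 389-ds default access log) and
reports SRCH operations whose filter references a sensitive attribute, which
is the kind of query the filter-optimiser bypass (CVE-2022-1949) lets through.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Attributes whose values ACIs usually deny to ordinary binds. Assumed
# starting list; extend it to match your own ACIs.
SENSITIVE_ATTRS = {"userpassword", "krbprincipalkey", "krbmkey", "ipanthash"}

# One access-log line: "[ts] conn=N op=M <operation ...>"
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) (?P<body>.*)$')
BIND_RE = re.compile(r'^BIND dn="(?P<dn>[^"]*)"')
SRCH_RE = re.compile(r'^SRCH base="(?P<base>[^"]*)" scope=(?P<scope>\d) filter="(?P<filter>.*)" attrs=')
# Attribute on the left of each filter item: (attr=v), (attr>=v), (attr<=v),
# (attr~=v) and the extensible (attr:rule:=v) form.
ATTR_RE = re.compile(r'\(([A-Za-z][\w.;-]*)(?::[^=()]*)?(?:<=|>=|~=|=)')


def filter_attributes(ldap_filter: str) -> set[str]:
    """Return the lower-cased attribute names tested anywhere in an LDAP filter."""
    return {m.group(1).lower() for m in ATTR_RE.finditer(ldap_filter)}


@dataclass
class Finding:
    timestamp: str
    conn: int
    op: int
    bind_dn: str          # "" means the search ran as anonymous
    ldap_filter: str
    sensitive: tuple[str, ...]

    @property
    def anonymous(self) -> bool:
        return self.bind_dn == ""


def audit_access_log(log_text: str) -> list[Finding]:
    """Walk the log once, remembering the bind DN per connection, and flag
    every SRCH whose filter tests a sensitive attribute."""
    bind_dn: dict[int, str] = {}      # conn -> last bound DN; never bound = anonymous
    findings: list[Finding] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        conn, op, body = int(m["conn"]), int(m["op"]), m["body"]
        if b := BIND_RE.match(body):
            bind_dn[conn] = b["dn"]
            continue
        if s := SRCH_RE.match(body):
            hit = filter_attributes(s["filter"]) & SENSITIVE_ATTRS
            if hit:
                findings.append(Finding(m["ts"], conn, op, bind_dn.get(conn, ""),
                                        s["filter"], tuple(sorted(hit))))
    return findings


# Constructed log excerpt (not from any real server): conn=10 is an anonymous
# bind, conn=11 is an authenticated admin bind.
ACCESS_LOG = """\
[31/May/2022:04:00:00.000000000 +0000] conn=10 op=0 BIND dn="" method=128 version=3
[31/May/2022:04:00:00.000100000 +0000] conn=10 op=0 RESULT err=0 tag=97 nentries=0 etime=0.000100000 dn=""
[31/May/2022:04:00:01.000000000 +0000] conn=10 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(&(objectClass=person)(userPassword=*))" attrs="cn"
[31/May/2022:04:00:01.000200000 +0000] conn=10 op=1 RESULT err=0 tag=101 nentries=0 etime=0.000200000
[31/May/2022:04:00:02.000000000 +0000] conn=11 op=0 BIND dn="uid=admin,ou=people,dc=example,dc=com" method=128 version=3
[31/May/2022:04:00:03.000000000 +0000] conn=11 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(userPassword={SSHA}*)" attrs=ALL
[31/May/2022:04:00:04.000000000 +0000] conn=10 op=2 SRCH base="cn=accounts,dc=example,dc=com" scope=2 filter="(|(cn=j*)(krbPrincipalKey=*))" attrs="cn"
[31/May/2022:04:00:05.000000000 +0000] conn=10 op=3 SRCH base="dc=example,dc=com" scope=2 filter="(cn=jsmith)" attrs="cn mail"
"""

if __name__ == "__main__":
    for f in audit_access_log(ACCESS_LOG):
        who = "ANONYMOUS" if f.anonymous else f.bind_dn
        print(f"{f.timestamp} conn={f.conn} op={f.op} {who}: {f.ldap_filter} -> {f.sensitive}")
```

Point it at the real log (`/var/log/dirsrv/slapd-<instance>/access`) instead of `ACCESS_LOG`. The detection keys on the filter, not on the result count: the report above describes the filter matching against data the binder cannot read, so a RESULT line with `nentries=0` is not by itself a reason to dismiss a flagged search. Expect legitimate hits from administrative binds (the conn=11 entry in the sample); the anonymous ones are the ones to escalate.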