A vulnerability in 389-ds-base was found that allows to bypass limitations for compare and read operations specified by Access Control Instructions. When having LDAP sub-tree with some existing objects and having BIND DN which have no privileges over objects inside the sub-tree, unprivileged user can send LDAP ADD operation specifying an object in (supposedly) inaccessible sub-tree. The returned error messages discloses the information when the queried object exists having the specified value. Attacker can use this flaw to guess values of RDN component by repeating the above process. Upstream commit: https://github.com/389ds/389-ds-base/commit/0b932d4b926d46ac5060f02617330dc444e06da1
Acknowledgments: Name: Petr Spacek (Red Hat), Martin Basti (Red Hat)
Created 389-ds-base tracking bugs for this issue: Affects: fedora-all [bug 1347761] Affects: epel-5 [bug 1347763]
Created attachment 1170018 [details] git patch file (master) -- solves ADD case
(In reply to Adam Mariš from comment #1) > Acknowledgments: > > Name: Petr Spacek (Red Hat) Hi, please add Martin Basti (Red Hat) to Acknowledgments, he was working on the code with me and we have spotted the problem together.
> > Acknowledgments: > > > > Name: Petr Spacek (Red Hat) > > Hi, > > please add Martin Basti (Red Hat) to Acknowledgments, he was working on the > code with me and we have spotted the problem together. Done! --- didn't mean to remove the other needinfo, setting it back
The description should be extended to BIND operation as well.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2016:2594 https://rhn.redhat.com/errata/RHSA-2016-2594.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2016:2765 https://rhn.redhat.com/errata/RHSA-2016-2765.html