Bug 1525628 (CVE-2017-15135) - CVE-2017-15135 389-ds-base: Authentication bypass due to lack of size check in slapi_ct_memcmp function in ch_malloc.c
Summary: CVE-2017-15135 389-ds-base: Authentication bypass due to lack of size check i...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2017-15135
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1535538 1535539 1544415 1544416
Blocks: 1525629
TreeView+ depends on / blocked
 
Reported: 2017-12-13 18:07 UTC by Pedro Sampaio
Modified: 2021-03-11 16:38 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
It was found that 389-ds-base did not always handle internal hash comparison operations correctly during the authentication process. A remote, unauthenticated attacker could potentially use this flaw to bypass the authentication process under very rare and specific circumstances.
Clone Of:
Environment:
Last Closed: 2019-07-12 13:04:35 UTC
Embargoed:


Attachments (Terms of Use)
Updated patch based on tbordaz's comments (10.87 KB, patch)
2018-01-19 01:01 UTC, wibrown@redhat.com
no flags Details | Diff
1.3.6 backport of patch (14.37 KB, patch)
2018-01-30 00:20 UTC, wibrown@redhat.com
no flags Details | Diff


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:0414 0 normal SHIPPED_LIVE Important: 389-ds-base security and bug fix update 2018-03-07 02:46:53 UTC
Red Hat Product Errata RHSA-2018:0515 0 normal SHIPPED_LIVE Important: 389-ds-base security update 2018-03-13 22:36:35 UTC

Description Pedro Sampaio 2017-12-13 18:07:34 UTC
A flaw was found in 389-ds-base that was introduced after CVE-2016-5405 fix. A lack of size check in slapi_ct_memcmp() function may lead to authentication bypass through pre-hashed userPassword attributes under highly specific circumstances.

Comment 1 Pedro Sampaio 2017-12-13 18:07:39 UTC
Acknowledgments:

Name: Martin Poole (Red Hat)

Comment 17 errata-xmlrpc 2018-03-06 21:43:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:0414 https://access.redhat.com/errata/RHSA-2018:0414

Comment 18 errata-xmlrpc 2018-03-13 18:26:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2018:0515 https://access.redhat.com/errata/RHSA-2018:0515

Comment 20 Product Security DevOps Team 2019-07-12 13:04:35 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2017-15135


Note You need to log in before you can comment on or make changes to this bug.