Bug 1905565 (CVE-2020-35518) - CVE-2020-35518 389-ds-base: information disclosure during the binding of a DN
Summary: CVE-2020-35518 389-ds-base: information disclosure during the binding of a DN
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-35518
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1904991 1910941 1918135 1930272 1931182 1946632 1908653 1908705 1923217
Blocks: 1905546 1939997
Reported: 2020-12-08 14:57 UTC by Cedric Buissart
Modified: 2021-04-13 11:24 UTC

Fixed In Version: 389-ds-base 2.0.3, 389-ds-base 1.4.4.13, 389-ds-base 1.4.3.19
Doc Type: If docs needed, set a value
Doc Text:
When binding against a DN during authentication, the reply from 389-ds-base will be different whether the DN exists or not. This can be used by an unauthenticated attacker to check the existence of an entry in the LDAP database.
Clone Of:
Environment:
Last Closed: 2021-04-06 17:35:19 UTC



Links:
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2021:0599 | 0 | None | None | None | 2021-02-16 18:30:29 UTC

Description Cedric Buissart 2020-12-08 14:57:18 UTC
When binding against a DN during authentication, the reply from 389-ds-base will be different whether the DN exists or not. This can be used by an unauthenticated attacker to check the existence of an entry in the LDAP database.
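
The class of flaw described above, as an added example that is not part of the original report and is not 389-ds-base code: a toy bind handler whose failed-bind reply depends on whether the DN exists, next to a form that answers both cases identically, plus a regression check that tells them apart. The page does not say which part of the reply differed; the result codes and messages used here, the sample DNs and all function names are assumptions for illustration.

```python
import hashlib
import hmac
import os

SUCCESS, NO_SUCH_OBJECT, INVALID_CREDENTIALS = 0, 32, 49  # RFC 4511 result codes
KNOWN = "uid=alice,ou=people,dc=example,dc=com"    # constructed sample DNs
UNKNOWN = "uid=nobody,ou=people,dc=example,dc=com"

def _hash(password: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, salt, 10_000)

_SALT = os.urandom(16)
DIRECTORY = {KNOWN: (_SALT, _hash(b"correct horse", _SALT))}  # constructed entry
# Dummy credential checked for unknown DNs so both paths do the same hashing work.
_DUMMY = (os.urandom(16), os.urandom(32))

def bind_leaky(dn: str, password: bytes):
    """Assumed 'before' behaviour: the reply reveals whether the DN exists."""
    entry = DIRECTORY.get(dn)
    if entry is None:
        return NO_SUCH_OBJECT, "No such entry"
    salt, stored = entry
    if hmac.compare_digest(_hash(password, salt), stored):
        return SUCCESS, ""
    return INVALID_CREDENTIALS, "Invalid credentials"

def bind_uniform(dn: str, password: bytes):
    """Hardened form: unknown DN and wrong password give the same reply."""
    entry = DIRECTORY.get(dn)
    salt, stored = entry if entry is not None else _DUMMY
    matched = hmac.compare_digest(_hash(password, salt), stored)
    if matched and entry is not None:
        return SUCCESS, ""
    return INVALID_CREDENTIALS, "Invalid credentials"

def is_existence_oracle(bind, known_dn: str, unknown_dn: str) -> bool:
    """Regression check: True if failed binds are distinguishable by their reply."""
    return bind(known_dn, b"wrong") != bind(unknown_dn, b"wrong")

if __name__ == "__main__":
    print("leaky handler leaks existence:  ", is_existence_oracle(bind_leaky, KNOWN, UNKNOWN))
    print("uniform handler leaks existence:", is_existence_oracle(bind_uniform, KNOWN, UNKNOWN))
```

The check compares reply content only; response timing needs a separate measurement against a real server.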

Comment 4 Cedric Buissart 2020-12-17 09:31:34 UTC
Created 389-ds-base tracking bugs for this issue:

Affects: fedora-all [bug 1908653]

Comment 12 Salvatore Bonaccorso 2021-01-21 21:59:42 UTC
Hi Cedric,

is there by chance an upstream reference for this? Was this already fixed?

Regards,
Salvatore

Comment 13 mreynolds 2021-01-21 22:15:29 UTC
(In reply to Salvatore Bonaccorso from comment #12)
> Hi Cedric,
> 
> is there by chance an upstream reference for this? Was this already fixed?
> 
> Regards,
> Salvatore

This was fixed upstream via: 

https://github.com/389ds/389-ds-base/issues/4480

Comment 14 Salvatore Bonaccorso 2021-01-22 05:23:25 UTC
Hi

(In reply to mreynolds from comment #13)
> (In reply to Salvatore Bonaccorso from comment #12)
> > Hi Cedric,
> > 
> > is there by chance an upstream reference for this? Was this already fixed?
> > 
> > Regards,
> > Salvatore
> 
> This was fixed upstream via: 
> 
> https://github.com/389ds/389-ds-base/issues/4480

Thank you.

Regards,
Salvatore

Comment 15 Cedric Buissart 2021-01-22 08:14:54 UTC
I am not sure this fix is sufficient.
Last time I checked, I could still deduce the existence of an object without authenticating.

Comment 16 thierry bordaz 2021-01-22 08:25:36 UTC
(In reply to Cedric Buissart from comment #15)
> I am not sure this fix is sufficient.
> Last time I checked, I could still deduce the existence of an object without
> authenticating.

Hi Cedric, I think it is. I answered one of the concerns in https://bugzilla.redhat.com/show_bug.cgi?id=1904991#c12. Is it the concern you were thinking of when saying the fix is not sufficient?

Comment 17 errata-xmlrpc 2021-02-16 18:30:27 UTC
This issue has been addressed in the following products:

  Red Hat Directory Server 11.1 for RHEL 8

Via RHSA-2021:0599 https://access.redhat.com/errata/RHSA-2021:0599

Comment 19 errata-xmlrpc 2021-04-06 14:06:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:1086 https://access.redhat.com/errata/RHSA-2021:1086

Comment 20 Product Security DevOps Team 2021-04-06 17:35:19 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-35518

