1905565 – (CVE-2020-35518) CVE-2020-35518 389-ds-base: information disclosure during the binding of a DN

Bug 1905565 (CVE-2020-35518) - CVE-2020-35518 389-ds-base: information disclosure during the binding of a DN

Summary: CVE-2020-35518 389-ds-base: information disclosure during the binding of a DN

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2020-35518
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1904991 1908653 1908705 1910941 1918135 1923217 1930272 1931182 1946632
Blocks:	1905546 1939997
TreeView+	depends on / blocked

Reported:	2020-12-08 14:57 UTC by Cedric Buissart
Modified:	2022-04-17 21:04 UTC (History)
CC List:	12 users (show)
Fixed In Version:	389-ds-base 2.0.3, 389-ds-base 1.4.4.13, 389-ds-base 1.4.3.19
Doc Type:	If docs needed, set a value
Doc Text:	When binding against a DN during authentication, the reply from 389-ds-base will be different whether the DN exists or not. This can be used by an unauthenticated attacker to check the existence of an entry in the LDAP database.
Clone Of:
Environment:
Last Closed:	2021-04-06 17:35:19 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2021:0599	0	None	None	None	2021-02-16 18:30:29 UTC
Red Hat Product Errata	RHSA-2021:2323	0	None	None	None	2021-06-08 22:35:50 UTC

Description Cedric Buissart 2020-12-08 14:57:18 UTC

When binding against a DN during authentication, the reply from 389-ds-base will be different whether the DN exists or not. This can be used by an unauthenticated attacker to check the existence of an entry in the LDAP database.

Comment 4 Cedric Buissart 2020-12-17 09:31:34 UTC

Created 389-ds-base tracking bugs for this issue:

Affects: fedora-all [bug 1908653]

Comment 12 Salvatore Bonaccorso 2021-01-21 21:59:42 UTC

Hi Cedric,

is there by chance an upstrema reference for this? Was this already fixed?

Regards,
Salvatore

Comment 13 mreynolds 2021-01-21 22:15:29 UTC

(In reply to Salvatore Bonaccorso from comment #12)
> Hi Cedric,
> 
> is there by chance an upstrema reference for this? Was this already fixed?
> 
> Regards,
> Salvatore

This was fixed upstream via: 

https://github.com/389ds/389-ds-base/issues/4480

Comment 14 Salvatore Bonaccorso 2021-01-22 05:23:25 UTC

Hi

(In reply to mreynolds from comment #13)
> (In reply to Salvatore Bonaccorso from comment #12)
> > Hi Cedric,
> > 
> > is there by chance an upstrema reference for this? Was this already fixed?
> > 
> > Regards,
> > Salvatore
> 
> This was fixed upstream via: 
> 
> https://github.com/389ds/389-ds-base/issues/4480

Thank you.

Regards,
Salvatore

Comment 15 Cedric Buissart 2021-01-22 08:14:54 UTC

I am not sure this fix is sufficient.
Last time I checked, I could still deduce the existence of an object without authenticating.

Comment 16 thierry bordaz 2021-01-22 08:25:36 UTC

(In reply to Cedric Buissart from comment #15)
> I am not sure this fix is sufficient.
> Last time I checked, I could still deduce the existence of an object without
> authenticating.

Hi Cedric, I think it is. I answered one of the concern https://bugzilla.redhat.com/show_bug.cgi?id=1904991#c12. Is it the concern your were thinking of when saying the fix is not sufficient ?

Comment 17 errata-xmlrpc 2021-02-16 18:30:27 UTC

This issue has been addressed in the following products:

  Red Hat Directory Server 11.1 for RHEL 8

Via RHSA-2021:0599 https://access.redhat.com/errata/RHSA-2021:0599

Comment 18 Cedric Buissart 2021-02-24 17:17:11 UTC

List of upstream fixes :
https://github.com/389ds/389-ds-base/commit/cc0f69283abc082488824702dae485b8eae938bc
https://github.com/389ds/389-ds-base/commit/b6aae4d8e7c8a6ddd21646f94fef1bf7f22c3f32

Comment 19 errata-xmlrpc 2021-04-06 14:06:24 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:1086 https://access.redhat.com/errata/RHSA-2021:1086

Comment 20 Product Security DevOps Team 2021-04-06 17:35:19 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-35518

Comment 22 errata-xmlrpc 2021-04-19 09:54:28 UTC

This issue has been addressed in the following products:

  Red Hat Directory Server 11.2 for RHEL 8

Via RHSA-2021:1243 https://access.redhat.com/errata/RHSA-2021:1243

Comment 23 errata-xmlrpc 2021-04-19 15:49:49 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:1258 https://access.redhat.com/errata/RHSA-2021:1258

Comment 24 errata-xmlrpc 2021-06-08 22:35:49 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:2323 https://access.redhat.com/errata/RHSA-2021:2323

Note You need to log in before you can comment on or make changes to this bug.