Bug 1982782 (CVE-2021-3652) - CVE-2021-3652 389-ds-base: CRYPT password hash with asterisk allows any bind attempt to succeed
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-3652
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1982789 1981833 1982786 1982787 1982788 1983121 1993277 2005432
Blocks: 1983219 1982754
Reported: 2021-07-15 17:12 UTC by Cedric Buissart
Modified: 2021-10-25 06:36 UTC
CC List: 6 users

Fixed In Version: 389-ds-base 2.0.7
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in 389-ds-base. If an asterisk is imported as a password hash, either accidentally or maliciously, then instead of the account being inactive, any password will successfully match during authentication. This flaw allows an attacker to authenticate as a user whose password was disabled.
Clone Of:
Environment:
Last Closed: 2021-08-10 19:28:38 UTC
Links
System                  ID              Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHSA-2021:3079  0        None      None    None     2021-08-10 13:59:33 UTC
Red Hat Product Errata  RHSA-2021:3807  0        None      None    None     2021-10-12 15:30:43 UTC
Red Hat Product Errata  RHSA-2021:3906  0        None      None    None     2021-10-19 06:53:47 UTC
Red Hat Product Errata  RHSA-2021:3955  0        None      None    None     2021-10-25 06:36:13 UTC

Description Cedric Buissart 2021-07-15 17:12:44 UTC
It was found that invalid password hashes were not correctly handled by 389-ds-base.

An asterisk, '*', is a method that can be used in a NIS database, or in /etc/shadow, to disable an account's password. As a result of the flaw, if an LDAP admin imports such an account from a NIS or /etc/shadow database into Directory Server, any password will be valid for that account.

Reference: https://github.com/389ds/389-ds-base/issues/4817
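The following C example is added here as an illustration and is not code from 389-ds-base, from the linked issue, or from this bug report. It shows the hardened shape of a crypt-style password check against the flaw described above: a stored value of '*' (or '!') is a lock marker from /etc/shadow or NIS, not a hash, so it must be rejected before crypt() is ever called, and the comparison must require the full output length. A comparison limited to the stored value's length is one way a '*' entry can match any password; that mechanism is my assumption about the pre-fix logic, not something this page states, and crypt_pw_cmp_naive() below is my reconstruction of that shape, not the project's code. toy_crypt() is a constructed stand-in for crypt_r(), not the real libcrypt function, chosen so the block runs without linking libcrypt; it mimics libxcrypt's convention of returning the failure token "*0" for an invalid setting.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TOY_HASH_LEN 10 /* 2 salt chars + 8 hex digits */

/* Constructed stand-in for crypt_r(), NOT the real libcrypt function.
 * An invalid setting (empty, or starting with '*') yields the failure
 * token "*0", as libxcrypt does. A valid setting yields
 * "<salt[0]><salt[1]><fnv1a-hex8>" over the salt and the password.
 * `out` must hold at least TOY_HASH_LEN + 1 bytes. */
static const char *toy_crypt(const char *pw, const char *setting, char *out)
{
    if (setting == NULL || setting[0] == '\0' || setting[0] == '*') {
        strcpy(out, "*0");
        return out;
    }
    if (strlen(setting) < 2)
        return NULL;
    uint32_t h = 2166136261u;
    for (int i = 0; i < 2; i++) { h ^= (unsigned char)setting[i]; h *= 16777619u; }
    for (const char *p = pw; *p; p++) { h ^= (unsigned char)*p; h *= 16777619u; }
    snprintf(out, TOY_HASH_LEN + 1, "%c%c%08x", setting[0], setting[1], (unsigned)h);
    return out;
}

/* Assumed shape of the vulnerable check (my reconstruction, not the
 * project's code): only strlen(dbpwd) bytes of crypt()'s output are
 * compared, so a stored "*" matches the failure token "*0" for any password. */
int crypt_pw_cmp_naive(const char *userpwd, const char *dbpwd)
{
    char out[TOY_HASH_LEN + 1];
    const char *cp = toy_crypt(userpwd, dbpwd, out);
    if (cp == NULL)
        return -1;
    return memcmp(dbpwd, cp, strlen(dbpwd)) == 0 ? 0 : -1;
}

/* Constant-time byte comparison: returns 0 only if all n bytes are equal. */
static int ct_memcmp(const void *a, const void *b, size_t n)
{
    const unsigned char *x = a, *y = b;
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(x[i] ^ y[i]);
    return diff;
}

/* Hardened check: 0 on match, -1 otherwise. */
int crypt_pw_cmp_hardened(const char *userpwd, const char *dbpwd)
{
    char out[TOY_HASH_LEN + 1];
    size_t dblen = dbpwd ? strlen(dbpwd) : 0;
    /* '*' and '!' are the lock markers /etc/shadow and NIS use for a
     * disabled password; they are not hashes and must never match. */
    if (dblen == 0 || dbpwd[0] == '*' || dbpwd[0] == '!')
        return -1;
    const char *cp = toy_crypt(userpwd, dbpwd, out);
    /* crypt()'s failure token also starts with '*': treat it as no match. */
    if (cp == NULL || cp[0] == '*')
        return -1;
    /* Lengths must match exactly; a prefix match is not a match. */
    if (strlen(cp) != dblen)
        return -1;
    return ct_memcmp(dbpwd, cp, dblen) == 0 ? 0 : -1;
}

/* Hash stored_pw with a fixed salt, then verify `attempt` against it. */
int verify_against_fresh_hash(const char *stored_pw, const char *attempt)
{
    char buf[TOY_HASH_LEN + 1];
    const char *stored = toy_crypt(stored_pw, "ab", buf);
    return crypt_pw_cmp_hardened(attempt, stored);
}

int main(void)
{
    printf("naive,    stored '*', password 'anything': %s\n",
           crypt_pw_cmp_naive("anything", "*") == 0 ? "MATCH (the flaw)" : "no match");
    printf("hardened, stored '*', password 'anything': %s\n",
           crypt_pw_cmp_hardened("anything", "*") == 0 ? "MATCH" : "no match");
    printf("hardened, real hash, correct password:     %s\n",
           verify_against_fresh_hash("secret", "secret") == 0 ? "match" : "no match");
    return 0;
}
```

The order of the checks matters: the lock marker is rejected before hashing so that no crypt() output, whatever its failure convention, can be compared against it, and the length check closes the prefix case for any other short or malformed stored value.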

Comment 1 Cedric Buissart 2021-07-15 17:25:29 UTC
Created 389-ds-base tracking bugs for this issue:

Affects: fedora-all [bug 1982786]

Comment 9 errata-xmlrpc 2021-08-10 13:59:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:3079 https://access.redhat.com/errata/RHSA-2021:3079

Comment 10 Product Security DevOps Team 2021-08-10 19:28:38 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3652

Comment 11 errata-xmlrpc 2021-10-12 15:30:42 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:3807 https://access.redhat.com/errata/RHSA-2021:3807

Comment 12 errata-xmlrpc 2021-10-19 06:53:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:3906 https://access.redhat.com/errata/RHSA-2021:3906

Comment 13 errata-xmlrpc 2021-10-25 06:36:12 UTC
This issue has been addressed in the following products:

  Red Hat Directory Server 11.4 for RHEL 8

Via RHSA-2021:3955 https://access.redhat.com/errata/RHSA-2021:3955
