Bug 2091781 (CVE-2022-1949) - CVE-2022-1949 389-ds-base: access control bypass by query (filter in LDAP terms) optimiser
Summary: CVE-2022-1949 389-ds-base: access control bypass by query (filter in LDAP ter...
Keywords:
Status: NEW
Alias: CVE-2022-1949
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2091787 2091788 2091790 2091792 2091793 2091786 2091791
Blocks: 2091784
TreeView+ depends on / blocked
 
Reported: 2022-05-31 04:00 UTC by Sandipan Roy
Modified: 2022-06-07 08:01 UTC (History)
9 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the 389-ds-base package where some LDAP queries can cause performance issues. This flaw allows an attacker to send a non-optimal search that causes serious performance issues within the directory server.
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)

Description Sandipan Roy 2022-05-31 04:00:00 UTC
mishandling of the filter that would yield incorrect results, but as that has progressed, we have determined that it actually is an access control bypass. This may allow any remote un-authenticated user to issue a filter that allows searching for database items they do not have access to, including but not limited to potentially userPassword hashes and other sensitive data.


https://github.com/389ds/389-ds-base/issues/5170

Comment 1 Sandipan Roy 2022-05-31 04:20:31 UTC
Created 389-ds-base tracking bugs for this issue:

Affects: fedora-34 [bug 2091786]
Affects: fedora-35 [bug 2091787]
Affects: fedora-36 [bug 2091788]

Comment 2 William Brown 2022-05-31 04:33:25 UTC
Hi there, thanks for creating this! 

It's worth pointing out that since this was found, we have a working (public) reproducer, and that it may be possible to use this to extract userPassword hashes, private keys, kerberos master keys (freeipa). I think the access complexity may also have dropped as a result of this.

Additionally, this affects all versions of 389-ds from 1.3.x onwards. 

Hope that helps,

There are patches upstream: see: https://github.com/389ds/389-ds-base/issues/5170#issuecomment-1140630971


Note You need to log in before you can comment on or make changes to this bug.