Bug 1793071 (CVE-2020-1722) - CVE-2020-1722 ipa: No password length restriction leads to denial of service
Summary: CVE-2020-1722 ipa: No password length restriction leads to denial of service
Keywords:
Status: NEW
Alias: CVE-2020-1722
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1802408 1802409 1823621
Blocks: 1780457
TreeView+ depends on / blocked
 
Reported: 2020-01-20 15:47 UTC by Dhananjay Arunesh
Modified: 2020-05-22 08:52 UTC (History)
14 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in IPA. When sending a very long password (>= 1,000,000 characters) to the server, the password hashing process could exhaust memory and CPU leading to a denial of service and the website becoming unresponsive. The highest threat from this vulnerability is to system availability.
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Fedora Pagure freeipa issue 8268 None None None 2020-04-14 07:27:53 UTC

Description Dhananjay Arunesh 2020-01-20 15:47:11 UTC
A vulnerability was found in IPA, where by sending a very long password (1.000.000 characters) it's possible to cause a denial a service attack on the server. This may lead to the website becoming unavailable or unresponsive. Usually, this problem is caused by a vulnerable password hashing implementation. When a long password is sent, the password hashing process will result in CPU and memory exhaustion.

Comment 14 Huzaifa S. Sidhpurwala 2020-04-14 04:27:03 UTC
Acknowledgments:

Name: Pritam Singh (Red Hat)

Comment 15 Huzaifa S. Sidhpurwala 2020-04-14 04:27:35 UTC
Created freeipa tracking bugs for this issue:

Affects: fedora-all [bug 1823621]

Comment 16 Alexander Bokovoy 2020-04-14 07:27:53 UTC
Link FreeIPA issue 8268 here: https://pagure.io/freeipa/issue/8268 

FreeIPA team agrees with Red Hat Security Response Team assessment that this is a low severity, low priority issue. 
The fix will be merged into FreeIPA upstream but no separate release will be done.


Note You need to log in before you can comment on or make changes to this bug.