Bug 1982782 (CVE-2021-3652) - CVE-2021-3652 389-ds-base: CRYPT password hash with asterisk allows any bind attempt to succeed
Summary: CVE-2021-3652 389-ds-base: CRYPT password hash with asterisk allows any bind ...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-3652
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1981833 1982786 1982787 1982788 1982789 1983121 1993277 2005432
Blocks: 1982754 1983219
TreeView+ depends on / blocked
 
Reported: 2021-07-15 17:12 UTC by Cedric Buissart
Modified: 2022-11-29 04:29 UTC (History)
6 users (show)

Fixed In Version: 389-ds-base 2.0.7
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in 389-ds-base. If an asterisk is imported as password hashes, either accidentally or maliciously, then instead of being inactive, any password will successfully match during authentication. This flaw allows an attacker to successfully authenticate as a user whose password was disabled.
Clone Of:
Environment:
Last Closed: 2021-08-10 19:28:38 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:3079 0 None None None 2021-08-10 13:59:33 UTC
Red Hat Product Errata RHSA-2021:3807 0 None None None 2021-10-12 15:30:43 UTC
Red Hat Product Errata RHSA-2021:3906 0 None None None 2021-10-19 06:53:47 UTC
Red Hat Product Errata RHSA-2021:3955 0 None None None 2021-10-25 06:36:13 UTC

Description Cedric Buissart 2021-07-15 17:12:44 UTC 
It was found that invalid password hashes were not correctly handled by 389-ds-base.

Asterisks, '*', is a method that can be used in NIS database, or /etc/shadow, to disable an account's password. As a result of the flaw, if an LDAP admin imports such an account from a NIS or /etc/shadow database into Directory Server, any password will be valid for that account.

Reference : https://github.com/389ds/389-ds-base/issues/4817
Comment 1 Cedric Buissart 2021-07-15 17:25:29 UTC 
Created 389-ds-base tracking bugs for this issue:

Affects: fedora-all [bug 1982786]
Comment 7 Cedric Buissart 2021-07-28 14:48:23 UTC 
Upstream fix : 
https://github.com/389ds/389-ds-base/commit/aeb90eb0c41fc48541d983f323c627b2e6c328c7
Comment 9 errata-xmlrpc 2021-08-10 13:59:31 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:3079 https://access.redhat.com/errata/RHSA-2021:3079
Comment 10 Product Security DevOps Team 2021-08-10 19:28:38 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3652
Comment 11 errata-xmlrpc 2021-10-12 15:30:42 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:3807 https://access.redhat.com/errata/RHSA-2021:3807
Comment 12 errata-xmlrpc 2021-10-19 06:53:46 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:3906 https://access.redhat.com/errata/RHSA-2021:3906
Comment 13 errata-xmlrpc 2021-10-25 06:36:12 UTC 
This issue has been addressed in the following products:

  Red Hat Directory Server 11.4 for RHEL 8

Via RHSA-2021:3955 https://access.redhat.com/errata/RHSA-2021:3955
Note You need to log in before you can comment on or make changes to this bug.