2091781 – (CVE-2022-1949) CVE-2022-1949 389-ds-base: access control bypass by query (filter in LDAP terms) optimiser

Bug 2091781 (CVE-2022-1949) - CVE-2022-1949 389-ds-base: access control bypass by query (filter in LDAP terms) optimiser

Summary: CVE-2022-1949 389-ds-base: access control bypass by query (filter in LDAP ter...

Keywords:
Status:	NEW
Alias:	CVE-2022-1949
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2091786 2091787 2091788 Red Hat2091790 Red Hat2091791 Red Hat2091792 Red Hat2091793
Blocks:	Embargoed2091784
TreeView+	depends on / blocked

Reported:	2022-05-31 04:00 UTC by Sandipan Roy
Modified:	2023-03-03 01:02 UTC (History)
CC List:	9 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in the 389-ds-base package where some LDAP queries can cause performance issues. This flaw allows an attacker to send a non-optimal search that causes serious performance issues within the directory server.
Clone Of:
Environment:
Last Closed:

Attachments	(Terms of Use)

Description Sandipan Roy 2022-05-31 04:00:00 UTC

mishandling of the filter that would yield incorrect results, but as that has progressed, we have determined that it actually is an access control bypass. This may allow any remote un-authenticated user to issue a filter that allows searching for database items they do not have access to, including but not limited to potentially userPassword hashes and other sensitive data.


https://github.com/389ds/389-ds-base/issues/5170

Comment 1 Sandipan Roy 2022-05-31 04:20:31 UTC

Created 389-ds-base tracking bugs for this issue:

Affects: fedora-34 [bug 2091786]
Affects: fedora-35 [bug 2091787]
Affects: fedora-36 [bug 2091788]

Comment 2 William Brown 2022-05-31 04:33:25 UTC

Hi there, thanks for creating this! 

It's worth pointing out that since this was found, we have a working (public) reproducer, and that it may be possible to use this to extract userPassword hashes, private keys, kerberos master keys (freeipa). I think the access complexity may also have dropped as a result of this.

Additionally, this affects all versions of 389-ds from 1.3.x onwards. 

Hope that helps,

There are patches upstream: see: https://github.com/389ds/389-ds-base/issues/5170#issuecomment-1140630971

Note You need to log in before you can comment on or make changes to this bug.