Bug 2173517 (CVE-2023-1055) - CVE-2023-1055 RHDS: LDAP browser tries to decode userPassword instead of userCertificate attribute
Keywords:
Status: NEW
Alias: CVE-2023-1055
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2173628 2173629 2173675 2173676 2173829 2173830 2177929 2177930 2178131 2178135 2178157
Blocks: 2173182 2173596
Reported: 2023-02-27 07:52 UTC by Borja Tarraso
Modified: 2023-08-15 14:11 UTC

Fixed In Version:
Doc Type: ---
Doc Text:
A flaw was found in RHDS 11 and 12. While browsing entries, the LDAP browser tries to decode the userPassword attribute instead of the userCertificate attribute, which could lead to sensitive information being leaked. This issue could allow an attacker with a local account on a host running cockpit-389-ds to list processes and display hashed passwords. The highest threat is to data confidentiality.
Clone Of:
Environment:
Last Closed:
Embargoed:


Links
Red Hat Product Errata RHSA-2023:3489 (last updated 2023-06-06 13:05:47 UTC)
Red Hat Product Errata RHSA-2023:4655 (last updated 2023-08-15 14:11:52 UTC)

Description Borja Tarraso 2023-02-27 07:52:53 UTC
In RHDS 11 and 12, while browsing entries, the LDAP Browser tries to decode a user certificate on the server, but instead of decoding a userCertificate attribute, it tries to decode the userPassword attribute. This leaks a hashed password in the process list as an argument.

The possible issue is caused by the showCertificate() function that does the decoding here:
https://github.com/389ds/389-ds-base/blob/c69f2691bb9c3933c1ff3f81139011fc7d66b0aa/src/cockpit/389-console/src/lib/ldap_editor/lib/utils.jsx#L989-L997

This code is present in all versions of RHDS that ship LDAP Browser (12.0, 12.1 and 11.5, 11.6).

Comment 3 Borja Tarraso 2023-02-27 15:42:32 UTC
Created 389-ds-base tracking bugs for this issue:

Affects: fedora-36 [bug 2173675]
Affects: fedora-37 [bug 2173676]

Comment 5 errata-xmlrpc 2023-06-06 13:05:44 UTC
This issue has been addressed in the following products:

  Red Hat Directory Server 12.1 for RHEL 9

Via RHSA-2023:3489 https://access.redhat.com/errata/RHSA-2023:3489

Comment 8 errata-xmlrpc 2023-08-15 14:11:51 UTC
This issue has been addressed in the following products:

  Red Hat Directory Server 11.6 for RHEL 8

Via RHSA-2023:4655 https://access.redhat.com/errata/RHSA-2023:4655