RHEL / RHEL-65664

LDAP unprotected search query during certificate based authentication

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Normal
    • Affects Version: rhel-9.6
    • Component: 389-ds-base
    • Severity: Low
    • Team: rhel-sst-idm-ds
      Description of problem:

      During certificate-based client authentication, certmap may be configured to use the user certificate's subjectDN to look for a match. The subjectDN is, however, not escaped and may be used to sabotage the search.

      In certain circumstances, it may prevent a certificate from authenticating properly (e.g. if the subjectDN contains a legitimate `*`, the filter might match several users, and authentication fails altogether).

      This is not considered a security flaw, since it still requires the certificate to have been signed by a trusted CA.

      Version-Release number of selected component (if applicable): all

      How reproducible: 100%

      Steps to Reproduce:
      1. Enable cert-based auth, and configure certmap so that it uses the subject to match.
      e.g.:

      ```
      default:CmapLdapAttr nsCertSubjectDN
      ```
      2. Create a user with an `nsCertSubjectDN` attribute.
      3. Create a certificate with a subject containing a `*`.

      Actual results:

      The certificate matches the user.

      Expected results:

      No match, since the subject is actually different.

      Additional info:

      Lines 775 & 778

      ```c
      748 static int
      749 ldapu_cert_searchfn_default(void *cert, LDAP *ld, void *certmap_info_in, const char *basedn, const char *dn, const char *filter, const char **attrs, LDAPMessage ***res)
      750 {
      751     int rv = LDAPU_FAILED;
      752     const char *ldapdn;
      753     LDAPUCertMapInfo_t *certmap_info = (LDAPUCertMapInfo_t *)certmap_info_in;
      754     LDAPMessage *single_res = NULL;
      755     LDAPMessage **multiple_res = NULL;
      756
      757
      758     if (certmap_info && certmap_info->searchAttr) {
      759         char *subjectDN = 0;
      760         char *certFilter = 0;
      761         int len;
      762
      763         rv = ldapu_get_cert_subject_dn(cert, &subjectDN);
      764
      765         if (rv != LDAPU_SUCCESS || !subjectDN) {
      766             return rv;
      767         }
      768         len = strlen(certmap_info->searchAttr) + strlen(subjectDN) +
      769               strlen("=") + 1;
      770         certFilter = (char *)ldapu_malloc(len * sizeof(char));
      771         if (!certFilter) {
      772             free(subjectDN);
      773             return LDAPU_ERR_OUT_OF_MEMORY;
      774         }
      775         sprintf(certFilter, "%s=%s", certmap_info->searchAttr, subjectDN); // <= The filter doesn't protect subjectDN
      776         free(subjectDN);
      777         if (ldapu_strcasecmp(basedn, "")) {
      778             rv = ldapu_find(ld, basedn, LDAP_SCOPE_SUBTREE, certFilter, attrs, 0, &single_res);
      779             ldapu_free((void *)certFilter);
      780             if (rv == LDAPU_SUCCESS || rv == LDAPU_ERR_MULTIPLE_MATCHES) {
      ```
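
      As an added illustration (not code from 389-ds-base or from the reporter), the C program below contrasts the filter construction at line 775 with a variant that escapes the subject DN per RFC 4515 before it enters the filter. The function names (`ldap_filter_escape`, `build_certmap_filter_unsafe`, `build_certmap_filter_safe`, `filter_has_raw_wildcard`) and the sample subject `CN=*,O=Example Corp` are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Escape an assertion value for use inside an LDAP search filter (RFC 4515,
 * section 3): '*', '(', ')' and '\' are replaced with their \XX hex form, as
 * are control and non-ASCII bytes. Returns a malloc'd string the caller
 * frees, or NULL on allocation failure. A NUL byte cannot occur in a C
 * string, so it is not handled here. */
char *ldap_filter_escape(const char *in)
{
    static const char hex[] = "0123456789abcdef";
    size_t n = strlen(in);
    char *out = malloc(n * 3 + 1); /* worst case: every byte becomes \XX */
    char *p = out;
    if (!out)
        return NULL;
    for (const unsigned char *s = (const unsigned char *)in; *s; s++) {
        if (*s == '*' || *s == '(' || *s == ')' || *s == '\\' || *s < 0x20 || *s >= 0x80) {
            *p++ = '\\';
            *p++ = hex[*s >> 4];
            *p++ = hex[*s & 0x0f];
        } else {
            *p++ = (char)*s;
        }
    }
    *p = '\0';
    return out;
}

/* Same shape as the sprintf at line 775 of the excerpt: the subject DN goes
 * into the filter verbatim, so a '*' in the certificate subject turns the
 * equality match into a substring (wildcard) match. */
char *build_certmap_filter_unsafe(const char *search_attr, const char *subject_dn)
{
    size_t len = strlen(search_attr) + strlen(subject_dn) + strlen("=") + 1;
    char *filter = malloc(len);
    if (!filter)
        return NULL;
    snprintf(filter, len, "%s=%s", search_attr, subject_dn);
    return filter;
}

/* Hardened variant: escape the subject DN first so every byte of it is
 * matched literally and the filter stays an equality match on the whole DN. */
char *build_certmap_filter_safe(const char *search_attr, const char *subject_dn)
{
    char *escaped = ldap_filter_escape(subject_dn);
    char *filter;
    if (!escaped)
        return NULL;
    filter = build_certmap_filter_unsafe(search_attr, escaped); /* input is now inert */
    free(escaped);
    return filter;
}

/* 1 if the filter still contains a raw '*' (it would parse as a substring
 * filter rather than an equality match), else 0. */
int filter_has_raw_wildcard(const char *filter)
{
    return strchr(filter, '*') != NULL;
}

int main(void)
{
    /* Constructed sample: a subject that legitimately contains a '*'. */
    const char *subject = "CN=*,O=Example Corp";
    char *unsafe = build_certmap_filter_unsafe("nsCertSubjectDN", subject);
    char *safe = build_certmap_filter_safe("nsCertSubjectDN", subject);

    if (!unsafe || !safe) {
        free(unsafe);
        free(safe);
        return 1;
    }
    printf("unescaped: (%s)  wildcard=%d\n", unsafe, filter_has_raw_wildcard(unsafe));
    printf("escaped:   (%s)  wildcard=%d\n", safe, filter_has_raw_wildcard(safe));
    free(unsafe);
    free(safe);
    return 0;
}
```

      With the escaped form the `*` is sent as `\2a` and the search can only hit an entry whose `nsCertSubjectDN` contains the literal asterisk, which is the "no match" outcome the Expected results above ask for. OpenLDAP's libldap ships `ldap_bv2escaped_filter_value()` for the same purpose if the code base already links against it; the hand-rolled escaper here only exists so the example runs stand-alone.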

      People: IdM DS Dev (idm-ds-dev-bugs), Cedric Buissart (rhn-support-cbuissar), IdM DS Dev, IdM DS QE, Evgenia Martyniuk