A flaw was found in 389-ds-base. If an asterisk is imported as password hashes, either accidentally or maliciously, then instead of being inactive, any password will successfully match during authentication. This flaw allows an attacker to successfully authenticate as a user whose password was disabled.
Weakness
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| 389-ds-base | Port389 | * | 2.0.7 (excluding) |
| Red Hat Directory Server 11.4 for RHEL 8 | RedHat | redhat-ds:11-8050020210920153716.d3df4063 | * |
| Red Hat Enterprise Linux 7 | RedHat | 389-ds-base-0:1.3.10.2-13.el7_9 | * |
| Red Hat Enterprise Linux 8 | RedHat | 389-ds:1.4-8040020210721074904.96015a92 | * |
| Red Hat Enterprise Linux 8.2 Extended Update Support | RedHat | 389-ds:1.4-8020020210819193832.dbc46ba7 | * |
| 389-ds-base | Ubuntu | upstream | * |
Potential Mitigations
Related Attack Patterns
- https://cwe.mitre.org/data/definitions/114.html
- https://cwe.mitre.org/data/definitions/115.html
- https://cwe.mitre.org/data/definitions/151.html
- https://cwe.mitre.org/data/definitions/194.html
- https://cwe.mitre.org/data/definitions/22.html
- https://cwe.mitre.org/data/definitions/57.html
- https://cwe.mitre.org/data/definitions/593.html
- https://cwe.mitre.org/data/definitions/633.html
- https://cwe.mitre.org/data/definitions/650.html
- https://cwe.mitre.org/data/definitions/94.html
References
- https://bugzilla.redhat.com/show_bug.cgi?id=1982782
- https://github.com/389ds/389-ds-base/issues/4817
- https://lists.debian.org/debian-lts-announce/2023/04/msg00026.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1982782
- https://github.com/389ds/389-ds-base/issues/4817
- https://lists.debian.org/debian-lts-announce/2023/04/msg00026.html
- https://lists.debian.org/debian-lts-announce/2025/01/msg00015.html