#49336 Locked account provides different return code if password is correct
Closed: fixed 2 years ago Opened 2 years ago by firstyear.

The directory server password lockout policy prevents binds from operating once a threshold of failed passwords has been met. During this lockout, if you bind with a successful password, a different error code is returned. This means that an attacker has no ratelimit or penalty during an account lock, and can continue to attempt passwords via bruteforce.

Proof of concept:

ldapwhoami -H ldap://localhost -x -D 'uid=testuser,dc=example,dc=com' -w password
dn: uid=testuser,dc=example,dc=com

Bind with invalid credentials a number of times to trigger the lockout:

ldapwhoami -H ldap://localhost -x -D 'uid=testuser,dc=example,dc=com' -w passworda
ldap_bind: Invalid credentials (49)

Then bind with valid credentials while the lockout is in effect:

ldapwhoami -H ldap://localhost -x -D 'uid=testuser,dc=example,dc=com' -w password
ldap_bind: Constraint violation (19)
        additional info: Exceed password retry limit. Please try later.

Workaround: Use PBKDF2_SHA256 to delay the rate at which an attacker can attempt binds. Limit the number of threads allowed to anonymous.
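As an added illustration (not code from this ticket or from 389-ds-base), the following Python models the two orderings of the password check and the lockout check, and a regression check that flags the oracle described above. The lockout threshold, the constructed account and the hardened ordering are assumptions for the model, not the project's implementation.

```python
# Added example: models the check ordering behind ticket 49336 and a
# regression check for it. Not 389-ds-base code; values are constructed.
from dataclasses import dataclass

SUCCESS = 0
CONSTRAINT_VIOLATION = 19  # "Exceed password retry limit" during lockout
INVALID_CREDENTIALS = 49   # ldap_bind: Invalid credentials


@dataclass
class Account:
    password: str
    failures: int = 0
    lockout_threshold: int = 3  # assumed policy value

    @property
    def locked(self) -> bool:
        return self.failures >= self.lockout_threshold


def bind_vulnerable(acct: Account, candidate: str) -> int:
    """Vulnerable ordering: the password is verified before the lockout
    check, so a locked account still answers 49 for a wrong password
    and 19 for the right one, which is the oracle in the report."""
    if candidate != acct.password:
        acct.failures += 1
        return INVALID_CREDENTIALS
    if acct.locked:
        return CONSTRAINT_VIOLATION
    acct.failures = 0
    return SUCCESS


def bind_fixed(acct: Account, candidate: str) -> int:
    """Hardened ordering (assumed shape of the fix): the lockout is
    checked first and the same code is returned whatever was sent."""
    if acct.locked:
        return CONSTRAINT_VIOLATION
    if candidate != acct.password:
        acct.failures += 1
        return INVALID_CREDENTIALS
    acct.failures = 0
    return SUCCESS


def leaks_during_lockout(bind, threshold: int = 3) -> bool:
    """Regression check: lock a constructed account, then compare the
    result codes for a wrong and a correct password. Any difference
    means the lockout leaks password validity."""
    acct = Account(password="password", lockout_threshold=threshold)
    for _ in range(threshold):
        bind(acct, "passworda")  # constructed wrong guesses, as in the report
    assert acct.locked
    return bind(acct, "passwordb") != bind(acct, "password")
```

The same comparison can be run against a live server in a test suite: bind with a known-wrong and the known-correct password while the account is locked and assert the two result codes are equal.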



Metadata Update from @firstyear:
- Issue assigned to firstyear
- Issue priority set to: critical
- Issue tagged with: Security

2 years ago

0001-Ticket-49336-SECURITY-Locked-account-provides-differ.patch

Passes all password tests: 28 passed in 165.95 seconds

Metadata Update from @firstyear:
- Custom field reviewstatus adjusted to review (was: None)

2 years ago

The patch looks good to me. Ack

Metadata Update from @tbordaz:
- Custom field reviewstatus adjusted to ack (was: review)

2 years ago

commit 33db32a
To ssh://git@pagure.io/389-ds-base.git
58c4f95..33db32a master -> master

0001-Ticket-49336-SECURITY-1.2.11.x-Locked-account-provid.patch

I'll need some help testing this one from @vashirov or @spichugi as I have some issues with the 1.2.x env setup :(

0001-Ticket-49336-SECURITY-1.3.5.x-Locked-account-provide.patch

Passes the security test.

0001-Ticket-49336-SECURITY-Locked-account-provides-differ.patch

This is the 1.3.6 patch.

Metadata Update from @firstyear:
- Custom field reviewstatus adjusted to review (was: ack)

2 years ago

Test passed for the scratch build:
https://vashirov.fedorapeople.org/share/report-1.2.11.15-92.html

Thanks @vashirov you are a legend.

@tbordaz can you check the backports? Are you okay for me to add these to the listed versions?

Ack on the 1.3.5 & 1.3.6 backport (we need to get the 1.3.6 patch pushed ASAP). And I'm not sure we need the 1.2.11 patch.

Pushed the 1.3.6 patch:

c903f66..95b39e2 389-ds-base-1.3.6 -> 389-ds-base-1.3.6

Thanks @mreynolds I'll push the 1.3.5 and master patches now.

commit 4cce166
To ssh://git@pagure.io/389-ds-base.git
faaa62c..4cce166 389-ds-base-1.3.5 -> 389-ds-base-1.3.5

Metadata Update from @firstyear:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

2 years ago
