adamwill / 389-ds-base

Forked from 389-ds-base 4 years ago

4cce166 Ticket 49336 - SECURITY 1.3.5.x: Locked account provides different return code

Authored and Committed by William Brown 6 years ago
    Ticket 49336 - SECURITY 1.3.5.x: Locked account provides different return code
    
    Backport to 1.3.5.x
    
    Bug Description:  The directory server password lockout policy prevents binds
     from operating once a threshold of failed passwords has been met. During
     this lockout, if you bind with a successful password, a different error code
     is returned. This means that an attacker has no rate limit or penalty during
     an account lock, and can continue to attempt passwords via bruteforce, using
     the change in return code to ascertain a successful password auth.
    
    Fix Description:  Move the account lock check *before* the password bind
    check. If the account is locked, we do not mind disclosing this, as the
    attacker will either ignore it (and will not bind anyway), or they will
    be forced to back off as the attack is not working, preventing the
    bruteforce.
    
    https://pagure.io/389-ds-base/issue/49336
    
    Author: wibrown
    
    Review by: mreynolds (thanks)
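The ordering problem described in the commit message, shown as an added example in plain C. This is not code from 389-ds-base and does not reproduce the patch itself (the diff is not on this page); it models a bind handler with a failure counter and lockout threshold, once with the password check ahead of the lock check (the pre-fix order) and once with the lock check first (the post-fix order), then brute-forces a locked account to see whether the result codes distinguish the real password. The account, threshold, passwords and the numeric result codes (LDAP invalidCredentials = 49, constraintViolation = 19 for the lockout path) are constructed for the demo and are assumptions, not the server's actual values.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed result codes, modelled on LDAP result codes; which code the real
 * server returns on lockout is not stated on this page. */
enum bind_result {
    BIND_SUCCESS = 0,
    BIND_CONSTRAINT_VIOLATION = 19, /* lockout path */
    BIND_INVALID_CREDENTIALS = 49   /* wrong password */
};

/* Constructed account record; plaintext password only for the demo. */
struct account {
    const char *dn;
    const char *password;
    int failed_attempts;
    int lockout_threshold;
    bool locked;
};

typedef enum bind_result (*bind_fn)(struct account *, const char *);

static bool password_matches(const struct account *a, const char *candidate) {
    return strcmp(a->password, candidate) == 0;
}

/* Count a failure and trip the lock once the policy threshold is reached. */
static void record_failure(struct account *a) {
    a->failed_attempts++;
    if (a->failed_attempts >= a->lockout_threshold)
        a->locked = true;
}

/* Pre-fix order: the password is verified first, and the lock state is only
 * consulted on the success path. A locked account therefore answers 49 to a
 * wrong password and 19 to the right one, which is the oracle. */
enum bind_result bind_before_fix(struct account *a, const char *candidate) {
    if (!password_matches(a, candidate)) {
        record_failure(a);
        return BIND_INVALID_CREDENTIALS;
    }
    if (a->locked)
        return BIND_CONSTRAINT_VIOLATION;
    return BIND_SUCCESS;
}

/* Post-fix order: the lock state is checked before the password is examined,
 * so every bind against a locked account gets the same code. */
enum bind_result bind_after_fix(struct account *a, const char *candidate) {
    if (a->locked)
        return BIND_CONSTRAINT_VIOLATION;
    if (!password_matches(a, candidate)) {
        record_failure(a);
        return BIND_INVALID_CREDENTIALS;
    }
    return BIND_SUCCESS;
}

static struct account fresh_account(void) {
    struct account a = { "uid=demo,ou=people,dc=example,dc=com",
                         "correct-horse", 0, 3, false };
    return a;
}

/* Result code for a single bind against an account that has never failed. */
enum bind_result bind_fresh(bind_fn bind, const char *candidate) {
    struct account a = fresh_account();
    return bind(&a, candidate);
}

/* Attacker's view: trip the lockout with wrong guesses, then compare the code
 * for one more wrong guess against the code for the real password. Returns
 * true when the two differ, i.e. when the lockout leaks password validity. */
bool lockout_leaks_password(bind_fn bind) {
    struct account a = fresh_account();
    for (int i = 0; i < a.lockout_threshold; i++)
        bind(&a, "wrong-guess");
    if (!a.locked)
        return false;
    enum bind_result wrong = bind(&a, "another-wrong-guess");
    enum bind_result right = bind(&a, "correct-horse");
    return wrong != right;
}

int main(void) {
    printf("pre-fix  order leaks password during lockout: %s\n",
           lockout_leaks_password(bind_before_fix) ? "yes" : "no");
    printf("post-fix order leaks password during lockout: %s\n",
           lockout_leaks_password(bind_after_fix) ? "yes" : "no");
    return 0;
}
```

The point of the example is the sequence, not the codes: whatever a server returns for "locked", it must be returned before the supplied password has any influence on the answer, otherwise the lockout only stops legitimate users while the brute force keeps a working oracle.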
    
        
file modified
+5 -4