Bug 1199889 (CVE-2022-1949) - VUL-0: CVE-2022-1949: 389-ds: access control bypass
Summary: VUL-0: CVE-2022-1949: 389-ds: access control bypass
Status: RESOLVED FIXED
Alias: CVE-2022-1949
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: William Brown
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/332883/
Whiteboard: CVSSv3.1:SUSE:CVE-2022-1949:9.1:(AV:N...
Keywords:
Depends on:
Blocks:
 
Reported: 2022-05-25 06:39 UTC by William Brown
Modified: 2024-05-24 10:39 UTC (History)
2 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description William Brown 2022-05-25 06:39:29 UTC 
Using a specially crafted query (filter) against 389-ds as any user (including anonymous) it may be possible to bypass access controls. This can lead to potentially sensitive information disclosure.

This occurs due to an issue with filter evaluation taking a shortcut path that skip access control evaluation in some cases. 

This was discovered by accident as part of work to improve query performance. Initially it was thought to just be a "quality" fix due to the potential for queries to yield incorrect results, but it appears to be infact a security issue as entries can be returned where access is not granted.


An example query (thanks to Flo from the FreeIPA project) is. There was an incorrect aci in place that did not allow reading of these values, meaning that there should have been no result for idnsserverid.

"(|(objectClass=idnsConfigObject)(&(objectClass=idnsServerConfigObject)(idnsServerId=server.ipa.test)))"


dn: cn=dns,dc=ipa,dc=test
objectClass: idnsConfigObject
objectClass: nsContainer
objectClass: ipaConfigObject
objectClass: ipaDNSContainer
objectClass: top
cn: dns
ipaConfigString: DNSVersion 1
ipaDNSVersion: 2

dn: idnsserverid=server.ipa.test,cn=servers,cn=dns,dc=ipa,dc=test
idnsServerId: server.ipa.test
idnsSOAmName: server.ipa.test.
objectClass: top
objectClass: idnsServerConfigObject
idnsForwarders: 10.2.32.1
idnsForwardPolicy: only


The query was internally transformed and due to a shortcut condition the second entry was incorrectly returned when access was not provided for it.

The fix already exists as part of 5170 and it's query optimisation work. 

From my reading of the code, this has existed since at least 1.3.x of 389-ds, meaning that 1.4.x and 2.x are all affected. 


Upstream PR https://github.com/389ds/389-ds-base/issues/5170
Comment 1 Marcus Meissner 2022-05-25 07:07:03 UTC 
did anyone request a CVE yet?
Comment 4 William Brown 2022-05-31 04:18:53 UTC 
Issue has been assigned a CVE.

CVE-2022-1949
CVSSv3: 7.4/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Redhat Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2091781
Comment 8 OBSbugzilla Bot 2022-05-31 06:40:02 UTC 
This is an autogenerated message for OBS integration:
This bug (1199889) was mentioned in
https://build.opensuse.org/request/show/979985 Factory / 389-ds
Comment 12 Swamp Workflow Management 2022-06-14 22:28:31 UTC 
SUSE-SU-2022:2081-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1195324,1199889
CVE References: CVE-2021-4091,CVE-2022-1949
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    389-ds-1.4.4.19~git38.9951c1101-150300.3.17.1
SUSE Linux Enterprise Module for Server Applications 15-SP3 (src):    389-ds-1.4.4.19~git38.9951c1101-150300.3.17.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Swamp Workflow Management 2022-06-16 19:30:26 UTC 
SUSE-SU-2022:2105-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1195324,1199889
CVE References: CVE-2021-4091,CVE-2022-1949
JIRA References: 
Sources used:
SUSE Manager Server 4.1 (src):    389-ds-1.4.3.30~git2.ca761af4b-150200.3.29.1
SUSE Manager Retail Branch Server 4.1 (src):    389-ds-1.4.3.30~git2.ca761af4b-150200.3.29.1
SUSE Manager Proxy 4.1 (src):    389-ds-1.4.3.30~git2.ca761af4b-150200.3.29.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    389-ds-1.4.3.30~git2.ca761af4b-150200.3.29.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    389-ds-1.4.3.30~git2.ca761af4b-150200.3.29.1
SUSE Linux Enterprise Server 15-SP2-BCL (src):    389-ds-1.4.3.30~git2.ca761af4b-150200.3.29.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    389-ds-1.4.3.30~git2.ca761af4b-150200.3.29.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    389-ds-1.4.3.30~git2.ca761af4b-150200.3.29.1
SUSE Enterprise Storage 7 (src):    389-ds-1.4.3.30~git2.ca761af4b-150200.3.29.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Swamp Workflow Management 2022-06-16 19:31:51 UTC 
SUSE-SU-2022:2109-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1188455,1195324,1199889
CVE References: CVE-2021-3652,CVE-2021-4091,CVE-2022-1949
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src):    389-ds-1.4.0.31~git15.8b9843b0b-150000.4.27.1
SUSE Linux Enterprise Server 15-LTSS (src):    389-ds-1.4.0.31~git15.8b9843b0b-150000.4.27.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    389-ds-1.4.0.31~git15.8b9843b0b-150000.4.27.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    389-ds-1.4.0.31~git15.8b9843b0b-150000.4.27.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 15 Swamp Workflow Management 2022-06-23 16:17:04 UTC 
SUSE-SU-2022:2163-1: An update that solves 5 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1188455,1195324,1197275,1197345,1199889,1200175
CVE References: CVE-2021-3652,CVE-2021-4091,CVE-2022-0918,CVE-2022-0996,CVE-2022-1949
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    389-ds-1.4.2.16~git68.efa843752-150100.7.34.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    389-ds-1.4.2.16~git68.efa843752-150100.7.34.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    389-ds-1.4.2.16~git68.efa843752-150100.7.34.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    389-ds-1.4.2.16~git68.efa843752-150100.7.34.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    389-ds-1.4.2.16~git68.efa843752-150100.7.34.1
SUSE Enterprise Storage 6 (src):    389-ds-1.4.2.16~git68.efa843752-150100.7.34.1
SUSE CaaS Platform 4.0 (src):    389-ds-1.4.2.16~git68.efa843752-150100.7.34.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 16 Swamp Workflow Management 2022-07-06 16:31:13 UTC 
SUSE-SU-2022:2295-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1195324,1199889
CVE References: CVE-2021-4091,CVE-2022-1949
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    389-ds-2.0.15~git26.1ea6a6803-150400.3.5.1
SUSE Linux Enterprise Module for Server Applications 15-SP4 (src):    389-ds-2.0.15~git26.1ea6a6803-150400.3.5.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 18 Alexander Bergmann 2024-05-24 10:39:57 UTC 
Released. Closing bug.