File 0012-Ticket-49336-SECURITY-1.3.5.x-Locked-account-provide.patch of Package 389-ds
From 25a945284df182ad800ef200c6f51e2bf1a5e9f1 Mon Sep 17 00:00:00 2001
From: William Brown <firstyear@redhat.com>
Date: Tue, 1 Aug 2017 16:21:33 +1000
Subject: [PATCH 12/14] Ticket 49336 - SECURITY 1.3.5.x: Locked account
 provides different return code
Backport to 1.3.5.x
Bug Description:  The directory server password lockout policy prevents binds
 from operating once a threshold of failed passwords has been met. During
 this lockout, if you bind with a successful password, a different error code
 is returned. This means that an attacker has no rate limit or penalty during
 an account lock, and can continue to attempt passwords via brute force, using
 the change in return code to ascertain a successful password auth.
Fix Description:  Move the account lock check *before* the password bind
check. If the account is locked, we do not mind disclosing this, as the
attacker will either ignore it (and will not bind anyway), or they will
be forced to back off as the attack is not working, preventing the
brute force.
https://pagure.io/389-ds-base/issue/49336
Author: wibrown
Review by: mreynolds (thanks)
---
 ldap/servers/slapd/bind.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/ldap/servers/slapd/bind.c b/ldap/servers/slapd/bind.c
index 399eaf7d3..33bb49827 100644
--- a/ldap/servers/slapd/bind.c
+++ b/ldap/servers/slapd/bind.c
@@ -722,10 +722,7 @@ do_bind( Slapi_PBlock *pb )
             }
             slapi_pblock_set( pb, SLAPI_PLUGIN, be->be_database );
             set_db_default_result_handlers(pb);
-            if ( (rc != 1) && 
-                 (auto_bind || 
-                  (((rc = (*be->be_bind)( pb )) == SLAPI_BIND_SUCCESS) ||
-                   (rc == SLAPI_BIND_ANONYMOUS))) ) {
+            if ( rc != 1) {
                 long t;
                 char* authtype = NULL;
                 /* rc is SLAPI_BIND_SUCCESS or SLAPI_BIND_ANONYMOUS */
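Review bot: the comment `/* rc is SLAPI_BIND_SUCCESS or SLAPI_BIND_ANONYMOUS */` is now stale: with the `be_bind` call removed from this condition, entering the block only guarantees `rc != 1`, and `rc` has not yet been set by the backend bind at this point. Suggest rewording it to state that `rc` is the pre-bind result and that the backend bind now runs after the account-lock check, so a reader does not assume the password has already been verified here. Dropping `auto_bind` from the condition looks correct as long as the later `if (!auto_bind)` guard remains the only place the backend bind is invoked.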
@@ -783,6 +780,10 @@ do_bind( Slapi_PBlock *pb )
                         myrc = 0;
                     }
                     if (!auto_bind) {
+                        rc = (*be->be_bind)( pb );
+                        if (rc != SLAPI_BIND_SUCCESS && rc != SLAPI_BIND_ANONYMOUS) {
+                            goto account_locked;
+                        }
                         /* 
                          * There could be a race that bind_target_entry was not added 
                          * when bind_target_entry was retrieved before be_bind, but it
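Review bot: `goto account_locked` is taken for every non-success return from `be_bind`, including an ordinary wrong password, so the label name no longer describes the only path that reaches it; please confirm that the code at that label (outside this hunk) does not send a lock-specific result, or a second result after the backend has already sent its own, otherwise a plain password failure would be reported as a lock and a distinguishable response would be reintroduced. A more neutral name such as `bind_failed`, plus a short comment above the new call noting that the account-lock check has deliberately already run before `be_bind`, would make the intended ordering explicit and less likely to be undone by a later refactor.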
-- 
2.15.1