On Thu, 06 Nov 2014, thierry bordaz wrote:
On 11/05/2014 09:14 PM, Nathaniel McCallum wrote:
Before this patch users could log in using only the OTP value. This
arose because ipapwd_authentication() successfully determined that
an empty password was invalid, but 389 itself would see this as an
anonymous bind. An anonymous bind would never even get this far in
this code, so we simply deny requests with empty passwords.
This patch resolves CVE-2014-7828.
https://fedorahosted.org/freeipa/ticket/4690
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Hello Nathaniel,
With the DS flag 'nsslapd-allow-unauthenticated-binds', customer
have the ability to allows unauthenticated binds and connections.
With the fix, a ldapclient bind containing only OTP part will fail
even if the flag was set.
By definition of nsslapd-allow-unauthenticated-binds, it requires a BIND
with name but no password. Specifying OTP value will make password
non-empty and thus failing unauthenticated bind request definition.
When ipapwd_pre_bind, stipping the OTP part, detects that the
password is zero length, I wonder if it should not test that flag to
determine if it should fail or succeed.
Since original password was non-empty it wouldn't make sense to check
the value for empty password after stripping the OTP part as it is not
an unauthenticated password in the first place.
--
/ Alexander Bokovoy
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
