
CVE-2023-0614 s4-dsdb: Treat confidential attributes as unindexed

In the unlikely case that someone adds a confidential indexed attribute
to the schema, LDAP search expressions on that attribute could disclose
information via timing differences. Let's not use the index for searches
on confidential attributes.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton 2023-02-24 10:03:25 +13:00 committed by Jule Anger
parent a74571b49f
commit 1cfaa078ff
4 changed files with 33 additions and 4 deletions


@ -423,7 +423,15 @@ static int extended_dn_filter_callback(struct ldb_parse_tree *tree, void *privat
guid_val = ldb_dn_get_extended_component(dn, "GUID"); guid_val = ldb_dn_get_extended_component(dn, "GUID");
sid_val = ldb_dn_get_extended_component(dn, "SID"); sid_val = ldb_dn_get_extended_component(dn, "SID");
if (!guid_val && !sid_val && (attribute->searchFlags & SEARCH_FLAG_ATTINDEX)) { /*
* Is the attribute indexed? By treating confidential attributes
* as unindexed, we force searches to go through the unindexed
* search path, avoiding observable timing differences.
*/
if (!guid_val && !sid_val &&
(attribute->searchFlags & SEARCH_FLAG_ATTINDEX) &&
!(attribute->searchFlags & SEARCH_FLAG_CONFIDENTIAL))
{
/* if it is indexed, then fixing the string DN will do /* if it is indexed, then fixing the string DN will do
no good here, as we will not find the attribute in no good here, as we will not find the attribute in
the index. So for now fall through to a standard DN the index. So for now fall through to a standard DN
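Review bot: The "indexed and not confidential" test in the new `if` of extended_dn_filter_callback is open-coded, and the same pair of flag checks is repeated in the hunks for dsdb_schema_setup_ldb_schema_attribute and dsdb_schema_set_indices_and_attributes. Any site that still tests `SEARCH_FLAG_ATTINDEX` on its own would keep treating a confidential attribute as indexed and leave the timing difference observable, so one shared predicate is safer than three copies. A helper along these lines (the name is only a suggestion) would do: `static inline bool dsdb_attribute_is_indexed(const struct dsdb_attribute *a) { return (a->searchFlags & SEARCH_FLAG_ATTINDEX) && !(a->searchFlags & SEARCH_FLAG_CONFIDENTIAL); }`. The function body continues outside the hunk, so whether other index checks exist in this file cannot be seen from here.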


@ -160,6 +160,13 @@ char *schema_attribute_to_extendedInfo(TALLOC_CTX *mem_ctx, const struct dsdb_at
attribute->rangeUpper, attribute->rangeUpper,
GUID_hexstring(tmp_ctx, &attribute->schemaIDGUID), GUID_hexstring(tmp_ctx, &attribute->schemaIDGUID),
GUID_hexstring(tmp_ctx, &attribute->attributeSecurityGUID), GUID_hexstring(tmp_ctx, &attribute->attributeSecurityGUID),
/*
* We actually ignore the indexed
* flag for confidential
* attributes, but we'll include
* it for the purposes of
* description.
*/
(attribute->searchFlags & SEARCH_FLAG_ATTINDEX), (attribute->searchFlags & SEARCH_FLAG_ATTINDEX),
attribute->systemOnly); attribute->systemOnly);
talloc_free(tmp_ctx); talloc_free(tmp_ctx);


@ -515,7 +515,14 @@ static int dsdb_schema_setup_ldb_schema_attribute(struct ldb_context *ldb,
a->flags |= LDB_ATTR_FLAG_SINGLE_VALUE; a->flags |= LDB_ATTR_FLAG_SINGLE_VALUE;
} }
if (attr->searchFlags & SEARCH_FLAG_ATTINDEX) { /*
* Is the attribute indexed? By treating confidential attributes as
* unindexed, we force searches to go through the unindexed search path,
* avoiding observable timing differences.
*/
if (attr->searchFlags & SEARCH_FLAG_ATTINDEX &&
!(attr->searchFlags & SEARCH_FLAG_CONFIDENTIAL))
{
a->flags |= LDB_ATTR_FLAG_INDEXED; a->flags |= LDB_ATTR_FLAG_INDEXED;
} }
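Review bot: In the new condition `attr->searchFlags & SEARCH_FLAG_ATTINDEX && !(attr->searchFlags & SEARCH_FLAG_CONFIDENTIAL)` the first bit test is left unparenthesised, while the same check in extended_dn_filter_callback is written `(attribute->searchFlags & SEARCH_FLAG_ATTINDEX) &&`. It is correct because `&` binds tighter than `&&`, but the mixed form is easy to misread in a condition that gates a security property. I would write the first line as `if ((attr->searchFlags & SEARCH_FLAG_ATTINDEX) &&` and keep the second line unchanged. The hunk for dsdb_schema_set_indices_and_attributes uses the same unparenthesised form, and the enclosing function here starts and ends outside the hunk.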


@ -221,7 +221,14 @@ int dsdb_schema_set_indices_and_attributes(struct ldb_context *ldb,
break; break;
} }
if (attr->searchFlags & SEARCH_FLAG_ATTINDEX) { /*
* Is the attribute indexed? By treating confidential attributes
* as unindexed, we force searches to go through the unindexed
* search path, avoiding observable timing differences.
*/
if (attr->searchFlags & SEARCH_FLAG_ATTINDEX &&
!(attr->searchFlags & SEARCH_FLAG_CONFIDENTIAL))
{
/* /*
* When preparing to downgrade Samba, we need to write * When preparing to downgrade Samba, we need to write
* out an LDB without the new key word ORDERED_INTEGER. * out an LDB without the new key word ORDERED_INTEGER.