diff options
author | Joseph Sutton <josephsutton@catalyst.net.nz> | 2023-02-24 10:03:25 +1300 |
---|---|---|
committer | Jule Anger <janger@samba.org> | 2023-03-20 10:03:51 +0100 |
commit | ad4c220411233d6cbd19885a8a0a91bbec762619 (patch) | |
tree | 580ed16516752c6118fcca6fde476e9792a91bca | |
parent | 7f37b4ce6b5ecf05df6e62563f82e13ab93aa7a4 (diff) | |
download | samba-ad4c220411233d6cbd19885a8a0a91bbec762619.tar.gz |
CVE-2023-0614 s4-dsdb: Treat confidential attributes as unindexed
In the unlikely case that someone adds a confidential indexed attribute
to the schema, LDAP search expressions on that attribute could disclose
information via timing differences. Let's not use the index for searches
on confidential attributes.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-rw-r--r-- | source4/dsdb/samdb/ldb_modules/extended_dn_in.c | 10 | ||||
-rw-r--r-- | source4/dsdb/schema/schema_description.c | 7 | ||||
-rw-r--r-- | source4/dsdb/schema/schema_init.c | 11 | ||||
-rw-r--r-- | source4/dsdb/schema/schema_set.c | 9 |
4 files changed, 33 insertions, 4 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/extended_dn_in.c b/source4/dsdb/samdb/ldb_modules/extended_dn_in.c index 1dc1e1f2d42..248bb66f039 100644 --- a/source4/dsdb/samdb/ldb_modules/extended_dn_in.c +++ b/source4/dsdb/samdb/ldb_modules/extended_dn_in.c @@ -423,7 +423,15 @@ static int extended_dn_filter_callback(struct ldb_parse_tree *tree, void *privat guid_val = ldb_dn_get_extended_component(dn, "GUID"); sid_val = ldb_dn_get_extended_component(dn, "SID"); - if (!guid_val && !sid_val && (attribute->searchFlags & SEARCH_FLAG_ATTINDEX)) { + /* + * Is the attribute indexed? By treating confidential attributes + * as unindexed, we force searches to go through the unindexed + * search path, avoiding observable timing differences. + */ + if (!guid_val && !sid_val && + (attribute->searchFlags & SEARCH_FLAG_ATTINDEX) && + !(attribute->searchFlags & SEARCH_FLAG_CONFIDENTIAL)) + { /* if it is indexed, then fixing the string DN will do no good here, as we will not find the attribute in the index. So for now fall through to a standard DN diff --git a/source4/dsdb/schema/schema_description.c b/source4/dsdb/schema/schema_description.c index 243a02a15f3..5fc70154bf8 100644 --- a/source4/dsdb/schema/schema_description.c +++ b/source4/dsdb/schema/schema_description.c @@ -160,6 +160,13 @@ char *schema_attribute_to_extendedInfo(TALLOC_CTX *mem_ctx, const struct dsdb_at attribute->rangeUpper, GUID_hexstring(tmp_ctx, &attribute->schemaIDGUID), GUID_hexstring(tmp_ctx, &attribute->attributeSecurityGUID), + /* + * We actually ignore the indexed + * flag for confidential + * attributes, but we'll include + * it for the purposes of + * description. + */ (attribute->searchFlags & SEARCH_FLAG_ATTINDEX), attribute->systemOnly); talloc_free(tmp_ctx); diff --git a/source4/dsdb/schema/schema_init.c b/source4/dsdb/schema/schema_init.c index a3b00497b6b..c8197b86306 100644 --- a/source4/dsdb/schema/schema_init.c +++ b/source4/dsdb/schema/schema_init.c @@ -514,8 +514,15 @@ static int dsdb_schema_setup_ldb_schema_attribute(struct ldb_context *ldb, if (attr->isSingleValued) { a->flags |= LDB_ATTR_FLAG_SINGLE_VALUE; } - - if (attr->searchFlags & SEARCH_FLAG_ATTINDEX) { + + /* + * Is the attribute indexed? By treating confidential attributes as + * unindexed, we force searches to go through the unindexed search path, + * avoiding observable timing differences. + */ + if (attr->searchFlags & SEARCH_FLAG_ATTINDEX && + !(attr->searchFlags & SEARCH_FLAG_CONFIDENTIAL)) + { a->flags |= LDB_ATTR_FLAG_INDEXED; } diff --git a/source4/dsdb/schema/schema_set.c b/source4/dsdb/schema/schema_set.c index 45faa0912ec..03cf2405595 100644 --- a/source4/dsdb/schema/schema_set.c +++ b/source4/dsdb/schema/schema_set.c @@ -221,7 +221,14 @@ int dsdb_schema_set_indices_and_attributes(struct ldb_context *ldb, break; } - if (attr->searchFlags & SEARCH_FLAG_ATTINDEX) { + /* + * Is the attribute indexed? By treating confidential attributes + * as unindexed, we force searches to go through the unindexed + * search path, avoiding observable timing differences. + */ + if (attr->searchFlags & SEARCH_FLAG_ATTINDEX && + !(attr->searchFlags & SEARCH_FLAG_CONFIDENTIAL)) + { /* * When preparing to downgrade Samba, we need to write * out an LDB without the new key word ORDERED_INTEGER. |