389 Directory Server Heap Buffer Over-Read Vulnerability in String Filter Parsing

A heap buffer over-read vulnerability has been identified in 389 Directory Server. The issue arises in the ldap_utf8prev() function, which reads bytes before the start of a buffer without proper bounds checking. This flaw can lead to a heap over-read during string filter parsing, potentially affecting internal filter processing. The vulnerability exists in all versions of the 389 Directory Server component on Red Hat Enterprise Linux 10, 7, 8, and 9, as well as in Red Hat Directory Server versions 11, 12, and 13.

Impact

Exploitation of this vulnerability causes a heap buffer over-read, which can lead to reading out-of-bounds memory. This may allow an attacker to access secret values, such as memory addresses, potentially bypassing protection mechanisms like ASLR. Such a memory read could be used to improve the chances of exploiting another vulnerability to achieve code execution, rather than just causing a denial-of-service condition.

Reproduction

The vulnerability can be reproduced by using internal callers that process data influenced by the attacker, such as plugin configuration, ACI definitions, or replication. The issue has been confirmed with AddressSanitizer on aarch64 architecture, where it does not cause a crash on production binaries.