389 Directory Server
cpe:2.3:o:redhat:389_directory_server:*:*:*:*:*:*:*
A vulnerability exists in the 389 Directory Server's SMD5 password storage plugin. It involves an unsigned integer underflow when calculating the salt length from a crafted password hash shorter than 16 bytes. This flaw causes a buffer over-read, which crashes the LDAP server during authentication. The issue has been present since the creation of the SMD5 plugin around 2005.
Exploitation of this vulnerability causes the LDAP server to crash, interrupting authentication processes. Additionally, the buffer over-read could potentially be exploited to execute unauthorized code, bypassing normal security mechanisms.
An attacker with Directory Manager privileges can exploit this vulnerability by planting a crafted SMD5 hash that is less than 16 bytes. When the server processes this hash during authentication, it triggers the unsigned integer underflow, leading to a buffer over-read and a crash of the ns-slapd process.
Users are advised to migrate stored passwords from SMD5 to PBKDF2_SHA256 to eliminate the vulnerable code path. Additionally, Directory Manager credentials should be restricted and audited, and nsslapd-allow-hashed-passwords should be disabled to prevent non-DM users from setting pre-hashed passwords.
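To support the migration and audit advice above, the following added example (not code from 389 Directory Server or from this page) scans an LDIF export for userPassword values stored with SMD5 and separates values that decode to fewer than 16 bytes from well-formed ones that still need migration. It assumes a stored value is the {SMD5} tag followed by base64 of a 16-byte digest plus salt; audit_ldif, _stored and SAMPLE_LDIF are hypothetical names, and the sample entries are constructed.

```python
import base64
import binascii

MD5_LEN = 16   # digest bytes expected before the salt (the page's 16-byte threshold)
TAG = "{SMD5}"

def _stored(n):  # constructed sample value: n zero bytes behind the {SMD5} tag
    return TAG + base64.b64encode(bytes(n)).decode()

SAMPLE_LDIF = "\n".join([  # constructed entries, not real directory data
    "dn: uid=alice,ou=people,dc=example,dc=com",
    "userPassword: " + _stored(20),
    "",
    "dn: uid=bob,ou=people,dc=example,dc=com",
    "userPassword:: " + base64.b64encode(_stored(8).encode()).decode(),
    "",
    "dn: uid=carol,ou=people,dc=example,dc=com",
    "userPassword: {PBKDF2_SHA256}constructed-placeholder",
])

def audit_ldif(text):
    """Return (dn, status) for every userPassword value stored with {SMD5}."""
    findings, dn = [], None
    text = text.replace("\r\n", "\n").replace("\n ", "")  # unfold wrapped LDIF lines
    for line in text.splitlines():
        if line.lower().startswith("dn:"):
            dn = line.split(":", 1)[1].strip()
            continue
        if not line.lower().startswith("userpassword:"):
            continue
        value = line[len("userpassword:"):]
        if value.startswith(":"):  # "userPassword:: x" means x is base64-encoded
            try:
                value = base64.b64decode(value[1:].strip(), validate=True).decode("utf-8", "replace")
            except binascii.Error:
                continue  # attribute value itself is unreadable; nothing to classify
        value = value.strip()
        if not value.upper().startswith(TAG):
            continue  # other storage schemes are out of scope here
        try:
            blob = base64.b64decode(value[len(TAG):], validate=True)
        except binascii.Error:
            findings.append((dn, "malformed: not valid base64"))
            continue
        if len(blob) < MD5_LEN:  # salt length would be negative for this value
            findings.append((dn, f"malformed: {len(blob)} bytes, shorter than {MD5_LEN}"))
        else:
            findings.append((dn, f"migrate: salt length {len(blob) - MD5_LEN}"))
    return findings
```

Entries reported as malformed warrant a review of who wrote the value; entries reported as migrate are ordinary SMD5 hashes still waiting to be moved to PBKDF2_SHA256.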