389 Directory Server Heap Buffer Overflow Vulnerability in Audit Log Password Masking

Vulnerability

A heap buffer overflow vulnerability has been identified in 389 Directory Server. This issue arises in the audit logging feature, specifically within the create_masked_entry_string() function in auditlog.c. The vulnerability occurs because the function copies a fixed-length password mask into a heap buffer that is precisely sized, without verifying the available space. If a short cleartext password is logged—an occurrence that requires non-default CLEAR password storage or a compromised replication peer—the buffer overflow can corrupt heap memory and disrupt the audit log output.
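The sizing mistake described above and one safe way to avoid it, as an added C example that is not 389 Directory Server's code. The names `mask_entry`, `find_attr`, `PW_MASK` and `PW_ATTR`, the 10-byte mask and the case-sensitive `userPassword: ` match are assumptions made for illustration.

```c
#include <stdlib.h>
#include <string.h>

#define PW_MASK "**********"      /* constructed fixed-length mask (assumption) */
#define PW_ATTR "userPassword: "  /* attribute prefix assumed for this sketch */

/* Locate PW_ATTR at the start of a line in an LDIF-like string; NULL if absent. */
static const char *find_attr(const char *s)
{
    size_t n = strlen(PW_ATTR);
    while (s && *s) {
        if (strncmp(s, PW_ATTR, n) == 0)
            return s;
        s = strchr(s, '\n');
        if (s)
            s++;                  /* step past the newline to the next line */
    }
    return NULL;
}

/* Return a heap copy of `entry` with the first password value replaced by
 * PW_MASK. The allocation is computed from the OUTPUT (text before the value
 * + mask + text after the value), never from the input length. Writing the
 * mask over the value inside a buffer sized for the input is the unsafe
 * pattern: a value shorter than the mask would be overrun. */
char *mask_entry(const char *entry)
{
    const char *attr = find_attr(entry);
    if (!attr) {                  /* nothing to mask: plain copy */
        char *copy = malloc(strlen(entry) + 1);
        if (copy)
            strcpy(copy, entry);
        return copy;
    }
    const char *val = attr + strlen(PW_ATTR);
    const char *end = strchr(val, '\n');
    if (!end)
        end = val + strlen(val);  /* value runs to the end of the string */
    size_t head = (size_t)(val - entry);
    size_t tail = strlen(end);
    size_t mask = strlen(PW_MASK);
    char *out = malloc(head + mask + tail + 1);
    if (!out)
        return NULL;
    memcpy(out, entry, head);
    memcpy(out + head, PW_MASK, mask);
    memcpy(out + head + mask, end, tail + 1); /* includes the NUL */
    return out;
}
```

The caller frees the returned string; a two-byte password produces an output longer than the input, which is the case a buffer sized for the input cannot hold.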

Impact

Exploitation of this vulnerability leads to a heap-based buffer overflow, which can corrupt memory, cause application crashes, and potentially allow for arbitrary code execution.

Reproduction

To reproduce this vulnerability, enable audit logging in 389 Directory Server and set the password storage scheme to CLEAR. Alternatively, a compromised replication peer can be used to send short cleartext passwords that bypass the default hashing, triggering the buffer overflow during the audit logging process.

Remediation

Users are advised not to use the CLEAR password storage scheme and to disable audit logging if it is not necessary. Additionally, monitor replication agreements for unauthorized peers.

Added: Jun 9, 2026, 3:15 PM
Updated: Jun 9, 2026, 3:15 PM

Vulnerability Rating

Custom Algorithm

spread: 2.6
impact: 1.9
exploitability: 5.2
remediation: 8.3
relevance: 9.6
threat: 1.6
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.