389 Directory Server Stack Buffer Overflow Vulnerability in Algorithm ID Parsing

Vulnerability

A stack buffer overflow vulnerability has been identified in 389 Directory Server. The issue arises in the checkPrefix() function within pw.c, where an attacker-controlled algorithm ID is copied into a 256-byte stack buffer without proper bounds checking. The overflow occurs when the server parses reversible-encrypted attribute values. An attacker with Directory Manager privileges can exploit this flaw by storing a crafted credential that includes an oversized algorithm ID, leading to a crash of the LDAP server. FORTIFY_SOURCE reduces the impact to a denial-of-service condition, but it does not eliminate the risk entirely.

Impact

Exploitation of this vulnerability causes the LDAP server to crash, although the FORTIFY_SOURCE feature in production builds prevents code execution.

Reproduction

The vulnerability can be reproduced by injecting a crafted value into a reversible-encrypted attribute, such as nsDS5ReplicaCredentials, that includes an oversized algorithm ID. This can be done through the LDAP server's configuration management interface, requiring Directory Manager privileges.

Remediation

It is recommended to restrict Directory Manager access and monitor configuration attributes for abnormally long values. Additionally, limit LDAP administrative access to management networks or localhost.
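One way to carry out the monitoring recommended above is to scan an LDIF export of the configuration for reversible-encrypted values whose leading prefix is too long for the 256-byte buffer. This is an added example, not code from the 389 Directory Server project; it assumes the algorithm ID sits inside a leading "{...}" prefix of the value, and the sample entries, DNs and function names are constructed for illustration.

```python
import base64
import re

# Only nsDS5ReplicaCredentials is named on the page; extend this set as needed.
WATCHED = {"nsds5replicacredentials"}
# The page cites a 256-byte stack buffer: 255 is the longest ID that fits with a NUL.
MAX_ALGID_LEN = 255
# Assumption: the algorithm ID sits inside a leading "{...}" prefix of the value.
PREFIX_RE = re.compile(rb"^\{([^}]*)\}")
# Constructed sample (hypothetical DNs and values); the second value is folded.
SAMPLE = (
    "dn: cn=agmt1,cn=example\n"
    "nsDS5ReplicaCredentials: {EXAMPLE-shortid}Y2lwaGVydGV4dA==\n\n"
    "dn: cn=agmt2,cn=example\n"
    "nsDS5ReplicaCredentials: {EXAMPLE-" + "A" * 60 + "\n " + "A" * 240 + "}Y2lwaGVy\n"
)

def unfold(ldif_text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def scan_ldif(ldif_text, max_len=MAX_ALGID_LEN):
    """Return (dn, attribute, prefix_length, reason) for each suspicious value."""
    findings, dn = [], None
    for line in unfold(ldif_text):
        name, sep, rest = line.partition(":")
        if not sep or line.startswith("#"):
            continue
        try:  # "attr:: <base64>" carries a base64-encoded value
            value = (base64.b64decode(rest[1:].strip(), validate=True)
                     if rest.startswith(":") else rest.strip().encode())
        except ValueError:
            continue
        attr = name.strip().lower()
        if attr == "dn":
            dn = value.decode(errors="replace")
        elif attr in WATCHED:
            match = PREFIX_RE.match(value)
            if match and len(match.group(1)) > max_len:
                findings.append((dn, name, len(match.group(1)), "oversized prefix"))
            elif match is None and value.startswith(b"{"):
                findings.append((dn, name, len(value) - 1, "unterminated prefix"))
    return findings
```

Lower max_len to match the longest prefix seen in a known-good configuration if a tighter alert threshold is wanted.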

Added: Jun 9, 2026, 3:10 PM
Updated: Jun 9, 2026, 3:10 PM

Vulnerability Rating

Custom Algorithm
spread: 2.6
impact: 2.5
exploitability: 5.8
remediation: 7.9
relevance: 9.3
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.