From 62d100b64a25c740187f687dd058a543d43984ec Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Fri, 24 Feb 2023 10:03:25 +1300 Subject: [PATCH 29/34] CVE-2023-0614 s4-dsdb: Treat confidential attributes as unindexed In the unlikely case that someone adds a confidential indexed attribute to the schema, LDAP search expressions on that attribute could disclose information via timing differences. Let's not use the index for searches on confidential attributes. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270 Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Conflict: NA Reference: https://attachments.samba.org/attachment.cgi?id=17821 --- source4/dsdb/samdb/ldb_modules/extended_dn_in.c | 10 +++++++++- source4/dsdb/schema/schema_description.c | 7 +++++++ source4/dsdb/schema/schema_init.c | 11 +++++++++-- source4/dsdb/schema/schema_set.c | 9 ++++++++- 4 files changed, 33 insertions(+), 4 deletions(-) diff --git a/source4/dsdb/samdb/ldb_modules/extended_dn_in.c b/source4/dsdb/samdb/ldb_modules/extended_dn_in.c index 1dc1e1f2d42..248bb66f039 100644 --- a/source4/dsdb/samdb/ldb_modules/extended_dn_in.c +++ b/source4/dsdb/samdb/ldb_modules/extended_dn_in.c @@ -423,7 +423,15 @@ static int extended_dn_filter_callback(struct ldb_parse_tree *tree, void *privat guid_val = ldb_dn_get_extended_component(dn, "GUID"); sid_val = ldb_dn_get_extended_component(dn, "SID"); - if (!guid_val && !sid_val && (attribute->searchFlags & SEARCH_FLAG_ATTINDEX)) { + /* + * Is the attribute indexed? By treating confidential attributes + * as unindexed, we force searches to go through the unindexed + * search path, avoiding observable timing differences. + */ + if (!guid_val && !sid_val && + (attribute->searchFlags & SEARCH_FLAG_ATTINDEX) && + !(attribute->searchFlags & SEARCH_FLAG_CONFIDENTIAL)) + { /* if it is indexed, then fixing the string DN will do no good here, as we will not find the attribute in the index. So for now fall through to a standard DN diff --git a/source4/dsdb/schema/schema_description.c b/source4/dsdb/schema/schema_description.c index 243a02a15f3..5fc70154bf8 100644 --- a/source4/dsdb/schema/schema_description.c +++ b/source4/dsdb/schema/schema_description.c @@ -160,6 +160,13 @@ char *schema_attribute_to_extendedInfo(TALLOC_CTX *mem_ctx, const struct dsdb_at attribute->rangeUpper, GUID_hexstring(tmp_ctx, &attribute->schemaIDGUID), GUID_hexstring(tmp_ctx, &attribute->attributeSecurityGUID), + /* + * We actually ignore the indexed + * flag for confidential + * attributes, but we'll include + * it for the purposes of + * description. + */ (attribute->searchFlags & SEARCH_FLAG_ATTINDEX), attribute->systemOnly); talloc_free(tmp_ctx); diff --git a/source4/dsdb/schema/schema_init.c b/source4/dsdb/schema/schema_init.c index a3b00497b6b..c8197b86306 100644 --- a/source4/dsdb/schema/schema_init.c +++ b/source4/dsdb/schema/schema_init.c @@ -514,8 +514,15 @@ static int dsdb_schema_setup_ldb_schema_attribute(struct ldb_context *ldb, if (attr->isSingleValued) { a->flags |= LDB_ATTR_FLAG_SINGLE_VALUE; } - - if (attr->searchFlags & SEARCH_FLAG_ATTINDEX) { + + /* + * Is the attribute indexed? By treating confidential attributes as + * unindexed, we force searches to go through the unindexed search path, + * avoiding observable timing differences. + */ + if (attr->searchFlags & SEARCH_FLAG_ATTINDEX && + !(attr->searchFlags & SEARCH_FLAG_CONFIDENTIAL)) + { a->flags |= LDB_ATTR_FLAG_INDEXED; } diff --git a/source4/dsdb/schema/schema_set.c b/source4/dsdb/schema/schema_set.c index 45faa0912ec..03cf2405595 100644 --- a/source4/dsdb/schema/schema_set.c +++ b/source4/dsdb/schema/schema_set.c @@ -221,7 +221,14 @@ int dsdb_schema_set_indices_and_attributes(struct ldb_context *ldb, break; } - if (attr->searchFlags & SEARCH_FLAG_ATTINDEX) { + /* + * Is the attribute indexed? By treating confidential attributes + * as unindexed, we force searches to go through the unindexed + * search path, avoiding observable timing differences. + */ + if (attr->searchFlags & SEARCH_FLAG_ATTINDEX && + !(attr->searchFlags & SEARCH_FLAG_CONFIDENTIAL)) + { /* * When preparing to downgrade Samba, we need to write * out an LDB without the new key word ORDERED_INTEGER. -- 2.25.1