--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
[ Reason ]
lemonldap-ng is vulnerable to password bypass (impact critical) in a very
unlikely setup (probability very low). CVE-2021-40874
[ Impact ]
In such configuration, a remote lemonldap-ng system that queries the
main lemonldap-ng system using internal lemonldap-ng protocol instead of
SAML/OpenID-Connect, accepts user with _wrong password; if and only if_
main lemonldap-ng system is configured to use both Kerberos and LDAP
authentication.
[ Tests ]
Tests passed and upstream patch adds a new test
[ Risks ]
Low risk, test coverage proves that package isn't broken with such
change (trivial for a lemonldap-ng dev ;-))
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
Instead of setting login/password into result variables ($req->user),
RESTServer stores them in form and launch the whole authentication
process ($self->p->authProcess) instead of selected steps.
Same change is applied to CheckState plugin (no major risk here, this
plugin is reserved to LLNG administrators).
Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index a56d54279..f6be653a8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+lemonldap-ng (2.0.11+ds-4+deb11u1) bullseye; urgency=medium
+
+ * Fix auth process in password-testing plugins (Closes: CVE-2021-20874)
+
+ -- Yadd <y...@debian.org> Thu, 24 Feb 2022 15:16:09 +0100
+
lemonldap-ng (2.0.11+ds-4) unstable; urgency=high
* Import security fixes from 2.0.12
diff --git a/debian/patches/CVE-2021-40874.patch
b/debian/patches/CVE-2021-40874.patch
new file mode 100644
index 000000000..a333d3260
--- /dev/null
+++ b/debian/patches/CVE-2021-40874.patch
@@ -0,0 +1,238 @@
+Description: Fix auth process in password-testing plugins (#2611)
+Author: Maxime Besson <maxime.bes...@worteks.com>
+Origin: upstream,
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/66946e8
+Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2612
+Forwarded: not-needed
+Reviewed-By: Yadd <y...@debian.org>
+Last-Update: 2022-01-14
+
+--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Auth/_WebForm.pm
++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Auth/_WebForm.pm
+@@ -73,7 +73,10 @@
+ my $res = PE_OK;
+
+ # 1. No user defined at all -> first access
+- unless ( $defUser and $req->method =~ /^POST$/i ) {
++ # _pwdCheck is a workaround to make CheckUser work while using a GET
++ unless ( $defUser
++ and ( uc( $req->method ) eq "POST" or $req->data->{_pwdCheck} ) )
++ {
+ $res = PE_FIRSTACCESS;
+ }
+
+@@ -170,6 +173,7 @@
+
+ sub setSecurity {
+ my ( $self, $req ) = @_;
++ return if $req->data->{skipToken};
+
+ # If captcha is enable, prepare it
+ if ( $self->captcha ) {
+--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/CheckState.pm
++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/CheckState.pm
+@@ -41,16 +41,22 @@
+
+ if ( my $user = $req->param('user') and my $pwd = $req->param('password')
)
+ {
+- $req->user($user);
+- $req->data->{password} = $pwd;
++ $req->parameters->{user} = ($user);
++ $req->parameters->{password} = $pwd;
++ $req->data->{skipToken} = 1;
++
++ # This makes Auth::Choice use authChoiceAuthBasic if defined
++ $req->data->{_pwdCheck} = 1;
+
+ # Not launched methods:
+- # - "extractFormInfo" due to "token"
+ # - "buildCookie" useless here
+ $req->steps( [
+- 'getUser', 'authenticate',
+- @{ $self->p->betweenAuthAndData }, $self->p->sessionData,
+- @{ $self->p->afterData }, 'storeHistory',
++ @{ $self->p->beforeAuth },
++ $self->p->authProcess,
++ @{ $self->p->betweenAuthAndData },
++ $self->p->sessionData,
++ @{ $self->p->afterData },
++ 'storeHistory',
+ @{ $self->p->endAuth }
+ ]
+ );
+--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/RESTServer.pm
++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/RESTServer.pm
+@@ -681,11 +681,13 @@
+ 400 );
+ }
+
+- $req->user($user);
+- $req->data->{password} = $password;
++ $req->parameters->{user} = $user;
++ $req->parameters->{password} = $password;
++ $req->data->{_pwdCheck} = 1;
++ $req->data->{skipToken} = 1;
+
+ if ( $self->p->_userDB ) {
+- $req->steps( [ 'getUser', 'authenticate' ] );
++ $req->steps( [ $self->p->authProcess ] );
+ my $result = $self->p->process($req);
+ if ( $result == PE_PASSWORD_OK or $result == PE_OK ) {
+ return $self->p->sendJSONresponse( $req,
+--- /dev/null
++++ b/lemonldap-ng-portal/t/35-REST-auth-password-server.t
+@@ -0,0 +1,126 @@
++use Test::More;
++use strict;
++use IO::String;
++use MIME::Base64;
++use JSON;
++
++require 't/test-lib.pm';
++
++my $res;
++
++my $client = LLNG::Manager::Test->new( {
++ ini => {
++ logLevel => 'error',
++ useSafeJail => 1,
++ requireToken => 1,
++ restAuthServer => 1,
++ restPasswordServer => 1,
++ authentication => 'Combination',
++ userDB => 'Same',
++
++ combination => '[K,Dm] or [Dm]',
++ combModules => {
++ K => {
++ for => 1,
++ type => 'Kerberos',
++ },
++ Dm => {
++ for => 0,
++ type => 'Demo',
++ },
++ },
++ krbKeytab => '/etc/keytab',
++ krbByJs => 1,
++ }
++ }
++);
++
++# Test pwdConfirm endpoint
++
++my $res = expectJSON(
++ postJSON(
++ $client,
++ "/proxy/pwdConfirm",
++ {
++ user => "dwho",
++ password => "dwho",
++ }
++ )
++);
++
++is( $res->{result}, 1, "Correct password is accepted" );
++count(1);
++
++my $res = expectJSON(
++ postJSON(
++ $client,
++ "/proxy/pwdConfirm",
++ {
++ user => "waldo",
++ password => "dwho",
++ }
++ )
++);
++
++is( $res->{result}, 0, "Incorrect user is rejected" );
++count(1);
++
++my $res = expectJSON(
++ postJSON(
++ $client,
++ "/proxy/pwdConfirm",
++ {
++ user => "dwho",
++ password => "wrongpass",
++ }
++ )
++);
++
++is( $res->{result}, 0, "Incorrect password is rejected" );
++count(1);
++
++# Test getUser endpoint
++# Existing user
++my $res = expectJSON(
++ postJSON(
++ $client,
++ "/proxy/getUser",
++ {
++ user => "dwho",
++ }
++ )
++);
++is( $res->{result}, 1, "Correct result" );
++is( $res->{info}->{cn}, "Doctor Who", "Correct attributes" );
++is( $res->{info}->{_whatToTrace}, "dwho", "Correct macro" );
++count(3);
++
++# Missing user
++my $res = expectJSON(
++ postJSON(
++ $client,
++ "/proxy/getUser",
++ {
++ user => "notfound",
++ }
++ )
++);
++is( $res->{result}, 0, "Correct result" );
++is( $res->{info}, undef, "No attributes" );
++count(2);
++
++clean_sessions();
++
++done_testing( count() );
++
++sub postJSON {
++ my ( $portal, $url, $payload ) = @_;
++ my $string_payload = to_json($payload);
++ return $portal->_post(
++ $url,
++ IO::String->new($string_payload),
++ accept => 'application/json',
++ type => 'application/json',
++ length => length($string_payload)
++ );
++}
+--- a/lemonldap-ng-portal/t/65-CheckState.t
++++ b/lemonldap-ng-portal/t/65-CheckState.t
+@@ -8,10 +8,25 @@
+ my $client = LLNG::Manager::Test->new( {
+ ini => {
+ logLevel => 'error',
+- authentication => 'Demo',
++ requireToken => 1,
+ checkStateSecret => 'x',
+ checkState => 1,
++ authentication => 'Combination',
+ userDB => 'Same',
++
++ combination => '[K,Dm] or [Dm]',
++ combModules => {
++ K => {
++ for => 1,
++ type => 'Kerberos',
++ },
++ Dm => {
++ for => 0,
++ type => 'Demo',
++ },
++ },
++ krbKeytab => '/etc/keytab',
++ krbByJs => 1,
+ }
+ }
+ );
diff --git a/debian/patches/series b/debian/patches/series
index a1245fc76..644277be7 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -8,3 +8,4 @@ fix-trusted-domain-wildcard.patch
fix-trusted-domain-regex.patch
fix-xss-on-register-form.patch
dont-display-totp-secret.patch
+CVE-2021-40874.patch
--- End Message ---
