vulnerability with ldap authentication
Reported by Desaules | April 13th, 2012 @ 08:13 AM | in Rundeck 1.4.3 (closed)
- Issue Type: Bug
- Rundeck version: 1.4.2
Issue: vulnerability using ldap authentication
When a user has connected once with the correct login/pass, anyone can connect to the web GUI using the same login with any password oO and have all the user's power...
Reproduce:
1- Connect to the web GUI as one user on Computer1 with correct credentials
2- Try to connect as the same user with any password on Computer2
3- It will work with any password oO
Comments and changes to this ticket
-
Greg Schueler April 13th, 2012 @ 01:59 PM
- State changed from new to open
- Tag set to authentication, bug, ldap
- Milestone set to Rundeck 1.4.3
- Milestone order changed from 124 to 0
analysis: if "forceBindingLogin" is set to true for the JettyCachingLdapLoginModule login module, then after a user logs in successfully there is a failure to verify the user credentials for the duration of "cacheDurationMillis" for subsequent logins.
security:
This means that while the user information is cached, the credentials are not checked for subsequent logins for that user.
mitigation:
Either set "forceBindingLogin" to false, or disable the caching behavior to prevent this issue.
To disable the cache: In the jaas login module config file for the JettyCachingLdapLoginModule, set the "cacheDurationMillis" to 0.
fix:
the cache needs to use the user credentials to verify login attempts, not just the username.
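Added illustration of the cache-key change described in this analysis (example code, not Rundeck's JettyCachingLdapLoginModule): a simulated LDAP bind, a cache keyed by username alone (the reported behaviour), the same cache keyed by a digest of username+password (the fix), and cacheDurationMillis set to 0 as the disable-cache mitigation. LDAP_USERS, ldap_bind and UserCache are constructed for this example.

```python
import hashlib
import time

# Constructed stand-in for the directory: one account with its real password.
LDAP_USERS = {"alice": "correct-horse"}


def ldap_bind(username, password):
    """Simulated LDAP bind (constructed; a real module would bind to the server)."""
    return LDAP_USERS.get(username) == password


class UserCache:
    """Login cache with a TTL in milliseconds, like cacheDurationMillis."""

    def __init__(self, cache_duration_millis, key_by_credentials):
        self.ttl = cache_duration_millis / 1000.0
        self.key_by_credentials = key_by_credentials
        self.entries = {}  # cache key -> (expires_at, user_info)

    def _key(self, username, password):
        if not self.key_by_credentials:
            # Reported bug: the key ignores the password, so any password
            # presented for a cached user hits the cache and skips the bind.
            return username
        # Fix: key on a digest of user+password, so a wrong password misses
        # the cache and falls through to a real bind.
        return hashlib.sha256(f"{username}\0{password}".encode()).hexdigest()

    def login(self, username, password, now=None):
        """Return user info on success, None on failure. 'now' is in seconds."""
        now = time.time() if now is None else now
        key = self._key(username, password)
        entry = self.entries.get(key)
        if entry is not None and entry[0] > now:
            return entry[1]  # cache hit: no credential check performed here
        if not ldap_bind(username, password):
            return None
        info = {"user": username, "roles": ["admin"]}
        if self.ttl > 0:  # cacheDurationMillis=0 disables caching entirely
            self.entries[key] = (now + self.ttl, info)
        return info
```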
-
Greg Schueler April 13th, 2012 @ 05:55 PM
- State changed from open to needs_verification
(from [0b91204303ffb47adee715961467b4fe85eef9a9]) Use digest of user+password as cache key
[#555 state:needs_verification]
require username+password to be valid before
allowing use of cached user info.
https://github.com/dtolabs/rundeck/commit/0b91204303ffb47adee715961... -
Greg Schueler April 13th, 2012 @ 05:55 PM
(from [35b34140896f761749d06dfd32d12863d77152e9]) Use digest of user+password as cache key
[#555 state:needs_verification]
require username+password to be valid before
allowing use of cached user info.
https://github.com/dtolabs/rundeck/commit/35b34140896f761749d06dfd3... -
Desaules April 16th, 2012 @ 12:44 AM
Ok great! It works with "cacheDurationMillis" (when I try with "forceBindingLogin" it breaks my authorization -_-)
-
Greg Schueler June 21st, 2012 @ 11:08 AM
- State changed from needs_verification to resolved
- Milestone order changed from 35 to 0
(DEPRECATED) Please use github issues for issue tracking at http://github.com/dtolabs/rundeck/issues