Bug 1212508 (CVE-2023-33201)

Summary: VUL-0: CVE-2023-33201: bouncycastle: potential blind LDAP injection attack using a self-signed certificate
Product: [Novell Products] SUSE Security Incidents Reporter: Cathy Hu <cathy.hu>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Major    
Priority: P3 - Medium CC: fstrba, meissner, pmonrealgonzalez, security-team
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/369722/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-33201:8.1:(AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Cathy Hu 2023-06-19 10:23:32 UTC 
CVE-2023-33201

Issue affecting: BC 1.73 and earlier.

Fixed versions: BC 1.74

Platform affected: Java 4 and later.

Bouncy Castle provides the X509LDAPCertStoreSpi.java class which can be used in conjunction with the CertPath API for validating certificate paths. Pre-1.73 the implementation did not check the X.500 name of any certificate, subject, or issuer being passed in for LDAP wild cards, meaning the presence of a wild car may lead to Information Disclosure.

A potential attack would be to generate a self-signed certificate with a subject name that contains special characters, e.g: CN=Subject*)(objectclass=. This will be included into the filter and provides the attacker ability to specify additional attributes in the search query. This can be exploited as a blind LDAP injection: an attacker can enumerate valid attribute values using the boolean blind injection technique. The exploitation depends on the structure of the target LDAP directory, as well as what kind of errors are exposed to the user.

Changes to the X509LDAPCertStoreSpi.java class add the additional checking of any X.500 name used to correctly escape wild card characters.

https://github.com/bcgit/bc-java/wiki/CVE-2023-33201

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-33201
https://bugzilla.redhat.com/show_bug.cgi?id=2215465
Comment 1 Cathy Hu 2023-06-19 10:24:35 UTC 
Affected:
- SUSE:ALP:Source:Standard:1.0/bouncycastle  1.73
- SUSE:SLE-15-SP2:Update/bouncycastle        1.73
- openSUSE:Factory/bouncycastle              1.73

(please not that the ALP codestream currently needs a regular submission, and not a maintenance submission)
Comment 2 Pedro Monreal Gonzalez 2023-06-20 14:33:02 UTC 
The new bouncycastle update to version 1.74 in Factory now requires a new dependency on unboundid-ldapsdk but its not packaged in Factory. I have tried to package it in here:
  https://build.opensuse.org/package/show/home:pmonrealgonzalez/unboundid-ldapsdk

With this new package, bouncycastle 1.74 builds fine now.

I'm adding Fridrich in CC to have a look at the new package and advise if it needs some modifications. TIA
Comment 3 Pedro Monreal Gonzalez 2023-06-20 17:23:17 UTC 
(In reply to Pedro Monreal Gonzalez from comment #2)
> The new bouncycastle update to version 1.74 in Factory now requires a new
> dependency on unboundid-ldapsdk but its not packaged in Factory. I have
> tried to package it in here:
>  
> https://build.opensuse.org/package/show/home:pmonrealgonzalez/unboundid-
> ldapsdk
> 
> With this new package, bouncycastle 1.74 builds fine now.
> 
> I'm adding Fridrich in CC to have a look at the new package and advise if it
> needs some modifications. TIA

I have just submitted the new unboundid-ldapsdk package to Java:packages here:
  * https://build.opensuse.org/request/show/1094136
Comment 4 Fridrich Strba 2023-06-20 17:37:25 UTC 
(In reply to Pedro Monreal Gonzalez from comment #3)
> I have just submitted the new unboundid-ldapsdk package to Java:packages
> here:
>   * https://build.opensuse.org/request/show/1094136

Now, I was slow in answering because I wanted to be sure about what that new dependency is all about. It is needed only for the bctest artifact that we do not distribute, although we were building it as a by-product. I made a patch in Bouncycastle to not build it and suddenly the dependency is not needed. I will push to the Java:packages the upgrade but without any changelog for the while. It is possible that it will conflict with whatever you have. I promise to fix any problem that could arise.
Comment 5 OBSbugzilla Bot 2023-06-20 19:15:05 UTC 
This is an autogenerated message for OBS integration:
This bug (1212508) was mentioned in
https://build.opensuse.org/request/show/1094156 Factory / bouncycastle
Comment 8 OBSbugzilla Bot 2023-06-21 07:05:02 UTC 
This is an autogenerated message for OBS integration:
This bug (1212508) was mentioned in
https://build.opensuse.org/request/show/1094295 Factory / bouncycastle
Comment 9 Pedro Monreal Gonzalez 2023-06-21 07:19:35 UTC 
Fridrich, many thanks for that!

As Fridrich explained in the new package submission, bouncycastle is in Ring1 so adding new dependencies just for some tests can be problematic.

I have submitted to ALP in here:
  * https://build.suse.de/request/show/301816
Comment 11 Maintenance Automation 2023-07-17 09:37:11 UTC 
SUSE-SU-2023:2843-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1212508
CVE References: CVE-2023-33201
Sources used:
openSUSE Leap 15.4 (src): bouncycastle-1.74-150200.3.21.1
openSUSE Leap 15.5 (src): bouncycastle-1.74-150200.3.21.1
Development Tools Module 15-SP4 (src): bouncycastle-1.74-150200.3.21.1
Development Tools Module 15-SP5 (src): bouncycastle-1.74-150200.3.21.1
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): bouncycastle-1.74-150200.3.21.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): bouncycastle-1.74-150200.3.21.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): bouncycastle-1.74-150200.3.21.1
SUSE Linux Enterprise Real Time 15 SP3 (src): bouncycastle-1.74-150200.3.21.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): bouncycastle-1.74-150200.3.21.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): bouncycastle-1.74-150200.3.21.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): bouncycastle-1.74-150200.3.21.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): bouncycastle-1.74-150200.3.21.1
SUSE Enterprise Storage 7.1 (src): bouncycastle-1.74-150200.3.21.1
SUSE Enterprise Storage 7 (src): bouncycastle-1.74-150200.3.21.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Cathy Hu 2023-09-25 12:25:39 UTC 
done, closing