From 033c90742e4e4c9ec481f7969a1e731e8d61714c Mon Sep 17 00:00:00 2001
From: Marco Fargetta
Date: Fri, 29 Mar 2024 11:45:19 +0100
Subject: [PATCH] CVE-2023-4727 Fix token authentication bypass vulnerability

Previously the LDAPSecurityDomainSessionTable.sessionExists() and getStringValue() were using user-provided session ID as is in an LDAP filter which could be exploited to bypass token authentication. To fix the problem the code has been modified to escape all special characters in the session ID before using it in the LDAP filter.

Resolves: CVE-2023-4727
---
 .../session/LDAPSecurityDomainSessionTable.java | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/base/server/src/main/java/com/netscape/cmscore/session/LDAPSecurityDomainSessionTable.java b/base/server/src/main/java/com/netscape/cmscore/session/LDAPSecurityDomainSessionTable.java
index 178382360ef..fa03c99dbf0 100644
--- a/base/server/src/main/java/com/netscape/cmscore/session/LDAPSecurityDomainSessionTable.java
+++ b/base/server/src/main/java/com/netscape/cmscore/session/LDAPSecurityDomainSessionTable.java
@@ -31,6 +31,7 @@
 import com.netscape.cmscore.ldapconn.LDAPConfig;
 import com.netscape.cmscore.ldapconn.LdapBoundConnFactory;
 import com.netscape.cmscore.ldapconn.PKISocketConfig;
+import com.netscape.cmsutil.ldap.LDAPUtil;
 
 import netscape.ldap.LDAPAttribute;
 import netscape.ldap.LDAPAttributeSet;
@@ -179,7 +180,11 @@ public boolean sessionExists(String sessionId) throws Exception {
 try {
 String basedn = ldapConfig.getBaseDN();
 String sessionsdn = "ou=sessions,ou=Security Domain," + basedn;
- String filter = "(cn=" + sessionId + ")";
+
+ // CVE-2023-4727
+ // escape session ID in LDAP search filter
+ String filter = "(cn=" + LDAPUtil.escapeFilter(sessionId) + ")";
+
 String[] attrs = { "cn" };
 conn = mLdapConnFactory.getConn();
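Review bot: The escaped filter is assembled by hand in sessionExists() here and again, identically, in getStringValue() in the next hunk, which is the same duplication that allowed the unescaped filter to exist in two places; one private helper such as `private static String sessionFilter(String sessionId) { return "(cn=" + LDAPUtil.escapeFilter(sessionId) + ")"; }` called from both sites would keep them from drifting apart on the next change. Escaping closes the filter-injection path, but if server-issued session IDs come from a fixed alphabet, rejecting any ID outside that alphabet before the lookup would be a cheaper and stronger guard than escaping alone — that needs confirming against the code that generates them. It is also worth checking how `LDAPUtil.escapeFilter` handles a null sessionId, since the previous concatenation tolerated null and callers passing a missing ID may now see a different failure mode. Both methods' bodies continue outside their hunks.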
@@ -262,7 +267,11 @@ private String getStringValue(String sessionId, String attr) throws Exception {
 try {
 String basedn = ldapConfig.getBaseDN();
 String sessionsdn = "ou=sessions,ou=Security Domain," + basedn;
- String filter = "(cn=" + sessionId + ")";
+
+ // CVE-2023-4727
+ // escape session ID in LDAP search filter
+ String filter = "(cn=" + LDAPUtil.escapeFilter(sessionId) + ")";
+
 String[] attrs = { attr };
 conn = mLdapConnFactory.getConn();