CVE-2016-2403: Unauthorized access on a misconfigured Ldap server when using an empty password

Affected versions

Symfony 2.8.0 to 2.8.5 and 3.0.0 to 3.0.5 versions of the Symfony Security component are affected by this security issue.

The issue has been fixed in Symfony 2.8.6 and 3.0.6.

Description

The bind operation of LDAP, as described in RFC 4513, provides a method which allows for authentication of users. For the Simple Authentication Method a user may use the anonymous authentication mechanism, the unauthenticated authentication mechanism, or the name/password authentication mechanism. The unauthenticated authentication mechanism is used when a client who desires to establish an anonymous authorization state passes a non-zero length distinguished name and a zero length password. Most LDAP servers either can be configured to allow this mechanism or allow it by default.

Web-based applications which perform the simple bind operation with the client's credentials are at risk when an anonymous authorization state is established. This can occur when the web-based application passes a distinguished name and a zero length password to the LDAP server. Thus, misconfiguring a server with simple bind can trick Symfony into thinking the username/password tuple as valid, potentially leading to unauthorized access.

Resolution

The fix implements a check on the provided password, in order to prevent a user from submitting an empty password.

The patch for this issue is available here.

Credits

I would like to thank Matteo Rossi of Technogym SPA for reporting this security issue and Charles Sarrazin of SensioLabs for providing a fix.