Introduction
As part of the security audit of the LDAP feature refactoring, Cure53 team, found two issues that have been resolved with v4.1.3. This week-long audit involved several security researchers with a main focus on all the changes related to the implementation of the LDAP integration on the API side and the underlying library that passbolt uses called LdapRecord.
Quotes from the conclusion of the report:
"The resulting impact was considered to be relatively minimal and does not significantly expand the attack surface of Passbolt itself."
"As mentioned previously, LdapRecord is a sound choice for handling LDAP functionalities and its integration into Passbolt can only be deemed a resounding success."
Passbolt aims to provide sufficient flexibility to allow administrators to configure their LDAP connector without the need to modify configuration on file. Both issues relates to the "rogue administrator" risk, e.g. how an administrators could use the functionalities in the passbolt administration user interface workspace to extract information from an LDAP server.
These issues are now mitigated by making sure certain keywords are not allowed in custom filters or field mapping functionalities such as: userPassword, uniqueUserPassword, etc. Moreover, a server administrator is now able to customize such list in passbolt.php to further mitigate this risk.
This mitigation has been implemented as of 4th of August 2023.
You can read more about the security audit by reading the full report.
Passbolt team would like to express a warm thank you to the security researchers from Cure53 and the developers of the LdapRecord team for their valuable contribution to this project.
Vulnerabilities summary
| ID | Project | Issue name | Severity | Status |
|---|---|---|---|---|
| PBL-09-001 | API | LDAP injection via custom group/user filters | Low | Mitigated in v4.1.3 |
| PBL-09-002 | API | Mitigate arbitrary LDAP data exfiltration via fields_mapping | Medium | Mitigated in v4.1.3 |
