17495 SEC Stop python-ldap from logging clear passwords

cellador · cellador · commit 0ae2fb791b38 · 2025-02-07T13:30:25.000+01:00
We are currently enabling tracing and OPT_DEBUG_LEVEL in python-ldap / the underlying libldap library. This will log all internal method calls and their arguments and send them to stderr. This in turn will show up in our apache error_log. As there is no fool-proof way to only hide sensitive information with the current tools, we completely remove this functionality. For reference, here's short discussion on this topic: python-ldap/python-ldap#384 SUP-22379 Change-Id: I3c5f9eba7cf92526964cc12d1fbdc406603727b2
diff --git a/.werks/17495.md b/.werks/17495.md
@@ -0,0 +1,54 @@
+[//]: # (werk v2)
+# Stop LDAP integration from logging passwords to Apache error_log when LDAP log level is debug
+
+key        | value
+---------- | ---
+date       | 2025-02-06T09:55:28+00:00
+version    | 2.5.0b1
+class      | security
+edition    | cre
+component  | wato
+level      | 1
+compatible | yes
+
+We allow specifying the log level of various checkmk components in the
+global settings. In previous versions, when setting the "LDAP" log level
+to "Debug" under Global Settings > User Interface > Logging while having
+an LDAP integration configured, a trace of each function call to the
+`python-ldap` library would be written to the `var/log/apache/error_log`
+file. These traces might for example include user names and clear
+passwords of each login attempt.
+
+With this werk, we rework the "Debug" log level of our LDAP integration
+and will no longer log these traces to the `var/log/apache/error_log`
+file.
+
+We thank an external contributer for reporting this issue.
+
+*Affected Versions*:
+
+* 2.3.0
+* 2.2.0
+* 2.1.0 (EOL)
+
+*Mitigations*:
+
+If you are unable to apply this update, set the log level of "LDAP" to
+any other value than "Debug" to not be affected by this vulnerability.
+
+*Indicators of Compromise*:
+
+You have been exposed to this vulnerability if the file
+`var/log/apache/error_log` lists any function calls to the `ldap`
+library as follows
+
+```
+    *** <ldap.ldapobject.ReconnectLDAPObject object at {addr}> {ldap_url} - ReconnectLDAPObject.simple_bind, referer: {checkmk_site}/check_mk/login.py
+    (('cn={user_name},ou=benutzer,dc=corp,dc=de', {password}, None, None), {}), referer: {checkmk_site}/check_mk/login.py
+```
+
+*Vulnerability Management:*
+
+We have rated the issue with a CVSS score of 5.6 Medium
+(`CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N`) and
+assigned `CVE-2025-1075`.
diff --git a/cmk/gui/userdb/ldap_connector.py b/cmk/gui/userdb/ldap_connector.py
@@ -31,16 +31,13 @@
 
 import abc
 import copy
-import logging
-import os
 import shutil
-import sys
 import time
 import traceback
 from collections.abc import Callable, Iterator, Mapping, Sequence
 from datetime import datetime
 from pathlib import Path
-from typing import Any, cast, IO, Literal
+from typing import Any, cast, Literal
 
 # docs: http://www.python-ldap.org/doc/html/index.html
 import ldap  # type: ignore[import-untyped]
@@ -304,20 +301,21 @@ def customer_id(self) -> None | str:
     def connect_server(self, server: str) -> tuple[ldap.ldapobject.ReconnectLDAPObject, str | None]:
         """Connects to an LDAP server using the provided server uri"""
         try:
-            # Set up debug logging if enabled
-            if self._logger.isEnabledFor(logging.DEBUG):
-                os.environ["GNUTLS_DEBUG_LEVEL"] = "99"
-                ldap.set_option(ldap.OPT_DEBUG_LEVEL, 4095)
-                trace_level = 2
-                trace_file: IO[str] | None = sys.stderr
-            else:
-                trace_level = 0
-                trace_file = None
+            # We don't want this debugging possibly enabled
+            # in production as it leaks sensitive information.
+            # if self._logger.isEnabledFor(logging.DEBUG):
+            #     os.environ["GNUTLS_DEBUG_LEVEL"] = "99"
+            #     ldap.set_option(ldap.OPT_DEBUG_LEVEL, 4095)
+            #     trace_level = 2
+            #     trace_file: IO[str] | None = sys.stderr
+            # else:
+            #     trace_level = 0
+            #     trace_file = None
 
             # Format the LDAP URI and create the connection object
             uri = self._format_ldap_uri(server)
             conn = ldap.ldapobject.ReconnectLDAPObject(
-                uri, trace_level=trace_level, trace_file=trace_file
+                uri,  # trace_level=trace_level, trace_file=trace_file
             )
             conn.protocol_version = self._config.get("version", 3)
             conn.network_timeout = self._config.get("connect_timeout", 2.0)
diff --git a/tests/unit/cmk/gui/userdb/test_ldap_golden.py b/tests/unit/cmk/gui/userdb/test_ldap_golden.py
@@ -97,7 +97,7 @@ def test_connect(mock_ldap: MagicMock) -> None:
     assert connector._ldap_obj_config == cfg, "Connector sets config for mock"
 
     assert len(mock_ldap.call_args_list) == 2, "Connected to main and failover server"
-    mock_ldap.assert_called_with("ldap://internet", trace_level=0, trace_file=None)  # most recent
+    mock_ldap.assert_called_with("ldap://internet")  # most recent
 
     # assumes "ldap_golden_unknown_password" is not in the password store, hence the 'None'.
     connector._ldap_obj.simple_bind_s.assert_called_with(cfg["bind"][0], None)
@@ -276,4 +276,4 @@ def test_remove_trailing_dot_from_hostname(mock_ldap: MagicMock) -> None:
     connector = LDAPUserConnector(cfg)
     connector.connect()
 
-    mock_ldap.assert_called_with("ldap://lolcathorst", trace_level=0, trace_file=None)
+    mock_ldap.assert_called_with("ldap://lolcathorst")
