CVE-2022-22312

Name

Incorrect size of buffer used to store LDAP-sanitized username leading to Heap Overflow

CVSS score

5.7 (Medium)

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Product name

IBM Security Identity Manager Windows Password Synch Plug-in

Confirmed exploitable versions

10.0.1

Researcher

Krzysztof Andrusiak

Description

Username sent to password filter is sanitized before being added to LDAP query by replacing certain characters with their hexadecimal representation (“\XX”). A buffer is allocated to store the result of this operation, but its size is not enough for “worst-case” scenario, where all the characters have to be sanitized (e.g. username containing only asterisk characters). In such case part of the sanitized username will be written past the end of the buffer, leading to heap overflow and reboot of the domain controller.

Timeline

17-12-2021 - Vulnerability reported to vendor
20-12-2021 - First response from vendor
22-04-2022 - Advisory published by IBM
04-10-2023 - Public disclosure

References

https://www.ibm.com/support/pages/node/6574671
https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2022-22312