Bugzilla – Bug 1076530
VUL-0: CVE-2017-15134 CVE-2017-15135: 389-ds: two flaws
Last modified: 2020-04-11 22:50:06 UTC
embargoed via distros
CRD: 2018-01-22

Hi,

Here is a notification about two vulnerabilities in the 389-ds-base package (389 Directory Server).

NOTE: We are planning to make these flaws public on 22-January-2018. If this date changes, we will inform the list.

Patches to fix both these flaws are attached to this email. I am not subscribed to this list. So please CC me if you have some questions or comments for me.

CVE-2017-15134
--------------

Remote DoS via search filters in slapi_filter_sprintf in slapd/util.c

A stack buffer overflow flaw was found in the way 389-ds-base handled certain LDAP search filters. A remote, unauthenticated attacker could potentially use this flaw to make ns-slapd crash via a specially crafted LDAP request, thus resulting in denial of service.

CVSSv3: 7.5/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

1. The crash happens at the following line in 389-ds-base-1.3.6.1-21.el7_4.x86_64, filter_stuff_func (..., slen=32768) at ldap/servers/slapd/util.c:282, which is memcpy(ctx->attr, val, slen). The ctx->attr storage resides on the caller's stack frame.

    char attr[ATTRSIZE]; // ATTRSIZE => 256

2. Both filter_stuff_func and slapi_filter_sprintf functions are protected by SSP on RHEL 7.4.

Overall, this seems like a stack overflow bug which leads to DoS (server crash).

CVE-2017-15135
--------------

Authentication bypass due to lack of size check in slapi_ct_memcmp function in ch_malloc.c

It was found that 389-ds-base did not always handle internal hash comparison operations correctly during the authentication process. A remote, unauthenticated attacker could potentially use this flaw to bypass the authentication process under very rare and specific circumstances. This flaw was introduced by the CVE-2016-5405 fix.

CVSSv3: 4.6/CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L

Thanks,
Dhiru
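Added example, not part of the original report and not the 389-ds patch: a minimal C sketch of the two missing checks described above, a bounded copy into the fixed 256-byte attr buffer and a constant-time comparison that treats a size mismatch as a mismatch. The names filter_ctx, ctx_set_attr and ct_equal are hypothetical, the inputs are constructed, and rejecting empty inputs is a design assumption of this sketch.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ATTRSIZE 256 /* buffer size quoted in the report */

/* Hypothetical stand-in for the context that owns the fixed attr buffer. */
struct filter_ctx {
    char attr[ATTRSIZE];
    size_t attr_len;
};

/* Bounded form of memcpy(ctx->attr, val, slen): reject any value that does
 * not fit together with its terminating NUL, leaving the buffer untouched.
 * Returns 0 on success, -1 on rejection. */
int ctx_set_attr(struct filter_ctx *ctx, const char *val, size_t slen)
{
    if (ctx == NULL || val == NULL || slen >= sizeof(ctx->attr))
        return -1; /* slen = 32768 from the report ends up here */
    memcpy(ctx->attr, val, slen);
    ctx->attr[slen] = '\0';
    ctx->attr_len = slen;
    return 0;
}

/* Constant-time comparison with the size check done first. Hash lengths are
 * not secret, so returning early on a length mismatch leaks nothing useful.
 * Empty inputs never compare equal. Returns 1 on match, 0 otherwise. */
int ct_equal(const unsigned char *a, size_t alen,
             const unsigned char *b, size_t blen)
{
    unsigned char diff = 0;
    size_t i;
    if (a == NULL || b == NULL || alen == 0 || alen != blen)
        return 0;
    for (i = 0; i < alen; i++)
        diff |= (unsigned char)(a[i] ^ b[i]); /* no data-dependent branch */
    return diff == 0;
}

int main(void)
{
    static char big[32768]; /* constructed oversized value */
    struct filter_ctx ctx = {{0}, 0};
    memset(big, 'A', sizeof big);
    printf("oversized copy: %d\n", ctx_set_attr(&ctx, big, sizeof big));
    printf("prefix vs full: %d\n", ct_equal((const unsigned char *)"abcd", 4,
                                            (const unsigned char *)"abcdef", 6));
    return 0;
}
```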
is public now.
An update to 389-ds source to 1.4.0.22 is recommended to resolve this and many other issues.
SUSE-SU-2019:1207-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 1076530,1096368,1105606,1106699
CVE References: CVE-2017-15134,CVE-2017-15135,CVE-2018-10850,CVE-2018-10935,CVE-2018-14624
Sources used:
SUSE Linux Enterprise Module for Server Applications 15 (src): 389-ds-1.4.0.3-4.7.52
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src): 389-ds-1.4.0.3-4.7.52

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2019:1397-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 1076530,1096368,1105606,1106699
CVE References: CVE-2017-15134,CVE-2017-15135,CVE-2018-10850,CVE-2018-10935,CVE-2018-14624
Sources used:
openSUSE Leap 15.0 (src): 389-ds-1.4.0.3-lp150.3.3.1
done
SUSE-SU-2019:1207-2: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 1076530,1096368,1105606,1106699
CVE References: CVE-2017-15134,CVE-2017-15135,CVE-2018-10850,CVE-2018-10935,CVE-2018-14624
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP1 (src): 389-ds-1.4.0.3-4.7.52
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src): 389-ds-1.4.0.3-4.7.52

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
This is an autogenerated message for OBS integration: This bug (1076530) was mentioned in https://build.opensuse.org/request/show/793266 15.1 / 389-ds