Bug 1096368 - (CVE-2018-10850) VUL-0: CVE-2018-10850: 389-ds: race condition on reference counter leads to DoS using persistent search
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
: P3 - Medium : Normal
Assigned To: Security Team bot
https://smash.suse.de/issue/207359/
CVSSv3:RedHat:CVE-2018-10850:5.9:(AV:...
Reported: 2018-06-07 05:44 UTC by Marcus Meissner
Modified: 2020-04-11 22:50 UTC (History)

Found By: Security Response Team
Description Marcus Meissner 2018-06-07 05:44:40 UTC
rh#1588056

The bug is related to incoming connection handling in DS. A connection data structure contains a refcnt. The refcnt accounts for the number of pending requests. When a connection needs to be cleaned up (upon closure, timeout...) the core server waits for refcnt to be 0. It basically waits for all pending requests to complete before cleaning the structure.

The refcnt does not account for a specific LDAP request (persistent search), so if an event occurs on the connection (closure) the core server may reset the structure although a request is still going on.

Anonymous users are allowed to trigger a persistent search, so in theory anyone sending a persistent search and closing the connection hits that bug.
Under normal use, most of the time the problem is not detected. Sometimes there are errors written in the log when an invalid refcnt is found. But depending on the dispatch dynamics of the threads handling connection events, it can crash.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1588056
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-10850
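
A deterministic, single-threaded model of the accounting gap described above, added here as an illustration; it is not part of the bug report and not 389-ds code. All struct and function names are hypothetical, and the "search holds a reference" variant is an assumption about what accounting for the request looks like, not the upstream patch.

```c
/* Added illustration: names are hypothetical, not taken from 389-ds. */
#include <stdbool.h>
#include <stdio.h>

struct conn {
    int refcnt;      /* number of pending requests holding the connection */
    bool closing;    /* closure or timeout has been observed */
    unsigned epoch;  /* bumped each time the structure is reset */
};

static void conn_acquire(struct conn *c) { c->refcnt++; }
static void conn_release(struct conn *c) { c->refcnt--; }

/* Core-server cleanup: reset only when no pending request holds a reference. */
static bool conn_try_cleanup(struct conn *c) {
    if (!c->closing || c->refcnt != 0)
        return false;            /* must wait for pending requests */
    c->epoch++;                  /* structure is reset */
    c->closing = false;
    return true;
}

/*
 * Replays one fixed interleaving: a persistent search starts, the client
 * closes, the core attempts cleanup, then the search touches the connection.
 * Returns true if the search ran against a structure that was already reset.
 */
static bool replay_close_during_psearch(bool search_holds_ref) {
    struct conn c = { 0, false, 1 };
    unsigned seen = c.epoch;          /* epoch the search started with */

    if (search_holds_ref)
        conn_acquire(&c);             /* long-lived request is accounted for */
    c.closing = true;                 /* client closes the connection */
    conn_try_cleanup(&c);             /* core server reacts to the closure */
    bool stale = (c.epoch != seen);   /* search now uses the connection */
    if (search_holds_ref) {
        conn_release(&c);             /* search finishes */
        conn_try_cleanup(&c);         /* cleanup can proceed only now */
    }
    return stale;
}

int main(void) {
    printf("untracked search saw reset conn: %d\n", replay_close_during_psearch(false));
    printf("tracked search saw reset conn:   %d\n", replay_close_during_psearch(true));
    return 0;
}
```

In the real server the two sides run on different threads, so whether the stale access happens depends on scheduling; the model fixes the order to make the outcome reproducible.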
Comment 2 Johannes Segitz 2018-07-25 14:20:19 UTC
assigning to current maintainer, please have a look
Comment 7 Swamp Workflow Management 2019-05-10 19:21:20 UTC
SUSE-SU-2019:1207-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 1076530,1096368,1105606,1106699
CVE References: CVE-2017-15134,CVE-2017-15135,CVE-2018-10850,CVE-2018-10935,CVE-2018-14624
Sources used:
SUSE Linux Enterprise Module for Server Applications 15 (src):    389-ds-1.4.0.3-4.7.52
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    389-ds-1.4.0.3-4.7.52

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Swamp Workflow Management 2019-05-15 19:09:08 UTC
openSUSE-SU-2019:1397-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 1076530,1096368,1105606,1106699
CVE References: CVE-2017-15134,CVE-2017-15135,CVE-2018-10850,CVE-2018-10935,CVE-2018-14624
Sources used:
openSUSE Leap 15.0 (src):    389-ds-1.4.0.3-lp150.3.3.1
Comment 9 Marcus Meissner 2019-05-16 09:39:56 UTC
released
Comment 10 Swamp Workflow Management 2019-07-01 16:17:30 UTC
SUSE-SU-2019:1207-2: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 1076530,1096368,1105606,1106699
CVE References: CVE-2017-15134,CVE-2017-15135,CVE-2018-10850,CVE-2018-10935,CVE-2018-14624
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP1 (src):    389-ds-1.4.0.3-4.7.52
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    389-ds-1.4.0.3-4.7.52

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Swamp Workflow Management 2020-04-11 22:50:18 UTC
This is an autogenerated message for OBS integration:
This bug (1096368) was mentioned in
https://build.opensuse.org/request/show/793266 15.1 / 389-ds