Bug 929034 - (CVE-2015-1854) VUL-0: CVE-2015-1854: 389-ds, 389-ds-base: access control bypass with modrdn
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Tumbleweed
Component: Security
Version: 201503*
Hardware: Other Other
Priority: P3 - Medium, Severity: Major
Assigned To: Aeneas Jaißle
Reported: 2015-04-29 08:38 UTC by Andreas Stieger
Modified: 2015-10-20 09:26 UTC

Found By: Security Response Team
Description Andreas Stieger 2015-04-29 08:38:01 UTC
Via RH: 

A flaw was found in the way Red Hat Directory Server performed authorization of modrdn operations. An unauthenticated attacker able to issue an ldapmodrdn call to the directory server could use this flaw to perform unauthorized modifications of entries in the directory server.

> An access control bypass flaw was found in modrdn. In particular if a user has
> a rdn like uid=username, then the user can change its own rdn to any value that
> is a superstring of the current name bypassing access control.
> 
> This issue could be reproduced by the following:
> 
> ldapmodrdn -Y GSSAPI -r uid=testuser,cn=users,cn=accounts,dc=test,dc=ipa uid=testuser_extended_without_permission
> 
> The above succeeds and renames the user.
> 
> No authentication whatsoever is necessary. An anonymous user can completely 
> hose a server (if not worse) by just renaming any entry it pleases.
> 
> If ACIs are employed to hide entries and those entries are targeted by
> name then it is also possible to reveal those contents by renaming the
> entry and falling off the ACI protection.


Then on http://directory.fedoraproject.org/docs/389ds/releases/release-1-3-3-10.html

> The 389 Directory Server team is proud to announce 389-ds-base version 1.3.3.10.
> [...]
>     One important security bug was fixed.


The upstream commit is:
https://git.fedorahosted.org/cgit/389/ds.git/commit/?id=19d8b6312f0b654a403c1d13936b3a9e50fe2ce2

Not in a SLE release.
Not in an openSUSE release.
Courtesy bug for maintainers of network:ldap/389-ds which is at 1.3.3.9 (affected).


References:
https://bugzilla.redhat.com/show_bug.cgi?id=1209573
https://rhn.redhat.com/errata/RHSA-2015-0895.html
http://directory.fedoraproject.org/docs/389ds/releases/release-1-3-3-10.html
https://git.fedorahosted.org/cgit/389/ds.git/commit/?id=19d8b6312f0b654a403c1d13936b3a9e50fe2ce2
https://fedorahosted.org/389/ticket/47553
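
A defender's check for the behaviour described in this report, as an added example that is not part of the bug report or of 389-ds: it scans access-log lines for MODRDN operations the server accepted (err=0) either on a connection with no authenticated bind, or where a bound user renamed its own entry to a superstring of its current RDN value (a review candidate, since ACIs may legitimately allow it). The log lines are constructed, and their field layout (conn=/op= pairs, BIND, MODRDN, RESULT err=) is an assumption modelled on the 389-ds access log.

```python
import re
# Constructed sample lines modelled on the 389-ds access log; the field layout is an assumption.
SAMPLE = '''\
[29/Apr/2015:08:00:01 +0000] conn=7 op=0 MODRDN dn="uid=testuser,cn=users,cn=accounts,dc=test,dc=ipa" newrdn="uid=testuser_extended_without_permission" newsuperior="(null)"
[29/Apr/2015:08:00:01 +0000] conn=7 op=0 RESULT err=0 tag=109 nentries=0 etime=0
[29/Apr/2015:08:00:05 +0000] conn=8 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[29/Apr/2015:08:00:05 +0000] conn=8 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[29/Apr/2015:08:00:06 +0000] conn=8 op=1 MODRDN dn="uid=alice,cn=users,cn=accounts,dc=test,dc=ipa" newrdn="uid=alice2" newsuperior="(null)"
[29/Apr/2015:08:00:06 +0000] conn=8 op=1 RESULT err=0 tag=109 nentries=0 etime=0
[29/Apr/2015:08:00:07 +0000] conn=9 op=0 BIND dn="uid=carol,cn=users,cn=accounts,dc=test,dc=ipa" method=128 version=3
[29/Apr/2015:08:00:07 +0000] conn=9 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=carol,cn=users,cn=accounts,dc=test,dc=ipa"
[29/Apr/2015:08:00:08 +0000] conn=9 op=1 MODRDN dn="uid=carol,cn=users,cn=accounts,dc=test,dc=ipa" newrdn="uid=carol_admin" newsuperior="(null)"
[29/Apr/2015:08:00:08 +0000] conn=9 op=1 RESULT err=0 tag=109 nentries=0 etime=0
[29/Apr/2015:08:00:09 +0000] conn=10 op=0 MODRDN dn="uid=bob,cn=users,cn=accounts,dc=test,dc=ipa" newrdn="uid=bob_x" newsuperior="(null)"
[29/Apr/2015:08:00:09 +0000] conn=10 op=0 RESULT err=50 tag=109 nentries=0 etime=0
'''

LINE = re.compile(r'conn=(\d+) op=(-?\d+) (\w+)(.*)')
DN = re.compile(r' dn="([^"]*)"')
MODRDN = re.compile(r' dn="([^"]*)" newrdn="([^"]*)"')
ERR = re.compile(r' err=(-?\d+)')

def rdn_value(dn):
    """Value of the leading RDN ('uid=a,cn=b' -> 'a'); escaped commas are not handled."""
    return dn.split(',', 1)[0].partition('=')[2].strip().lower()

def suspicious_modrdn(log_text):
    """Return (conn, old_dn, newrdn, reason) for each MODRDN that succeeded and needs review."""
    bound, pending, findings = {}, {}, []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        conn, op, kind, rest = m.groups()
        if kind == 'BIND':
            pending[conn, op] = ('BIND', DN.search(rest).group(1))
        elif kind == 'MODRDN':
            pending[conn, op] = ('MODRDN',) + MODRDN.search(rest).groups()
        elif kind == 'RESULT' and (conn, op) in pending:
            req = pending.pop((conn, op))
            ok = ERR.search(rest).group(1) == '0'  # err=0: the server applied the operation
            if ok and req[0] == 'BIND':
                dn = DN.search(rest)  # RESULT carries the authenticated DN (e.g. after SASL)
                bound[conn] = (dn.group(1) if dn else req[1]).lower()
            elif ok and not bound.get(conn):
                findings.append((conn, req[1], req[2], 'anonymous'))
            elif ok and bound[conn] == req[1].lower() and rdn_value(req[1]) in rdn_value(req[2]):
                findings.append((conn, req[1], req[2], 'self-rename'))
    return findings
```

On the sample, the rename by the directory manager (conn=8) and the rejected request (conn=10, err=50) are not reported; only accepted renames on conn=7 and conn=9 are.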
Comment 1 Aeneas Jaißle 2015-04-29 10:47:24 UTC
https://build.opensuse.org/request/show/304681
Comment 2 Swamp Workflow Management 2015-04-29 22:00:15 UTC
bugbot adjusting priority
Comment 3 Jan Engelhardt 2015-04-30 11:55:09 UTC
factory only.