Bug 1099465 - (CVE-2018-10871) VUL-0: CVE-2018-10871: 389-ds: replication and the Retro Changelog plugin store plaintext password by default
(CVE-2018-10871)
VUL-0: CVE-2018-10871: 389-ds: replication and the Retro Changelog plugin sto...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/209058/
CVSSv3:RedHat:CVE-2018-10871:3.8:(AV:...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2018-06-28 08:47 UTC by Marcus Meissner
Modified: 2020-04-11 22:50 UTC (History)
10 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
jmcdonough: needinfo? (william.brown)


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2018-06-28 08:47:55 UTC
By default, when the Replica and/or retroChangeLog plugins are enabled, 389-ds-base stores password in plaintext format in their respective changelog files.

An attacker with sufficiently high privileges, such as root or Directory Manager, can query these files in order to retrieve plaintext passwords.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1591480
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-10871
Comment 9 William Brown 2019-04-16 02:09:54 UTC
It looks like there was a fix, but it had to be reverted as IPA breaks with it.

I want to point out, that the retrochangelog is not a default configuration item, so the risk to this CVE is minimal (unless you have IPA server install, where it requires this feature, but SUSE does not support IPA server).

The work around is:

nsslapd-unhashed-pw-switch: off

https://pagure.io/389-ds-base/issue/49789
Comment 18 Swamp Workflow Management 2019-08-15 19:13:41 UTC
SUSE-SU-2019:2155-1: An update that solves 8 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1083689,1092187,1099465,1105606,1108674,1109609,1120189,1132385,1144797,991201
CVE References: CVE-2016-5416,CVE-2018-1054,CVE-2018-10871,CVE-2018-1089,CVE-2018-10935,CVE-2018-14638,CVE-2018-14648,CVE-2019-3883
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP1 (src):    389-ds-1.4.0.26~git0.8a2d3de6f-4.14.1
SUSE Linux Enterprise Module for Server Applications 15 (src):    389-ds-1.4.0.26~git0.8a2d3de6f-4.14.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    389-ds-1.4.0.26~git0.8a2d3de6f-4.14.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    389-ds-1.4.0.26~git0.8a2d3de6f-4.14.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 19 Marcus Meissner 2019-10-30 09:29:58 UTC
fixed
Comment 20 Swamp Workflow Management 2020-04-11 22:50:22 UTC
This is an autogenerated message for OBS integration:
This bug (1099465) was mentioned in
https://build.opensuse.org/request/show/793266 15.1 / 389-ds