Bug 1024552 (CVE-2013-4485)

Summary: CVE-2013-4485 389-ds-base: DoS due to improper handling of ger attr searches
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: chhudson, ekeck, jgalipea, lkrispen, mreynolds, nhosoi, nkinder, rmeggins, security-response-team, tbordaz
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2020-03-03 11:59:32 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1024977, 1024978, 1024979, 1024980, 1032898, 1032899    
Bug Blocks: 1024971    
Attachments:
Description Flags
0001-server-crash-with-bogus-GER-attribute-list.patch rmeggins: review+

Description Vincent Danen 2013-10-29 22:36:08 UTC
A flaw was found in how 389-ds-base and Red Hat Directory Server handled the checking of access rights on entries using GER (Get Effective Rights), a way to extend directory searches to also display what access rights a user has to a specified entry. When an attribute list is given in the search request, and if there are several attributes whose names contain the '@' character, 389-ds-base and Red Hat Directory Server would crash. An attacker able to contact the server would be able to submit this type of search request with no authentication required.
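
An added example, not part of the bug report or of 389-ds-base: it scans access-log search lines for requests whose attribute list carries several names containing '@', the condition described above. The log line shape, the "attr@objectclass" well-formedness pattern and the threshold of two are assumptions made for the example.

```python
import re

# Assumed shape of an access-log search line; only the conn/op ids and a
# quoted attrs="..." field are used. Lines with an unquoted attrs=ALL are skipped.
SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH .*?attrs="([^"]*)"')

# Assumption: a well-formed GER-style name is "<attr>@<objectclass>", one '@',
# with both sides non-empty.
WELL_FORMED = re.compile(r'^[A-Za-z0-9*;.-]+@[A-Za-z0-9.-]+$')


def classify_attrs(attr_field):
    """Return (names containing '@', how many of those are malformed)."""
    at_names = [a for a in attr_field.split() if "@" in a]
    malformed = [a for a in at_names if not WELL_FORMED.match(a)]
    return len(at_names), len(malformed)


def flag_searches(lines, min_at_names=2):
    """Return one finding per search that requests several '@' names."""
    findings = []
    for line in lines:
        m = SRCH_RE.search(line)
        if not m:
            continue
        total, bad = classify_attrs(m.group(3))
        if total >= min_at_names:
            findings.append({"conn": int(m.group(1)), "op": int(m.group(2)),
                             "at_names": total, "malformed": bad})
    return findings


# Constructed sample lines (not taken from a real server).
SAMPLE_LOG = [
    '[29/Oct/2013:22:40:01 +0000] conn=7 op=0 BIND dn="" method=128 version=3',
    '[29/Oct/2013:22:40:01 +0000] conn=7 op=1 SRCH base="o=npattr" scope=2 '
    'filter="(objectClass=*)" attrs="cn sn mail"',
    '[29/Oct/2013:22:40:02 +0000] conn=8 op=1 SRCH base="o=npattr" scope=2 '
    'filter="(objectClass=*)" attrs="cn@person"',
    '[29/Oct/2013:22:40:03 +0000] conn=9 op=1 SRCH base="o=npattr" scope=2 '
    'filter="(objectClass=*)" attrs="1@1 @1 1@ 1@1@1 2@2 @2 2@ 2@2@2"',
    '[29/Oct/2013:22:40:04 +0000] conn=10 op=1 SRCH base="o=npattr" scope=2 '
    'filter="(objectClass=*)" attrs=ALL',
]

if __name__ == "__main__":
    for finding in flag_searches(SAMPLE_LOG):
        print(finding)
```
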

Comment 1 Rich Megginson 2013-10-29 23:18:11 UTC
Created attachment 817198 [details]
0001-server-crash-with-bogus-GER-attribute-list.patch

Comment 2 Rich Megginson 2013-10-29 23:18:50 UTC
Comment on attachment 817198 [details]
0001-server-crash-with-bogus-GER-attribute-list.patch

Patch against master branch. May take some editing to apply to other branches - 1.2.11, 8.2, etc.

Comment 3 Rich Megginson 2013-10-29 23:20:00 UTC
Added test to ger npattr.sh - no regressions in GER with patch

Comment 4 Rich Megginson 2013-10-29 23:22:06 UTC
Index: npattr.sh
===================================================================
--- npattr.sh	(revision 8190)
+++ npattr.sh	(working copy)
@@ -5,7 +5,7 @@
 NPATTR_BASEDN="o=npattr"
 tet_startup="ServerInfo"
 tet_cleanup=""
-iclist="ic1 ic2 ic3 ic4 ic5 ic6 ic7 ic8 ic9 ic10 ic11 ic12 ic13 ic14 ic15 ic16 ic17 ic18 ic19 ic20 ic21 ic22 ic23 ic24 ic25" 
+iclist="ic1 ic2 ic3 ic4 ic5 ic6 ic7 ic8 ic9 ic10 ic11 ic12 ic13 ic14 ic15 ic16 ic17 ic18 ic19 ic20 ic21 ic22 ic23 ic24 ic25 ic26" 
 
 ic1="tp1"
 ic2="tp2"
@@ -32,6 +32,7 @@
 ic23="tp23"
 ic24="tp24"
 ic25="tp25"
+ic26="bz1024552"
 
 TestSuiteName="ger"
 export TestSuiteName
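Review bot: ic26="bz1024552" departs from the tpN naming that the visible entries follow (ic23="tp23" through ic25="tp25"), so the purpose list no longer maps index to function name by pattern. Either name the function tp26 and keep the bug number in its tchead text, or add a one-line comment above ic26 saying that regression tests are named after their bug id.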
@@ -467,7 +468,26 @@
 restore_default_aci
 }
 
+bz1024552() {
+    tchead "$tet_thistest: crash the server with a well crafted list of GER search attrs"
+    num=128
+    ii=1
+    attrs=""
+    while [ $ii -le $num ] ; do
+        attrs="$attrs ${ii}@${ii} @$ii ${ii}@ ${ii}@${ii}@${ii}"
+        ii=`expr $ii + 1`
+    done
+	if $LDAPSEARCH -h "$LDAPhost" -p $LDAPport -b "$NPATTR_BASEDN" 'objectclass=*' $attrs > /dev/null ; then
+        result PASS
+        return 0
+    else
+        message "ldapsearch failed $?"
+        result FAIL
+        return 1
+    fi
+}
 
+
 ######################################################################
 ######################################################################
 ######################################################################
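Review bot: In bz1024552() the only pass/fail signal is the exit status of the single ldapsearch call, whose output goes to /dev/null, so the test cannot distinguish a server that answered and then went down from one that stayed up; consider a second plain search against "$NPATTR_BASEDN" (or a check of the server process) before `result PASS`. Smaller points in the same function: the `if $LDAPSEARCH ...` line is indented with a tab while the rest of the body uses spaces, `$LDAPport` is unquoted where `"$LDAPhost"` is quoted, and an extra blank line is added ahead of the `####` banner.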

Comment 10 Rich Megginson 2013-10-30 17:40:32 UTC
The problem is when an attribute list is given in the search request, and there are several attributes whose names contain the "@" character.

Comment 15 Rich Megginson 2013-10-30 20:02:18 UTC
Comment on attachment 817198 [details]
0001-server-crash-with-bogus-GER-attribute-list.patch

reviewed by nhosoi (Thanks!)

Comment 18 Huzaifa S. Sidhpurwala 2013-11-21 08:18:18 UTC
Created 389-ds-base tracking bugs for this issue:

Affects: fedora-all [bug 1032898]
Affects: epel-5 [bug 1032899]

Comment 19 errata-xmlrpc 2013-11-22 00:33:40 UTC
This issue has been addressed in following products:

  Red Hat Directory Server 8 for RHEL 5

Via RHSA-2013:1753 https://rhn.redhat.com/errata/RHSA-2013-1753.html

Comment 20 errata-xmlrpc 2013-11-22 00:34:35 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:1752 https://rhn.redhat.com/errata/RHSA-2013-1752.html

Comment 21 Fedora Update System 2013-11-26 04:13:23 UTC
389-ds-base-1.3.2.7-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 22 Fedora Update System 2013-12-03 10:31:43 UTC
389-ds-base-1.3.1.16-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 23 Fedora Update System 2014-01-13 20:07:59 UTC
389-ds-base-1.2.11.25-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 24 Fedora Update System 2014-01-14 08:38:59 UTC
389-ds-base-1.3.0.9-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.