Bug 1074845 (CVE-2014-0132)

Summary: CVE-2014-0132 389-ds: flaw in parsing authzid can lead to privilege escalation
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: jgalipea, jkurik, jrusnack, nhosoi, nkinder, pablo.iranzo, pfrields, rmeggins, security-response-team, ssorce
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-05-12 23:04:55 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1074847, 1074848, 1074850, 1076117, 1076118    
Bug Blocks: 1075158    

Description Vincent Danen 2014-03-11 05:28:36 UTC
A flaw was reported [1] in how the 389 Directory Server handled SASL-based authentication, in particular when the authzid parameter is specified.  A flaw in the SASL mechanism handling allowed a user who could legitimately authenticate to the Directory Server, to use the directory as any other user they wished.  This could allow an unprivileged directory user to effectively elevate privileges to the Directory Manager.  This could allow a user to modify configuration values, as well as read and write any data the directory holds.

A patch to correct this flaw is available in git [2].

[1] https://fedorahosted.org/389/ticket/47739
[2] https://fedorahosted.org/389/changeset/76acff12a86110d4165f94e2cba13ef5c7ebc38a/

Comment 4 Vincent Danen 2014-03-13 15:17:09 UTC
Created 389-ds-base tracking bugs for this issue:

Affects: fedora-all [bug 1076117]
Affects: epel-5 [bug 1076118]

Comment 5 errata-xmlrpc 2014-03-13 19:23:10 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2014:0292 https://rhn.redhat.com/errata/RHSA-2014-0292.html

Comment 6 Vincent Danen 2014-05-12 23:04:55 UTC
This has been corrected in EPEL5 via 389-ds-base-, in Fedora 20 via 389-ds-base- and in Fedora 19 via 389-ds-base-