Bug 1167858 (CVE-2014-8105)

Summary: CVE-2014-8105 389-ds-base: information disclosure through 'cn=changelog' subtree
Product: [Other] Security Response
Reporter: Vasyl Kaigorodov <vkaigoro>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: gparente, jrusnack, lkrispen, mkosek, mreynolds, nhosoi, nkinder, pspacek, security-response-team, sramling, ssorce
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Doc Text:
An information disclosure flaw was found in the way the 389 Directory Server stored information in the Changelog that is exposed via the 'cn=changelog' LDAP sub-tree. An unauthenticated user could in certain cases use this flaw to read data from the Changelog, which could include sensitive information such as plain-text passwords.
Story Points: ---
Last Closed: 2015-03-05 20:10:54 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1167877, 1167878, 1168150, 1168151, 1180629, 1199675
Bug Blocks: 1168154

Description Vasyl Kaigorodov 2014-11-25 14:18:13 UTC
Petr Spacek from Red Hat found that FreeIPA versions 4.0+ are affected by an information disclosure bug which allows an unauthenticated attacker to read all data (including plain-text passwords and some types of keys) which were stored to the LDAP database in the last two days prior to the attack.

For example, if a user changed his password on 2014-11-25 then anyone can retrieve his plain-text password up to 2014-11-27. This bug affects the FreeIPA installation process too, so the password for the admin user is also available.

Original report below:
...
Products affected
=================
RHEL 7.1 (including High-touch beta)
Fedora 21
Older versions are not affected.

Cause
=====
389 DS implements the RFC 4533 protocol, which internally uses a 'changelog' mechanism to detect which entries were changed since the last synchronization. The changelog basically logs all writes to the LDAP database in plain text. FreeIPA configures the changelog plug-in to store data for two days.

This changelog is exposed as the LDAP sub-tree 'cn=changelog' and it has the default Access Control Instruction set to:
(target ="ldap:///cn=changelog")(targetattr != "aci")(version 3.0; acl
"changelog base"; allow( read,search, compare ) userdn ="ldap:///anyone";)

According to [1], 'userdn ="ldap:///anyone"' allows access to unauthenticated (anonymous) users.

Mitigation
==========
This needs to be consulted with the 389 DS team.

IMHO the best approach would be to eliminate the changelog or significantly limit the amount of data stored in it.

An alternative/quick&dirty approach would be to tighten the ACI. I have tried to change "anyone" to "nobody" and it seems that no user is able to read cn=changelog directly but the RFC 4533 protocol still seems to work. I have tried to remove the ACI completely and it yielded the same result - even the "admin" user was not able to read the changelog.

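As an added configuration check (not part of this bug report and not 389-DS code), the following Python parses ACI strings of the shape quoted in the report and flags any that grant read, search or compare on cn=changelog to ldap:///anyone; the two sample ACIs are constructed from the default ACI above and the "nobody" variant the reporter tried.

```python
import re
from dataclasses import dataclass

# Constructed samples: the default ACI quoted in the report, and the tightened
# variant ("anyone" -> "nobody") the reporter tested as a quick mitigation.
DEFAULT_ACI = ('(target ="ldap:///cn=changelog")(targetattr != "aci")(version 3.0; acl '
               '"changelog base"; allow( read,search, compare ) userdn ="ldap:///anyone";)')
TIGHTENED_ACI = DEFAULT_ACI.replace('ldap:///anyone', 'ldap:///nobody')

# "ldap:///anyone" matches anonymous binds; "ldap:///all" only matches
# authenticated users, so it is not treated as anonymous exposure here.
ANON_BINDS = {'ldap:///anyone'}
DISCLOSING_RIGHTS = {'read', 'search', 'compare'}


@dataclass(frozen=True)
class Aci:
    name: str
    target: str
    kind: str          # "allow" or "deny"
    rights: frozenset  # lower-cased permission keywords
    bind: str          # lower-cased userdn bind rule


def parse_aci(aci):
    """Extract target, acl name, grant kind, rights and userdn from one ACI string."""
    target = re.search(r'\(target\s*=\s*"([^"]*)"\)', aci)
    name = re.search(r'acl\s+"([^"]*)"', aci)
    grant = re.search(r'(allow|deny)\s*\(([^)]*)\)\s*userdn\s*=\s*"([^"]*)"', aci, re.I)
    if not (target and name and grant):
        raise ValueError('unsupported ACI syntax: %r' % aci)
    rights = frozenset(r.strip().lower() for r in grant.group(2).split(',') if r.strip())
    return Aci(name.group(1), target.group(1), grant.group(1).lower(),
               rights, grant.group(3).lower())


def anonymous_changelog_exposure(aci):
    """True when the ACI lets anonymous binds read/search/compare cn=changelog."""
    a = parse_aci(aci)
    return (a.kind == 'allow'
            and 'cn=changelog' in a.target.lower()
            and a.bind in ANON_BINDS
            and bool(a.rights & DISCLOSING_RIGHTS))


if __name__ == '__main__':
    for label, aci in (('default', DEFAULT_ACI), ('tightened', TIGHTENED_ACI)):
        print(label, 'EXPOSED' if anonymous_changelog_exposure(aci) else 'ok')
```

Run it against the aci attribute values read from cn=changelog on an instance to confirm whether the anonymous grant is still present after a fix or a manual ACI change.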
Comment 4 Vasyl Kaigorodov 2014-11-26 13:54:39 UTC
Acknowledgement:

This issue was discovered by Petr Špaček of the Red Hat Identity Management Engineering Team.

Comment 6 errata-xmlrpc 2015-03-05 09:39:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:0416 https://rhn.redhat.com/errata/RHSA-2015-0416.html

Comment 8 errata-xmlrpc 2015-03-05 14:10:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:0628 https://rhn.redhat.com/errata/RHSA-2015-0628.html

Comment 9 Kurt Seifried 2015-03-07 00:11:11 UTC
Created 389-ds-base tracking bugs for this issue:

Affects: fedora-all [bug 1199675]