Bug 1347760 (CVE-2016-4992)

Summary: CVE-2016-4992 389-ds-base: Information disclosure via repeated use of LDAP ADD operation
Product: [Other] Security Response
Reporter: Adam Mariš <amaris>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: edewata, mreynolds, nhosoi, nkinder, pspacek, rmeggins, vashirov, wibrown
Keywords: Security
Hardware: All
OS: Linux
Doc Text:
An information disclosure flaw was found in 389 Directory Server. A user with no access to objects in a certain LDAP sub-tree could send LDAP ADD operations with a specific object name. The error message returned to the user was different based on whether the target object existed or not.
Last Closed: 2016-11-15 19:56:53 UTC
Bug Depends On: 1347761, 1347763, 1350799, 1358559, 1358560, 1358561
Bug Blocks: 1323912, 1347766

Description Adam Mariš 2016-06-17 14:53:47 UTC
A vulnerability in 389-ds-base was found that allows bypassing the limitations for compare and read operations specified by Access Control Instructions.

Given an LDAP sub-tree with some existing objects and a BIND DN which has no privileges over objects inside the sub-tree, an unprivileged user can send an LDAP ADD operation specifying an object in the (supposedly) inaccessible sub-tree. The returned error message discloses the information when the queried object exists having the specified value. An attacker can use this flaw to guess values of the RDN component by repeating the above process.
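
A defender-side check for the pattern described above, added here as an example and not part of the bug report or of 389-ds-base: it scans a 389 Directory Server access log for a single connection whose ADD operations fail against several distinct DNs under the same parent. The sample log lines, DNs, result codes, threshold and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in the 389-ds access-log layout; not taken from the bug report.
# The err values are illustrative: the detector keys on any non-zero ADD result.
SAMPLE_LOG = '''\
[21/Jun/2016:08:05:02 +0200] conn=7 op=1 ADD dn="cn=alpha,ou=restricted,dc=example,dc=com"
[21/Jun/2016:08:05:02 +0200] conn=7 op=1 RESULT err=50 tag=105 nentries=0 etime=0
[21/Jun/2016:08:05:02 +0200] conn=7 op=2 ADD dn="cn=bravo,ou=restricted,dc=example,dc=com"
[21/Jun/2016:08:05:02 +0200] conn=7 op=2 RESULT err=68 tag=105 nentries=0 etime=0
[21/Jun/2016:08:05:03 +0200] conn=7 op=3 ADD dn="cn=charlie,ou=restricted,dc=example,dc=com"
[21/Jun/2016:08:05:03 +0200] conn=7 op=3 RESULT err=50 tag=105 nentries=0 etime=0
[21/Jun/2016:08:05:04 +0200] conn=9 op=1 ADD dn="uid=newhire,ou=people,dc=example,dc=com"
[21/Jun/2016:08:05:04 +0200] conn=9 op=1 RESULT err=0 tag=105 nentries=0 etime=0
[21/Jun/2016:08:05:09 +0200] conn=9 op=2 ADD dn="uid=newhire,ou=people,dc=example,dc=com"
[21/Jun/2016:08:05:09 +0200] conn=9 op=2 RESULT err=68 tag=105 nentries=0 etime=0
'''

ADD_RE = re.compile(r'conn=(\d+) op=(\d+) ADD dn="([^"]*)"')
RES_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+)')

def parent_dn(dn):
    # Split on the first unescaped comma; enough for log triage, not a full RFC 4514 parser.
    parts = re.split(r'(?<!\\),', dn, maxsplit=1)
    return parts[1].strip().lower() if len(parts) == 2 else ''

def find_add_probing(log_text, threshold=3):
    """Return {(conn, parent DN): [DNs]} where failed ADDs hit >= threshold distinct DNs."""
    pending = {}                # (conn, op) -> DN of an ADD still waiting for its RESULT
    failed = defaultdict(set)   # (conn, parent DN) -> distinct DNs whose ADD failed
    for line in log_text.splitlines():
        m = ADD_RE.search(line)
        if m:
            pending[(m.group(1), m.group(2))] = m.group(3).lower()
            continue
        m = RES_RE.search(line)
        if m and (m.group(1), m.group(2)) in pending:
            dn = pending.pop((m.group(1), m.group(2)))
            if m.group(3) != '0':   # any failure counts, whatever the result code
                failed[(m.group(1), parent_dn(dn))].add(dn)
    return {k: sorted(v) for k, v in failed.items() if len(v) >= threshold}

if __name__ == "__main__":
    for (conn, parent), dns in find_add_probing(SAMPLE_LOG).items():
        print(f"conn={conn} failed ADD on {len(dns)} distinct DNs under {parent}")
```

Counting distinct DNs per parent rather than raw failures keeps a client that retries one legitimate ADD (conn=9 in the sample) from being flagged.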

Comment 1 Adam Mariš 2016-06-17 14:53:58 UTC
Acknowledgments:

Name: Petr Spacek (Red Hat), Martin Basti (Red Hat)

Comment 2 Adam Mariš 2016-06-17 14:54:25 UTC
Created 389-ds-base tracking bugs for this issue:

Affects: fedora-all [bug 1347761]
Affects: epel-5 [bug 1347763]

Comment 6 Noriko Hosoi 2016-06-21 00:23:07 UTC
Created attachment 1170018
git patch file (master) -- solves ADD case

Comment 13 Petr Spacek 2016-06-21 08:05:03 UTC
(In reply to Adam Mariš from comment #1)
> Acknowledgments:
> 
> Name: Petr Spacek (Red Hat)

Hi,

please add Martin Basti (Red Hat) to Acknowledgments, he was working on the code with me and we have spotted the problem together.

Comment 14 Adam Mariš 2016-06-21 08:40:57 UTC
> > Acknowledgments:
> > 
> > Name: Petr Spacek (Red Hat)
> 
> Hi,
> 
> please add Martin Basti (Red Hat) to Acknowledgments, he was working on the
> code with me and we have spotted the problem together.

Done!

---
didn't mean to remove the other needinfo, setting it back

Comment 20 Petr Spacek 2016-07-21 07:31:38 UTC
The description should be extended to BIND operation as well.

Comment 28 errata-xmlrpc 2016-11-03 20:42:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2594 https://rhn.redhat.com/errata/RHSA-2016-2594.html

Comment 30 errata-xmlrpc 2016-11-15 19:37:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2016:2765 https://rhn.redhat.com/errata/RHSA-2016-2765.html