Bug 1488751 (CVE-2017-14159)

Summary: CVE-2017-14159 openldap: Privilege escalation via PID file manipulation
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED WONTFIX
Severity: low
Priority: low
Version: unspecified
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Keywords: Security
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2019-06-08 03:24:15 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Reporter: Andrej Nemec <anemec>
Assignee: Red Hat Product Security <security-response-team>
CC: bmaxwell, cdewolf, chazlett, csutherl, darran.lofthouse, dimitris, dosoudil, gzaronik, jawilson, jclere, jshepherd, jsynacek, lgao, mbabacek, mhonek, mmezynsk, myarboro, pgier, pkis, psakar, pslavice, rmeggins, rnetuka, rsvoboda, twalsh, vtunka, weli
Bug Depends On: 1488752
Bug Blocks: 1785205

Description Andrej Nemec 2017-09-06 07:47:16 UTC
slapd in OpenLDAP 2.4.45 and earlier creates a PID file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for PID file modification before a root script executes a "kill `cat /pathname`" command, as demonstrated by openldap-initscript.

This represents a minor security issue; additional factors are needed to make it exploitable.

References:

http://www.openldap.org/its/index.cgi?findid=8703
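
The attack described above is a trust problem on the root side: the stop script runs `kill` on whatever the pidfile contains, and the pidfile is owned by the unprivileged service account because slapd writes it after dropping privileges. The following is an added illustration, not code from this bug report, from openldap-initscript or from the OpenLDAP project. It puts the vulnerable `kill \`cat\`` pattern beside a stop routine that validates the pidfile (single positive integer, process actually named like the daemon, owned by the expected uid) before signalling. The function names `unsafe_stop`, `read_pidfile`, `pid_matches`, `safe_stop` and `demo` are hypothetical, and the demo stands in harmless `sleep` processes for slapd and for an attacker-chosen victim.

```shell
#!/bin/sh
# Added example (hypothetical helpers, not openldap-initscript).

# The pattern from the report: root signals whatever PID the service
# account wrote. A local user with that account can replace the number
# (or write several numbers) before the script runs.
unsafe_stop() {
    kill `cat "$1"`
}

# Accept the pidfile only if its first line is a single positive integer.
# Rejects an empty file, "-1", "12 34 56", text, and similar tampering.
read_pidfile() {
    pid=$(head -n 1 "$1" 2>/dev/null) || return 1
    case $pid in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '%s\n' "$pid"
}

# Succeed only if process $1 exists, runs an executable whose basename is
# $2 and is owned by numeric uid $3. `ps -o uid= -o comm=` is supported by
# procps and BSD ps; comm is reduced to a basename because some ps
# variants print a full path.
pid_matches() {
    pid=$1 want_comm=$2 want_uid=$3
    out=$(ps -o uid= -o comm= -p "$pid" 2>/dev/null) || return 1
    set -- $out
    [ "$#" -ge 2 ] || return 1
    got_uid=$1 got_comm=${2##*/}
    [ "$got_uid" = "$want_uid" ] && [ "$got_comm" = "$want_comm" ]
}

# Validated replacement for unsafe_stop: refuse instead of killing a
# process that is not the expected daemon running as the expected user.
# This narrows the window rather than closing it (the PID could be reused
# between the check and the kill); the durable fix is for the daemon to
# create a root-owned pidfile, in a directory the service account cannot
# write to, before it drops privileges.
safe_stop() {
    pidfile=$1 want_comm=$2 want_uid=$3
    pid=$(read_pidfile "$pidfile") || {
        echo "refusing: $pidfile does not hold a single PID" >&2; return 2; }
    pid_matches "$pid" "$want_comm" "$want_uid" || {
        echo "refusing: PID $pid is not $want_comm running as uid $want_uid" >&2
        return 3; }
    kill "$pid"
}

# Constructed scenario: the service account points the pidfile at a
# process it could not otherwise signal (a sleep stands in for the victim).
demo() {
    tmp=$(mktemp -d)
    sleep 300 & victim=$!
    echo "$victim" > "$tmp/slapd.pid"
    if safe_stop "$tmp/slapd.pid" slapd "$(id -u)"; then
        echo "BUG: killed $victim"
    else
        echo "ok: refused to kill $victim on behalf of a tampered pidfile"
    fi
    kill "$victim"
    rm -rf "$tmp"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run the script with the argument `demo` to see the refusal; in a real initscript the expected uid would be the service account (for slapd, the `ldap` user on Red Hat systems) and the expected command name `slapd`. The check is deliberately strict: anything that is not one decimal PID is treated as tampering, since a legitimate daemon never writes anything else.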

Comment 1 Andrej Nemec 2017-09-06 07:47:45 UTC
Created openldap tracking bugs for this issue:

Affects: fedora-all [bug 1488752]

Comment 3 Huzaifa S. Sidhpurwala 2019-12-20 06:01:37 UTC
As per upstream:

"If I understood you correctly, "Additional factors are needed" basically means you have to find a code execution vulnerability in slapd? At that point I think you can do much more interesting things - pretending that your user is uid 0, or in various admin groups are only the first ideas that come to mind."

The above basically implies that this bug can be used only when additional major flaws are found in the slapd binary like the ones caused by heap-based buffer overflows etc. Based on this argument, Red Hat Product Security does not consider this to be a security flaw.

Comment 4 Huzaifa S. Sidhpurwala 2019-12-20 06:01:41 UTC
Statement:

As per upstream this bug can be used only when additional major flaws are found in the slapd binary like the ones caused by heap-based buffer overflows etc. Based on this argument, Red Hat Product Security does not consider this to be a security flaw.