Bug 1944640 (CVE-2021-3480)

Summary: CVE-2021-3480 slapi-nis: NULL dereference (DoS) with specially crafted Binding DN
Product: [Other] Security Response Reporter: Cedric Buissart <cbuissar>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: abokovoy, jshortt, mkosek, nalin, pmatouse, security-response-team, twoerner
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: slapi-nis 0.56.7 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in slapi-nis. A NULL pointer dereference during the parsing of the Binding DN could allow an unauthenticated attacker to crash the 389-ds-base directory server. The highest threat from this vulnerability is to system availability.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-05-18 20:38:40 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1942937, 1944713, 1947349, 1947350, 1947351, 1949955, 1961157    
Bug Blocks: 1944164, 1944845    

Description Cedric Buissart 2021-03-30 11:49:19 UTC 
The Schema Compatibility plugin for 389-ds-base / Directory Server, slapi-nis, can force 389-ds-base server to segfault over specially crafted Binding DN.

The crash is a NULL dereference, and could be used as a Denial of Service attack.
Comment 10 Eric Christensen 2021-04-08 13:31:39 UTC 
Statement:

This vulnerability affects Directory Server with the Schema Compatibility plugin "slapi-nis". To verify if an instance is configured with Schema Compatibility: 
$ ldapsearch -b 'cn=Schema Compatibility,cn=plugins,cn=config' -s base

Red Hat Identity Management is affected by this flaw.
Comment 17 Cedric Buissart 2021-05-03 15:36:48 UTC 
Mitigation:

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Comment 18 Cedric Buissart 2021-05-17 11:33:38 UTC 
Created slapi-nis tracking bugs for this issue:

Affects: fedora-all [bug 1961157]
Comment 19 Cedric Buissart 2021-05-18 07:33:35 UTC 
Upstream fix:
https://pagure.io/slapi-nis/c/c7417ea2d534712e559b56ed45baa91c5d3d44db?branch=master
Comment 20 errata-xmlrpc 2021-05-18 18:53:53 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:1983 https://access.redhat.com/errata/RHSA-2021:1983
Comment 21 Product Security DevOps Team 2021-05-18 20:38:40 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3480
Comment 22 errata-xmlrpc 2021-05-19 08:41:13 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:2027 https://access.redhat.com/errata/RHSA-2021:2027
Comment 23 errata-xmlrpc 2021-05-19 09:57:12 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:2026 https://access.redhat.com/errata/RHSA-2021:2026
Comment 24 errata-xmlrpc 2021-05-19 10:25:17 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:2032 https://access.redhat.com/errata/RHSA-2021:2032