Bug 454065 (CVE-2008-2930)

Summary: CVE-2008-2930 Directory Server: temporary DoS via crafted pattern searches
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: ckannan, nkinder, rmeggins, ulf.weltman, yzhang
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-12-23 21:12:01 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 448831    
Bug Blocks:    

Description Tomas Hoger 2008-07-04 08:49:51 UTC 
It was discovered that Red Hat Directory Server and Fedora Directory Server is
prone to a temporary denial of service attack (high CPU usage) via crafted LDAP
search patterns.  LDAP search patterns are internally translated to regular
expressions.  If the regular expression is matched against specially crafted
record already stored in the LDAP, it may cause regular expression NFA to
iterate over large amount of states, causing one slapd thread to occupy CPU for
excessive amount of time.

Additionally, due to a current design of the regular expression handling code,
only one slapd thread can execute regular expression NFA code at the time. 
Because of that, during the processing of such CPU intensive search request, all
other search requests using patterns are blocked.

Affected version:
Red Hat Directory Server 7.1 and 8
Fedora Directory Server 1.1.1
Comment 1 Tomas Hoger 2008-07-04 08:56:54 UTC 
Issue can possibly be triggered by anonymous user, assuming certain value to
match regular expression against is already available in the LDAP (hence AC:H):

  2.6/AV:N/AC:H/Au:N/C:N/I:N/A:P

Authenticated LDAP user with write access to the directory can enter value
needed to trigger the problem to the directory:

  4.0/AV:N/AC:L/Au:S/C:N/I:N/A:P
Comment 2 Tomas Hoger 2008-08-08 08:39:07 UTC 
This issue was discovered and reported by Ulf Weltman of Hewlett Packard.
Comment 3 Tomas Hoger 2008-08-27 20:16:30 UTC 
Lifting embargo.
Comment 4 Yi Zhang 2008-08-30 00:59:55 UTC 
bug verified. 

Check for errata : 
http://errata.devel.redhat.com/errata/show/7676

for "how to verify"
Comment 5 Fedora Update System 2008-09-11 16:57:55 UTC 
fedora-ds-base-1.1.2-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2008-09-11 17:04:53 UTC 
fedora-ds-base-1.1.2-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Vincent Danen 2010-12-23 21:12:01 UTC 
This was addressed via:

Red Hat Directory Server 7.1 (for AS v. 3) (RHSA-2008:0596)
Red Hat Directory Server 8.0 (for AS v. 4)  (RHSA-2008:0602)
Red Hat Directory Server 8 (for RHEL 5 Server) (RHSA-2008:0602)
Red Hat IPA 1 for RHEL 5 Server (RHSA-2008:0858)