Bug 654057

Summary: CVE-2010-4174 RHDS/389: information disclosure in audit logs
Product: [Retired] 389
Component: Directory Server
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: high
Version: 1.2.7
Hardware: All
OS: Linux
Keywords: Security
Reporter: Vincent Danen <vdanen>
Assignee: Nathan Kinder <nkinder>
QA Contact: Chandrasekar Kannan <ckannan>
CC: amsharma, benl, ckannan, dlackey, dpal, jgalipea, kevinu, nkinder, rmeggins, security-response-team, shaines, ulf.weltman
Whiteboard: public=20101112,reported=20100820,source=customer,impact=low,cvss2=2.6/AV:L/AC:H/Au:N/C:P/I:P/A:N,fedora-all/389-ds=affected
Doc Type: Bug Fix
Clone Of: CVE-2010-3282
Last Closed: 2012-10-11 17:12:36 UTC
Bug Blocks: 625950, 639035, 656390

Attachments: Patch (flags: none)

Description Vincent Danen 2010-11-16 18:17:50 UTC
When audit logging is enabled on Red Hat Directory Server and 389 Directory Server, changes to cn=config:nsslapd-rootpw result in the password value being logged in cleartext.  The audit log records an entry similar to the following:

dn: cn=config
changetype: modify
replace: nsslapd-rootpw
nsslapd-rootpw: secret

User passwords, however, are not logged verbatim but in hashed form.

Although the directory server administrator can configure the path and permissions of the audit log, by default it is mode 0600, owned by the directory server user, and is located in the directory server log directory (/var/log/dirsrv/slapd-[hostname]), which is mode 0770 and owned by the directory server user ("nobody", by default).
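
A scanner for the condition described in this report, added here as an illustration; it is not code from the 389 project or from the reporter. It parses the audit-log record layout quoted above (a "time:" header, the dn, the changetype, and attribute blocks separated by "-"), flags any nsslapd-rootpw or userPassword value that is not in the hashed {SCHEME}payload form, and checks the permission bits against the defaults the report states (0600 for the log, 0770 for the log directory). The sample log is constructed for this example; the hashed rootpw value is the one from comment 6, the userPassword hash payload is made up, and the list of hash scheme names is illustrative rather than the server's authoritative list. Findings deliberately omit the offending value so the scanner does not copy a cleartext password into its own output.

```python
"""Scan a 389-ds / RHDS audit log for password values written in cleartext.

Added example, not code from the 389 project or from the bug report.
"""
import base64
import re
import stat
from typing import Dict, List, Tuple

# Attributes whose values must never reach the audit log in cleartext.
PASSWORD_ATTRS = {"nsslapd-rootpw", "userpassword"}

# Scheme names the server may emit. Assumption: illustrative, not exhaustive.
KNOWN_SCHEMES = {"SSHA", "SSHA256", "SSHA512", "SHA", "SHA256", "SHA512",
                 "MD5", "SMD5", "CRYPT", "PBKDF2_SHA256", "PBKDF2-SHA512"}

_SCHEME_RE = re.compile(r"^\{([A-Za-z0-9_-]+)\}(.*)$")


def is_hashed(value: str) -> bool:
    """True when the value carries a known {SCHEME} prefix and a payload.
    A missing prefix, an unknown scheme, {CLEAR}, or an empty payload all
    count as cleartext (assumption: any such value is recoverable)."""
    m = _SCHEME_RE.match(value)
    if not m:
        return False
    scheme, payload = m.group(1).upper(), m.group(2)
    return scheme in KNOWN_SCHEMES and payload != ""


def parse_audit_log(text: str) -> List[Dict]:
    """Split the log into records: {'time','dn','changetype','changes'},
    where changes is a list of (op, attr, value) with attr lower-cased."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec: Dict = {"time": None, "dn": None, "changetype": None, "changes": []}
        pending: Tuple[str, str] = None  # (op, attr) of the open change block
        for line in chunk.splitlines():
            line = line.rstrip()
            if line == "-" or not line:
                pending = None          # "-" closes an attribute change block
                continue
            if ":" not in line:
                continue
            key, _, val = line.partition(":")
            key = key.strip().lower()
            if val.startswith(":"):     # LDIF base64 value ("attr:: ...")
                val = base64.b64decode(val[1:].strip()).decode("utf-8", "replace")
            else:
                val = val.strip()
            if key in ("time", "dn", "changetype"):
                rec[key] = val
            elif key in ("add", "replace", "delete"):
                pending = (key, val.lower())
            elif pending and key == pending[1]:
                rec["changes"].append((pending[0], key, val))
        records.append(rec)
    return records


def find_cleartext_passwords(text: str) -> List[Dict]:
    """One finding per password attribute logged in cleartext. The value is
    intentionally not included, so this tool does not re-disclose it."""
    findings = []
    for rec in parse_audit_log(text):
        for op, attr, value in rec["changes"]:
            if attr in PASSWORD_ATTRS and not is_hashed(value):
                findings.append({"time": rec["time"], "dn": rec["dn"],
                                 "op": op, "attr": attr})
    return findings


def permission_issues(log_mode: int, log_dir_mode: int) -> List[str]:
    """Compare st_mode bits with the report's defaults (log 0600, dir 0770)."""
    issues = []
    if stat.S_IMODE(log_mode) & stat.S_IRWXO:
        issues.append("audit log is accessible to other users")
    if stat.S_IMODE(log_mode) & stat.S_IRWXG:
        issues.append("audit log is accessible to the group (default is 0600)")
    if stat.S_IMODE(log_dir_mode) & stat.S_IRWXO:
        issues.append("log directory is accessible to other users")
    return issues


# Constructed sample: record 1 is what an unpatched server wrote (the report's
# example), record 2 what the patched server writes (comment 6), record 3 a
# hashed user password change with a made-up payload.
SAMPLE_AUDIT_LOG = """\
time: 20101116181750
dn: cn=config
changetype: modify
replace: nsslapd-rootpw
nsslapd-rootpw: secret
-
replace: modifiersname
modifiersname: cn=directory manager
-

time: 20110520185059
dn: cn=config
changetype: modify
replace: nsslapd-rootpw
nsslapd-rootpw: {SSHA}PATXAhi/wSSlaJABfT3EJFNuZdjfE94/PhF4FA==
-

time: 20110520185200
dn: uid=alice,ou=people,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: {SSHA512}dGhpcyBpcyBub3QgYSByZWFsIGhhc2g=
-
"""

if __name__ == "__main__":
    for f in find_cleartext_passwords(SAMPLE_AUDIT_LOG):
        print(f"CLEARTEXT {f['attr']} in {f['dn']} at {f['time']} ({f['op']})")
    for issue in permission_issues(0o644, 0o755):
        print("PERMS", issue)
```

Run against a real instance by reading /var/log/dirsrv/slapd-[hostname]/audit and passing os.stat() modes of the file and its directory to permission_issues(); on a patched server the scanner should report nothing for nsslapd-rootpw changes, as in comment 6.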

Comment 5 Nathan Kinder 2010-11-29 16:22:02 UTC
Created attachment 463525: Patch

Patch reviewed by richm and pushed to master.

Counting objects: 11, done.
Delta compression using up to 2 threads.
Compressing objects: 100% (6/6), done.
Writing objects: 100% (6/6), 1.56 KiB, done.
Total 6 (delta 4), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
   23e2856..d38ae06  master -> master

Comment 6 Amita Sharma 2011-05-20 13:24:34 UTC
1. time: 20110520184940
dn: cn=config
changetype: modify
replace: nsslapd-auditlog-logging-enabled
nsslapd-auditlog-logging-enabled: on
-
replace: modifiersname
modifiersname: cn=directory manager
-
replace: modifytimestamp
modifytimestamp: 20110520131940Z
-

time: 20110520185059
dn: cn=config
changetype: modify
replace: nsslapd-rootpw
nsslapd-rootpw: {SSHA}PATXAhi/wSSlaJABfT3EJFNuZdjfE94/PhF4FA==
-
replace: modifiersname
modifiersname: cn=directory manager
-
replace: modifytimestamp
modifytimestamp: 20110520132059Z

2. [root@testvm scripts]# ls -l /var/log/dirsrv/slapd-testvm/audit
-rw-------. 1 nobody nobody 522 May 20 18:51 /var/log/dirsrv/slapd-testvm/audit

3. [root@testvm scripts]# ls -l /var/log/dirsrv/
total 8
drwx------. 2 nobody nobody 4096 May 20 15:18 admin-serv
drwxrwx---. 2 nobody nobody 4096 May 20 18:52 slapd-testvm

Comment 7 Vincent Danen 2012-10-11 15:52:14 UTC
This issue should be resolved now, yes?  So we can close this bug?

Comment 8 Rich Megginson 2012-10-11 16:09:37 UTC
(In reply to comment #7)
> This issue should be resolved now, yes?  So we can close this bug?

Yes, and yes.

Comment 9 Vincent Danen 2012-10-11 17:12:36 UTC
Fantastic, thanks!