Bug 928105 (CVE-2013-1897)
Summary: | CVE-2013-1897 389-ds: unintended information exposure when rootdse is enabled | |
---|---|---|---
Product: | [Other] Security Response | Reporter: | Vincent Danen <vdanen>
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team>
Status: | CLOSED ERRATA | QA Contact: |
Severity: | low | Docs Contact: |
Priority: | low | |
Version: | unspecified | CC: | jgalipea, mkosek, nhosoi, nkinder, rcritten, rmeggins, security-response-team
Target Milestone: | --- | Keywords: | Security
Target Release: | --- | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | | Doc Type: | Bug Fix
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2015-08-21 23:53:50 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Bug Depends On: | 923240, 928156, 928157, 928159, 928160, 928162, 928945, 928948 | |
Bug Blocks: | 928163 | |
Description
Vincent Danen
2013-03-26 22:23:20 UTC
Note that by default, in both 389 Directory Server and FreeIPA, 'nsslapd-anonymous-access' is not set to 'rootdse', and this would require administrative privileges to change.

Steps to mitigate:

Because there is a single anonymous access ACI by default that is stored in the top-level suffix entry, we can verify that it exists and later that it is removed (using the suffix "dc=example,dc=com"):

------------------------------------------------------------------
[root@localhost ~]# ldapsearch -x -D "cn=directory manager" -w [password] -b "dc=example,dc=com" -s base "aci=*" aci
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope baseObject
# filter: aci=*
# requesting: aci
#

# example.com
dn: dc=example,dc=com
aci: (targetattr!="userPassword")(version 3.0; acl "Enable anonymous access"; allow (read, search, compare) userdn="ldap:///anyone";)
aci: (targetattr="carLicense || description || displayName || facsimileTelepho
 neNumber || homePhone || homePostalAddress || initials || jpegPhoto || labele
 dURI || mail || mobile || pager || photo || postOfficeBox || postalAddress ||
  postalCode || preferredDeliveryMethod || preferredLanguage || registeredAddr
 ess || roomNumber || secretary || seeAlso || st || street || telephoneNumber 
 || telexNumber || title || userCertificate || userPassword || userSMIMECertif
 icate || x500UniqueIdentifier")(version 3.0; acl "Enable self write for commo
 n attributes"; allow (write) userdn="ldap:///self";)
aci: (targetattr ="*")(version 3.0;acl "Directory Administrators Group";allow (all) (groupdn = "ldap:///cn=Directory Administrators, dc=example,dc=com");)

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
------------------------------------------------------------------

To remove the anonymous access ACI, you can use ldapmodify as follows:

------------------------------------------------------------------
[root@localhost ~]# ldapmodify -x -D "cn=directory manager" -w [password]
dn: dc=example,dc=com
changetype: modify
delete: aci
aci: (targetattr!="userPassword")(version 3.0; acl "Enable anonymous access"; allow (read, search, compare) userdn="ldap:///anyone";)

modifying entry "dc=example,dc=com"
------------------------------------------------------------------

Searching for the ACIs again should show that the anonymous access ACI is gone. The anonymous data access should be restricted immediately without restarting the Directory Server.

Acknowledgements:

This issue was discovered by Martin Kosek of Red Hat.

This is fixed upstream here:

http://git.fedorahosted.org/cgit/389/ds.git/commit/?h=389-ds-base-1.2.11&id=5a18c828533a670e7143327893f8171a19062286

And noted in the upstream bug tracker here:

https://fedorahosted.org/389/ticket/47308

Created 389-ds-base tracking bugs for this issue

Affects: fedora-all [bug 928945]

Created freeipa tracking bugs for this issue

Affects: fedora-all [bug 928948]

For FreeIPA, the upstream ticket is here:

https://fedorahosted.org/freeipa/ticket/3540

freeipa-3.1.3-4.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.

This issue has been addressed in the following products:

Red Hat Enterprise Linux 6

Via RHSA-2013:0742 https://rhn.redhat.com/errata/RHSA-2013-0742.html

389-ds-base-1.2.11.21-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.

Statement:

(none)
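The verify-and-remove mitigation from the description, as an added audit helper; this is example code, not from the bug report or from the 389-ds project. It unfolds the LDIF that ldapsearch prints, flags every ACI that grants rights to ldap:///anyone, and emits the ldapmodify input that deletes them; SAMPLE_LDIF is a constructed stand-in for real search output, so the script runs offline.

```python
import re
import sys

ANYONE = re.compile(r'userdn\s*=\s*"ldap:///anyone"', re.IGNORECASE)
ACL_NAME = re.compile(r'acl\s+"([^"]*)"', re.IGNORECASE)

# Constructed sample modelled on the ldapsearch output above (leading space = LDIF continuation).
SAMPLE_LDIF = """\
dn: dc=example,dc=com
aci: (targetattr!="userPassword")(version 3.0; acl "Enable anonymous access";
  allow (read, search, compare) userdn="ldap:///anyone";)
aci: (targetattr="carLicense || description")(version 3.0; acl "Enable self
  write for common attributes"; allow (write) userdn="ldap:///self";)
"""

def unfold_ldif(text):
    """Undo LDIF folding (leading space = continuation); drop '#' and blank lines."""
    out = []
    for raw in text.splitlines():
        if raw.startswith("#") or not raw.strip():
            continue
        if raw.startswith(" ") and out:
            out[-1] += raw[1:]
        else:
            out.append(raw)
    return out

def anonymous_grants(text):
    """[(dn, acl name, aci)] for every ACI that allows rights to ldap:///anyone."""
    hits, dn = [], None
    for line in unfold_ldif(text):
        attr, _, value = line.partition(":")
        attr, value = attr.lower(), value.strip()
        if attr == "dn":
            dn = value
        elif attr == "aci" and "allow" in value.lower() and ANYONE.search(value):
            name = ACL_NAME.search(value)
            hits.append((dn, name.group(1) if name else "<unnamed>", value))
    return hits

def removal_ldif(text):
    """ldapmodify input deleting each anonymous ACI; the value must match byte for byte."""
    return "".join(f"dn: {dn}\nchangetype: modify\ndelete: aci\naci: {aci}\n\n"
                   for dn, _, aci in anonymous_grants(text))

if __name__ == "__main__":  # pipe real ldapsearch output in, or run on the sample
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LDIF
    for dn, name, _ in anonymous_grants(data):
        print(f'anonymous grant on {dn}: acl "{name}"')
    print(removal_ldif(data), end="")
```

Piping the ldapsearch from the description into the script and feeding its output to ldapmodify performs the same deletion as the manual session above; rerunning it afterwards should report no grants.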