Bug 1167858 (CVE-2014-8105) - CVE-2014-8105 389-ds-base: information disclosure through 'cn=changelog' subtree
Summary: CVE-2014-8105 389-ds-base: information disclosure through 'cn=changelog' subtree
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2014-8105
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1167877 1167878 1168150 1168151 1180629 1199675
Blocks: 1168154
Reported: 2014-11-25 14:18 UTC by Vasyl Kaigorodov
Modified: 2019-09-29 13:24 UTC
CC List: 11 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
An information disclosure flaw was found in the way the 389 Directory Server stored information in the Changelog that is exposed via the 'cn=changelog' LDAP sub-tree. An unauthenticated user could in certain cases use this flaw to read data from the Changelog, which could include sensitive information such as plain-text passwords.
Clone Of:
Environment:
Last Closed: 2015-03-05 20:10:54 UTC


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:0416 normal SHIPPED_LIVE Important: 389-ds-base security, bug fix, and enhancement update 2015-03-05 14:26:33 UTC
Red Hat Product Errata RHSA-2015:0628 normal SHIPPED_LIVE Important: 389-ds-base security, bug fix, and enhancement update 2015-03-05 18:50:53 UTC

Description Vasyl Kaigorodov 2014-11-25 14:18:13 UTC
Petr Spacek from Red Hat found that FreeIPA versions 4.0+ are affected by an information disclosure bug which allows
an unauthenticated attacker to read all data (including plain-text passwords and
some types of keys) which were stored to the LDAP database in the last two days
prior to the attack.

For example, if a user changed his password on 2014-11-25, then anyone can
retrieve his plain-text password up to 2014-11-27. This bug affects the FreeIPA
installation process too, so the password for the admin user is also available.

Original report below:
...
Products affected
=================
RHEL 7.1 (including High-touch beta)
Fedora 21
Older versions are not affected.

Cause
=====
389 DS implements the RFC 4533 protocol, which internally uses a 'changelog'
mechanism to detect which entries have changed since the last synchronization.
The changelog basically logs all writes to the LDAP database in plain-text. FreeIPA
configures the changelog plug-in to store data for two days.

This changelog is exposed as the LDAP sub-tree 'cn=changelog' and it has the default
Access Control Instruction set to:
(target ="ldap:///cn=changelog")(targetattr != "aci")(version 3.0; acl "changelog base"; allow( read,search, compare ) userdn ="ldap:///anyone";)

According to [1] the 'userdn ="ldap:///anyone"' allows access to
unauthenticated (anonymous) users.

Mitigation
==========
This needs to be consulted with the 389 DS team.

IMHO the best approach would be to eliminate the changelog or significantly limit
the amount of data stored in it.

An alternative/quick&dirty approach would be to tighten the ACI. I have tried to
change "anyone" to "nobody" and it seems that no user is able to read
cn=changelog directly, but the RFC 4533 protocol still seems to work. I have tried
to remove the ACI completely and it yielded the same result - even the "admin"
user was not able to read the changelog.
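
The exposure the report describes can be confirmed from any host that can reach the directory with an unauthenticated simple bind, e.g. `ldapsearch -x -H ldap://<server> -b cn=changelog '(objectclass=*)'`: if change records (entries carrying `targetDn`, `changeType` and `changes`) come back, the server is affected. The script below is an added example and is not code from the bug report, from 389-ds-base or from FreeIPA. It takes the `aci` values of the `cn=changelog` entry (as `ldapsearch -x -b cn=changelog -s base aci` would return them; the two sample values here are constructed, the first being the default ACI quoted in the report), flags any ACI that grants anonymous read rights on the changelog, and emits the LDIF that `ldapmodify` would apply to replace it with one scoped to authenticated binds (`ldap:///all`) or, if a group DN is supplied, to that group. The ACI parser is a simplified regex reading of the 389 DS syntax, sufficient for the default ACI above; the group DN and the `-D "cn=Directory Manager"` bind in the trailing comment are assumptions.

```python
"""Audit the aci values of a 389 DS 'cn=changelog' entry for anonymous read access
and build the ldapmodify LDIF that narrows the offending ACI.

Added example; not code from the bug report, 389-ds-base or FreeIPA. The parser is a
simplified, regex-based reading of the 389 DS ACI syntax (first allow(...) clause and
first userdn bind rule only), which is enough for the default 'changelog base' ACI.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional, Tuple

ANONYMOUS_BIND = "ldap:///anyone"   # 389 DS keyword: everyone, including unauthenticated binds
AUTHENTICATED_BIND = "ldap:///all"  # 389 DS keyword: any authenticated user

# Constructed sample input, as `ldapsearch -x -b cn=changelog -s base aci` might return it.
# The first value is the default ACI quoted in the report; the second is a typical
# suffix-wide anonymous-read ACI that is not scoped to the changelog.
SAMPLE_ACI_VALUES = [
    '(target ="ldap:///cn=changelog")(targetattr != "aci")(version 3.0; acl '
    '"changelog base"; allow( read,search, compare ) userdn ="ldap:///anyone";)',
    '(targetattr != "aci")(version 3.0; acl "Enable anonymous access"; '
    'allow (read, search, compare) userdn = "ldap:///anyone";)',
]

_TARGET = re.compile(r'\(\s*target\s*=\s*"([^"]*)"\s*\)', re.I)  # does not match targetattr
_NAME = re.compile(r'\bacl\s*"([^"]*)"', re.I)
_ALLOW = re.compile(r'\ballow\s*\(([^)]*)\)', re.I)
_USERDN = re.compile(r'\buserdn\s*=\s*"([^"]*)"', re.I)


@dataclass(frozen=True)
class Aci:
    raw: str
    name: str                 # acl "name"
    target: Optional[str]     # (target = "...") if present
    rights: FrozenSet[str]    # rights in the first allow(...) clause, lower-cased
    bind_rule: Optional[str]  # userdn = "..." if present


def parse_aci(raw: str) -> Aci:
    """Extract the fields this audit needs; deny clauses and other bind rules are ignored."""
    target, name, allow, userdn = (rx.search(raw) for rx in (_TARGET, _NAME, _ALLOW, _USERDN))
    rights = frozenset(r.strip().lower() for r in allow.group(1).split(",") if r.strip()) if allow else frozenset()
    return Aci(raw=raw, name=name.group(1) if name else "",
               target=target.group(1) if target else None, rights=rights,
               bind_rule=userdn.group(1).strip() if userdn else None)


def exposes_changelog_anonymously(aci: Aci) -> bool:
    """True when the ACI is scoped to cn=changelog and grants read/search to anonymous binds."""
    on_changelog = aci.target is not None and aci.target.lower().endswith("cn=changelog")
    anonymous = aci.bind_rule is not None and aci.bind_rule.lower() == ANONYMOUS_BIND
    return on_changelog and anonymous and bool(aci.rights & {"read", "search", "all"})


def hardened_aci(aci: Aci, reader_group_dn: Optional[str] = None) -> str:
    """Narrow the userdn bind rule to authenticated users, or to a group (hypothetical DN
    supplied by the caller) holding the accounts that genuinely need to read the changelog."""
    if reader_group_dn:
        replacement = f'groupdn = "ldap:///{reader_group_dn}"'
    else:
        replacement = f'userdn = "{AUTHENTICATED_BIND}"'
    return _USERDN.sub(lambda _m: replacement, aci.raw, count=1)


def fold_ldif_line(line: str, width: int = 76) -> str:
    """Fold a long LDIF line as RFC 2849 allows: continuation lines begin with one space."""
    if len(line) <= width:
        return line
    parts, rest = [line[:width]], line[width:]
    while rest:
        parts.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(parts)


def unfold_ldif(text: str) -> str:
    """Undo fold_ldif_line (what an LDIF reader does before parsing)."""
    return text.replace("\n ", "")


def modify_ldif(entry_dn: str, old_aci: str, new_aci: str) -> str:
    """One LDIF change record that deletes old_aci and adds new_aci on entry_dn."""
    lines = [f"dn: {entry_dn}", "changetype: modify",
             "delete: aci", f"aci: {old_aci}", "-",
             "add: aci", f"aci: {new_aci}", "-"]
    return "\n".join(fold_ldif_line(l) for l in lines) + "\n"


def audit(aci_values: Iterable[str], entry_dn: str = "cn=changelog",
          reader_group_dn: Optional[str] = None) -> Tuple[List[Aci], str]:
    """Return the ACIs that expose the changelog anonymously and the LDIF that fixes them."""
    findings = [a for a in map(parse_aci, aci_values) if exposes_changelog_anonymously(a)]
    ldif = "\n".join(modify_ldif(entry_dn, a.raw, hardened_aci(a, reader_group_dn)) for a in findings)
    return findings, ldif


if __name__ == "__main__":
    found, fix = audit(SAMPLE_ACI_VALUES)
    for a in found:
        print(f'exposed: acl "{a.name}" grants {sorted(a.rights)} on {a.target} to {a.bind_rule}')
    # Apply with (assumed root DN):  ldapmodify -x -H ldap://<server> -D "cn=Directory Manager" -W -f fix.ldif
    print(fix)
```

Tightening the ACI is the interim mitigation the report proposes; the actual fix is the 389-ds-base update shipped in RHSA-2015:0416 and RHSA-2015:0628. Two caveats: re-run the anonymous `ldapsearch` after the change to confirm no change records are returned, and remember that an ACI change does not purge what the changelog already holds, so any password set within the retention window (two days in the FreeIPA configuration described above) while anonymous access was reachable should be treated as exposed and rotated.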

Comment 4 Vasyl Kaigorodov 2014-11-26 13:54:39 UTC
Acknowledgement:

This issue was discovered by Petr Špaček of the Red Hat Identity Management Engineering Team.

Comment 6 errata-xmlrpc 2015-03-05 09:39:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:0416 https://rhn.redhat.com/errata/RHSA-2015-0416.html

Comment 8 errata-xmlrpc 2015-03-05 14:10:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:0628 https://rhn.redhat.com/errata/RHSA-2015-0628.html

Comment 9 Kurt Seifried 2015-03-07 00:11:11 UTC
Created 389-ds-base tracking bugs for this issue:

Affects: fedora-all [bug 1199675]

