Bug 1209573 - (CVE-2015-1854) CVE-2015-1854 389-ds-base: access control bypass with modrdn
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
unspecified
All Linux
high Severity high
Assigned To: Red Hat Product Security
Viktor Ashirov
impact=important,public=20150428,repo...
: Security
Depends On: 1212894 1212895 1216203
Blocks: 1209577
Reported: 2015-04-07 12:48 EDT by Vasyl Kaigorodov
Modified: 2015-04-28 14:31 EDT
Doc Type: Bug Fix
Doc Text:
A flaw was found in the way Red Hat Directory Server performed authorization of modrdn operations. An unauthenticated attacker able to issue an ldapmodrdn call to the directory server could use this flaw to perform unauthorized modifications of entries in the directory server.
Last Closed: 2015-04-28 14:31:07 EDT

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:0895 normal SHIPPED_LIVE Important: 389-ds-base security update 2015-04-28 18:17:22 EDT

Description Vasyl Kaigorodov 2015-04-07 12:48:51 EDT
An access control bypass flaw was found in modrdn. In particular, if a user has an rdn like uid=username, then the user can change its own rdn to any value that is a superstring of the current name, bypassing access control.

This issue could be reproduced by the following:

ldapmodrdn -Y GSSAPI -r uid=testuser,cn=users,cn=accounts,dc=test,dc=ipa uid=testuser_extended_without_permission

The above succeeds and renames the user.

No authentication whatsoever is necessary. An anonymous user can completely hose a server (if not worse) by just renaming any entry it pleases.

If ACIs are employed to hide entries and those entries are targeted by
name then it is also possible to reveal those contents by renaming the
entry and falling off the ACI protection.


Acknowledgements:

This issue was discovered by Simo Sorce of Red Hat.
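
As an added example (not part of the original bug report or of the 389-ds-base project), a log review helper for the behaviour described above: it flags successful MODRDN operations made without a bound identity, or whose new RDN value contains the old one. The log lines are constructed and their layout is assumed to follow the 389-ds access log; `suspicious_renames` and `rdn_value` are hypothetical names.

```python
import re

# Constructed sample lines; layout assumed to follow the 389-ds access log.
SAMPLE_LOG = """\
[28/Apr/2015:10:00:01 -0400] conn=7 op=0 BIND dn="" method=128 version=3
[28/Apr/2015:10:00:01 -0400] conn=7 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[28/Apr/2015:10:00:02 -0400] conn=7 op=1 MODRDN dn="uid=testuser,cn=users,cn=accounts,dc=test,dc=ipa" newrdn="uid=testuser_extended_without_permission" newsuperior="(null)"
[28/Apr/2015:10:00:02 -0400] conn=7 op=1 RESULT err=0 tag=109 nentries=0 etime=0
[28/Apr/2015:10:01:00 -0400] conn=8 op=0 BIND dn="uid=jdoe,cn=users,cn=accounts,dc=test,dc=ipa" method=128 version=3
[28/Apr/2015:10:01:00 -0400] conn=8 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=jdoe,cn=users,cn=accounts,dc=test,dc=ipa"
[28/Apr/2015:10:01:05 -0400] conn=8 op=1 MODRDN dn="uid=jdoe,cn=users,cn=accounts,dc=test,dc=ipa" newrdn="uid=jdoe_admin" newsuperior="(null)"
[28/Apr/2015:10:01:05 -0400] conn=8 op=1 RESULT err=0 tag=109 nentries=0 etime=0
[28/Apr/2015:10:02:00 -0400] conn=9 op=0 MODRDN dn="uid=svc,cn=users,cn=accounts,dc=test,dc=ipa" newrdn="uid=svc2" newsuperior="(null)"
[28/Apr/2015:10:02:00 -0400] conn=9 op=0 RESULT err=50 tag=109 nentries=0 etime=0
"""

OP = re.compile(r'conn=(\d+) op=(\d+) (\w+)(.*)')
MODRDN = re.compile(r'dn="([^"]*)" newrdn="([^"]*)"')
BOUND = re.compile(r'\bdn="([^"]*)"')

def rdn_value(rdn):
    # Value of the leading attribute=value pair (escaped commas not handled).
    return rdn.split(",", 1)[0].partition("=")[2].strip().lower()

def suspicious_renames(log_text):
    """Return (conn, bind_dn, old_dn, new_rdn, reasons) per flagged rename."""
    bind_dn, pending, hits = {}, {}, []
    for line in log_text.splitlines():
        m = OP.search(line)
        if not m:
            continue
        conn, op, kind, rest = m.groups()
        if kind == "MODRDN" and (r := MODRDN.search(rest)):
            pending[conn, op] = r.groups()  # wait for the matching RESULT
        elif kind == "RESULT" and "err=0" in rest.split():
            if "tag=97" in rest.split():  # bind response names the bound DN
                bind_dn[conn] = (BOUND.findall(rest) or [""])[0]
            elif (conn, op) in pending:
                old_dn, new_rdn = pending.pop((conn, op))
                who, old, new = bind_dn.get(conn, ""), rdn_value(old_dn), rdn_value(new_rdn)
                reasons = []
                if not who:
                    reasons.append("anonymous")
                if old and old != new and old in new:
                    reasons.append("superstring")
                if reasons:
                    hits.append((conn, who, old_dn, new_rdn, reasons))
    return hits
```

The superstring check is a hunting heuristic and will also match legitimate renames by administrators, so review hits against who was bound on the connection.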
Comment 10 Huzaifa S. Sidhpurwala 2015-04-24 03:52:16 EDT
Statement:

This issue does not affect the version of the 389-ds-base package as shipped with Red Hat Enterprise Linux 6.
Comment 11 Simo Sorce 2015-04-24 14:00:51 EDT
I think Noriko is better suited to answer questions about embargo lifting.
Comment 15 errata-xmlrpc 2015-04-28 14:18:29 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:0895 https://rhn.redhat.com/errata/RHSA-2015-0895.html
Comment 16 Ján Rusnačko 2015-04-28 14:26:50 EDT
Created 389-ds-base tracking bugs for this issue:

Affects: fedora-all [bug 1216203]
