A flaw was found in the way Red Hat Directory Server performed authorization of modrdn operations. An unauthenticated attacker able to issue an ldapmodrdn call to the directory server could use this flaw to perform unauthorized modifications of entries in the directory server.
An access control bypass flaw was found in modrdn. In particular if a user has a rdn like uid=username, then the user can change its own rdn to any value that is a superstring of the current name bypassing access control.
This issue could be reproduced by the following:
ldapmodrnd -Y GSSAPI -r uid=testuser,cn=users,cn=accounts,dc=test,dc=ipa uid=testuser_extended_without_permission
The above succeeds and renames the user.
No authentication whatsoever is necessary. An anonymous user can completely hose a server (if not worse) by just renaming any entry it pleases.
If ACIs are employed to hide entries and those entries are targeted by
name then it is also possible to reveal those contents by renaming the
entry and falling off the ACI protection.
This issue was discovered by Simo Sorce of Red Hat.
This issue does not affect the version of 389-ds-base package as shipped with Red Hat Enterprise Linux 6.
I think Noriko is better suited to answer questions about embargo lifting.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2015:0895 https://rhn.redhat.com/errata/RHSA-2015-0895.html
Created 389-ds-base tracking bugs for this issue:
Affects: fedora-all [bug 1216203]