Bugzilla (bugzilla.redhat.com) will be under maintenance for infrastructure upgrades and will not be unavailable on July 31st between 12:30 AM - 05:30 AM UTC. We appreciate your understanding and patience. You can follow status.redhat.com for details.
Bug 1488751 (CVE-2017-14159) - CVE-2017-14159 openldap: Privilege escalation via PID file manipulation
Summary: CVE-2017-14159 openldap: Privilege escalation via PID file manipulation
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2017-14159
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1488752
Blocks: 1785205
TreeView+ depends on / blocked
 
Reported: 2017-09-06 07:47 UTC by Andrej Nemec
Modified: 2021-02-17 01:37 UTC (History)
27 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-08 03:24:15 UTC


Attachments (Terms of Use)

Description Andrej Nemec 2017-09-06 07:47:16 UTC
slapd in OpenLDAP 2.4.45 and earlier creates a PID file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for PID file modification before a root script executes a "kill `cat /pathname`" command, as demonstrated by openldap-initscript.

This represents a minor security issue; additional factors are needed to make it exploitable.

References:

http://www.openldap.org/its/index.cgi?findid=8703

Comment 1 Andrej Nemec 2017-09-06 07:47:45 UTC
Created openldap tracking bugs for this issue:

Affects: fedora-all [bug 1488752]

Comment 3 Huzaifa S. Sidhpurwala 2019-12-20 06:01:37 UTC
As per upstream:

"If I understood you correctly, "Additional factors are needed" basically means you have to find a code execution vulnerability in slapd? At that point I think you can do much more interesting things - pretending that your user is uid 0, or in various admin groups are only the first ideas that come to mind."

The above basically implies that this bug can be used only when additional major flaws are found in the slapd binary like the ones caused by heap-based buffer overflows etc. Based on this argument, Red Hat Product Security does not consider this to be a security flaw.

Comment 4 Huzaifa S. Sidhpurwala 2019-12-20 06:01:41 UTC
Statement:

As per upstream this bug can be used only when additional major flaws are found in the slapd binary like the ones caused by heap-based buffer overflows etc. Based on this argument, Red Hat Product Security does not consider this to be a security flaw.


Note You need to log in before you can comment on or make changes to this bug.