Bug 1654059 - CVE-2019-10224 389-ds-base: using dscreate in verbose mode results in information disclosure [rhel-8]
Summary: CVE-2019-10224 389-ds-base: using dscreate in verbose mode results in informa...
Keywords:
Status: CLOSED ERRATA
Alias: None
Deadline: 2020-05-25
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: 389-ds-base
Version: 8.0
Hardware: Unspecified
OS: Unspecified
medium
low
Target Milestone: rc
: 8.1
Assignee: mreynolds
QA Contact: RHDS QE
URL:
Whiteboard:
: 1656718 (view as bug list)
Depends On:
Blocks: CVE-2019-10224
TreeView+ depends on / blocked
 
Reported: 2018-11-27 23:48 UTC by Viktor Ashirov
Modified: 2019-11-05 21:01 UTC (History)
11 users (show)

Fixed In Version: 389-ds-1.4-8010020190526145819.eb48df33
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-11-05 21:00:18 UTC
Type: Bug
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:3401 None None None 2019-11-05 21:01:32 UTC

Description Viktor Ashirov 2018-11-27 23:48:53 UTC
Description of problem:
When dscreate is executed in verbose mode, it prints Directory Manager's password to stderr. The same happens with dsconf when I change the password.

Version-Release number of selected component (if applicable):
389-ds-base-1.4.0.19-2.

How reproducible:
always

Steps to Reproduce:
1. dscreate -v interactive
2. dsconf -v localhost directory_manager password_change

Actual results:

# dscreate -v interactive
...
DEBUG: cn=config set REPLACE: ('nsslapd-rootpw', 'Directory_Manager_Password')


# dsconf -v localhost directory_manager password_change
...
Enter new directory manager password : 
CONFIRM - Enter new directory manager password : 
DEBUG: cn=config set REPLACE: ('nsslapd-rootpw', 'new_password')

Expected results:
Actual value should not be printed in the debug logs. Python logging module supports filters that should be used to redact sensitive information from the logs

Comment 1 Viktor Ashirov 2018-12-06 13:15:02 UTC
*** Bug 1656718 has been marked as a duplicate of this bug. ***

Comment 6 Cedric Buissart 🐶 2019-05-31 08:58:26 UTC
A change was made (new impact, public date, or CSAw status) to the security issue(s) blocked by this tracker, resulting in a new SLA deadline. This bug must now be resolved by 27-Nov-2019.

Refer to this bug's Description for information about how to resolve this bug.

Comment 7 Cedric Buissart 🐶 2019-05-31 09:46:12 UTC
A change was made (new impact, public date, or CSAw status) to the security issue(s) blocked by this tracker, resulting in a new SLA deadline. This bug must now be resolved by 25-May-2020.

Refer to this bug's Description for information about how to resolve this bug.

Comment 8 Viktor Ashirov 2019-06-28 12:44:31 UTC
Build tested: 389-ds-base-1.4.1.3-2.module+el8.1.0+3395+60a28832.x86_64

I see that the following attributes are correctly replaced during modification: 

 44 # Attributes that should be masked from logging output
 45 SENSITIVE_ATTRS = ['userpassword',
 46                    'nsslapd-rootpw',
 47                    'nsds5replicacredentials',
 48                    'nsmultiplexorcredentials']
 49 


DEBUG: cn=config set REPLACE: ('nsslapd-rootpw', '********')

Lib389 unit tests pass:

[root@server-rhel8 lib389]# py.test-3 -v tests/utils_test.py 
============================================================================ test session starts ============================================================================
platform linux -- Python 3.6.8, pytest-3.4.2, py-1.5.3, pluggy-0.6.0 -- /usr/libexec/platform-python
cachedir: ../.pytest_cache
rootdir: /workspace/ds/src/lib389, inifile:
collected 10 items                                                                                                                                                          

tests/utils_test.py::test_normalizeDN PASSED                                                                                                                          [ 10%]
tests/utils_test.py::test_escapeDNValue PASSED                                                                                                                        [ 20%]
tests/utils_test.py::test_escapeDNFiltValue PASSED                                                                                                                    [ 30%]
tests/utils_test.py::test_isLocalHost PASSED                                                                                                                          [ 40%]
tests/utils_test.py::test_update_newhost_with_fqdn PASSED                                                                                                             [ 50%]
tests/utils_test.py::test_formatInfData PASSED                                                                                                                        [ 60%]
tests/utils_test.py::test_formatInfData_withadmin PASSED                                                                                                              [ 70%]
tests/utils_test.py::test_formatInfData_withconfigserver PASSED                                                                                                       [ 80%]
tests/utils_test.py::test_get_log_data[data0] PASSED                                                                                                                  [ 90%]
tests/utils_test.py::test_get_log_data[data1] PASSED                                                                                                                  [100%]

========================================================================= 10 passed in 0.26 seconds =========================================================================



Marking as VERIFIED.

Comment 11 errata-xmlrpc 2019-11-05 21:00:18 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:3401


Note You need to log in before you can comment on or make changes to this bug.