654057 – CVE-2010-4174 RHDS/389: information disclosure in audit logs

Bug 654057 - CVE-2010-4174 RHDS/389: information disclosure in audit logs

Summary: CVE-2010-4174 RHDS/389: information disclosure in audit logs

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	389
Classification:	Retired
Component:	Directory Server
Sub Component:
Version:	1.2.7
Hardware:	All
OS:	Linux
Priority:	high
Severity:	medium
Target Milestone:	---
Assignee:	Nathan Kinder
QA Contact:	Chandrasekar Kannan
Docs Contact:
URL:
Whiteboard:	public=20101112,reported=20100820,sou...
Depends On:
Blocks:	CVE-2010-3282 639035 389_1.2.8
TreeView+	depends on / blocked

Reported:	2010-11-16 18:17 UTC by Vincent Danen
Modified:	2015-01-04 23:44 UTC (History)
CC List:	12 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:	CVE-2010-3282
Environment:
Last Closed:	2012-10-11 17:12:36 UTC
Embargoed:

Attachments	(Terms of Use)
Patch (3.97 KB, patch) 2010-11-29 16:22 UTC, Nathan Kinder	no flags	Details \| Diff
View All

Description Vincent Danen 2010-11-16 18:17:50 UTC

When audit logging is enabled on Red Hat Directory Server and 389 Directory Server, changes to cn=config:nsslapd-rootpw result in the password value being logged in cleartext.  The audit log records an entry similar to the following:

dn: cn=config
changetype: modify
replace: nsslapd-rootpw
nsslapd-rootpw: secret

User passwords, however, are not logged verbatim but in hashed form.

Although the directory server administrator can configure the path and permissions of the audit log, by default it is mode 0600, owned by the directory server user, and is located in the directory server log directory (/var/log/dirsrv/slapd-[hostname]), which is mode 0770 and owned by the directory server user ("nobody", by default)

Comment 5 Nathan Kinder 2010-11-29 16:22:02 UTC

Created attachment 463525 [details]
Patch

Patch reviewed by richm and pushed to master.

Counting objects: 11, done.
Delta compression using up to 2 threads.
Compressing objects: 100% (6/6), done.
Writing objects: 100% (6/6), 1.56 KiB, done.
Total 6 (delta 4), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
   23e2856..d38ae06  master -> master

Comment 6 Amita Sharma 2011-05-20 13:24:34 UTC

1. time: 20110520184940
dn: cn=config
changetype: modify
replace: nsslapd-auditlog-logging-enabled
nsslapd-auditlog-logging-enabled: on
-
replace: modifiersname
modifiersname: cn=directory manager
-
replace: modifytimestamp
modifytimestamp: 20110520131940Z
-

time: 20110520185059
dn: cn=config
changetype: modify
replace: nsslapd-rootpw
nsslapd-rootpw: {SSHA}PATXAhi/wSSlaJABfT3EJFNuZdjfE94/PhF4FA==
-
replace: modifiersname
modifiersname: cn=directory manager
-
replace: modifytimestamp
modifytimestamp: 20110520132059Z

2. [root@testvm scripts]# ls -l /var/log/dirsrv/slapd-testvm/audit
-rw-------. 1 nobody nobody 522 May 20 18:51 /var/log/dirsrv/slapd-testvm/audit

3. [root@testvm scripts]# ls -l /var/log/dirsrv/
total 8
drwx------. 2 nobody nobody 4096 May 20 15:18 admin-serv
drwxrwx---. 2 nobody nobody 4096 May 20 18:52 slapd-testvm

Comment 7 Vincent Danen 2012-10-11 15:52:14 UTC

This issue should be resolved now, yes?  So we can close this bug?

Comment 8 Rich Megginson 2012-10-11 16:09:37 UTC

(In reply to comment #7)
> This issue should be resolved now, yes?  So we can close this bug?

Yes, and yes.

Comment 9 Vincent Danen 2012-10-11 17:12:36 UTC

Fantastic, thanks!

Note You need to log in before you can comment on or make changes to this bug.