Bug 654057 - CVE-2010-4174 RHDS/389: information disclosure in audit logs
Summary: CVE-2010-4174 RHDS/389: information disclosure in audit logs
Status: CLOSED CURRENTRELEASE
Alias: None
Product: 389
Classification: Retired
Component: Directory Server
Version: 1.2.7
Hardware: All
OS: Linux
high
medium
Target Milestone: ---
Assignee: Nathan Kinder
QA Contact: Chandrasekar Kannan
URL:
Whiteboard: public=20101112,reported=20100820,sou...
Keywords: Security
Depends On:
Blocks: CVE-2010-3282 639035 389_1.2.8
TreeView+ depends on / blocked
 
Reported: 2010-11-16 18:17 UTC by Vincent Danen
Modified: 2015-01-04 23:44 UTC (History)
12 users (show)

(edit)
Clone Of: CVE-2010-3282
(edit)
Last Closed: 2012-10-11 17:12:36 UTC


Attachments (Terms of Use)
Patch (3.97 KB, patch)
2010-11-29 16:22 UTC, Nathan Kinder
no flags Details | Diff

Description Vincent Danen 2010-11-16 18:17:50 UTC
When audit logging is enabled on Red Hat Directory Server and 389 Directory Server, changes to cn=config:nsslapd-rootpw result in the password value being logged in cleartext.  The audit log records an entry similar to the following:

dn: cn=config
changetype: modify
replace: nsslapd-rootpw
nsslapd-rootpw: secret

User passwords, however, are not logged verbatim but in hashed form.

Although the directory server administrator can configure the path and permissions of the audit log, by default it is mode 0600, owned by the directory server user, and is located in the directory server log directory (/var/log/dirsrv/slapd-[hostname]), which is mode 0770 and owned by the directory server user ("nobody", by default)

Comment 5 Nathan Kinder 2010-11-29 16:22:02 UTC
Created attachment 463525 [details]
Patch

Patch reviewed by richm and pushed to master.

Counting objects: 11, done.
Delta compression using up to 2 threads.
Compressing objects: 100% (6/6), done.
Writing objects: 100% (6/6), 1.56 KiB, done.
Total 6 (delta 4), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
   23e2856..d38ae06  master -> master

Comment 6 Amita Sharma 2011-05-20 13:24:34 UTC
1. time: 20110520184940
dn: cn=config
changetype: modify
replace: nsslapd-auditlog-logging-enabled
nsslapd-auditlog-logging-enabled: on
-
replace: modifiersname
modifiersname: cn=directory manager
-
replace: modifytimestamp
modifytimestamp: 20110520131940Z
-

time: 20110520185059
dn: cn=config
changetype: modify
replace: nsslapd-rootpw
nsslapd-rootpw: {SSHA}PATXAhi/wSSlaJABfT3EJFNuZdjfE94/PhF4FA==
-
replace: modifiersname
modifiersname: cn=directory manager
-
replace: modifytimestamp
modifytimestamp: 20110520132059Z

2. [root@testvm scripts]# ls -l /var/log/dirsrv/slapd-testvm/audit
-rw-------. 1 nobody nobody 522 May 20 18:51 /var/log/dirsrv/slapd-testvm/audit

3. [root@testvm scripts]# ls -l /var/log/dirsrv/
total 8
drwx------. 2 nobody nobody 4096 May 20 15:18 admin-serv
drwxrwx---. 2 nobody nobody 4096 May 20 18:52 slapd-testvm

Comment 7 Vincent Danen 2012-10-11 15:52:14 UTC
This issue should be resolved now, yes?  So we can close this bug?

Comment 8 Rich Megginson 2012-10-11 16:09:37 UTC
(In reply to comment #7)
> This issue should be resolved now, yes?  So we can close this bug?

Yes, and yes.

Comment 9 Vincent Danen 2012-10-11 17:12:36 UTC
Fantastic, thanks!


Note You need to log in before you can comment on or make changes to this bug.