453444 – (CVE-2008-2952) CVE-2008-2952 OpenLDAP denial-of-service flaw in ASN.1 decoder

Bug 453444 (CVE-2008-2952) - CVE-2008-2952 OpenLDAP denial-of-service flaw in ASN.1 decoder

Summary: CVE-2008-2952 OpenLDAP denial-of-service flaw in ASN.1 decoder

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2008-2952
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:	http://www.openldap.org/its/index.cgi...
Whiteboard:
Depends On:	453637 453638 453639 453640 453726 453727 453728
Blocks:
TreeView+	depends on / blocked

Reported:	2008-06-30 17:39 UTC by Josh Bressers
Modified:	2019-09-29 12:25 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2008-07-21 10:15:35 UTC
Embargoed:

Attachments	(Terms of Use)
Patch from upstream CVE (1.12 KB, patch) 2008-06-30 17:53 UTC, Josh Bressers	no flags	Details \| Diff
Show Obsolete (1) View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2008:0583	0	normal	SHIPPED_LIVE	Important: openldap security update	2008-07-09 14:52:12 UTC

Description Josh Bressers 2008-06-30 17:39:52 UTC

A DoS flaw was reported to the OpenLDAP BTS:
http://www.openldap.org/its/index.cgi/Software%20Bugs?id=5580;selectid=5580

The bug states:

This vulnerability allows remote attackers to deny services on vulnerable
installations of OpenLDAP. Authentication is not required to exploit this
vulnerability.

The specific flaw exists in the decoding of ASN.1 BER network datagrams. When
the size of a BerElement is specified incorrectly, the application will trigger
an assert(), leading to abnormal program termination.
Tech Details: 	

The code exhibiting the problem is located in the function ber_get_next()
function in "libraries/liblber/io.c" .

The function fails to handle properly BER encoding of an element (tag + length +
content) that contains:

* exactly 4 bytes long "multi-byte tag"
* exactly 4 bytes long "multi-byte size"

The total size of the resulting encoding equals to the size of the BerElement
structure buffer plus one byte. This causes the function returns indicating that
more data are needed, but leaves the read-pointer pointing right at the end of
the buffer, which is not permitted.

Subsequent calls to the function result in an assertion failure:

assert( 0 ); /* ber structure is messed up ?*/

Example Exploitation:

  > slapd -h ldap:// -d511 &
  ...
  > xxd packet
  0000000: ffff ff00 8441 4243 44                   .....ABCD
  > nc localhost 389 < packet

Comment 1 Josh Bressers 2008-06-30 17:53:21 UTC

Created attachment 310609 [details]
Patch from upstream CVE

This patch came from here:
http://www.openldap.org/devel/cvsweb.cgi/libraries/liblber/io.c.diff?r1=1.120&r2=1.121&hideattic=1&sortbydate=0

Comment 2 Josh Bressers 2008-06-30 18:48:49 UTC

The testcase only crashes the Red Hat Enterprise Linux 4 and 5 versions of
openldap.  The 2.1 and 3 versions seem to handle this just fine.

Comment 5 Tomas Hoger 2008-07-02 08:43:41 UTC

Original upstream patch was reported to be broken:

http://www.openwall.com/lists/oss-security/2008/07/02/2

Different patch applied upstream:

http://www.openldap.org/devel/cvsweb.cgi/libraries/liblber/io.c.diff?r1=1.121&r2=1.122&f=h

Comment 6 Fedora Update System 2008-07-03 03:15:29 UTC

openldap-2.3.39-4.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2008-07-03 03:17:16 UTC

openldap-2.4.8-6.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Red Hat Product Security 2008-07-21 10:15:35 UTC

This issue was addressed in:

Red Hat Enterprise Linux:
  http://rhn.redhat.com/errata/RHSA-2008-0583.html

Fedora:
  https://admin.fedoraproject.org/updates/F8/FEDORA-2008-6029
  https://admin.fedoraproject.org/updates/F9/FEDORA-2008-6062

Comment 10 Tomas Hoger 2008-08-15 06:55:32 UTC

ZDI advisory related to this issue:

http://marc.info/?l=full-disclosure&m=121873649307918&w=4

Note You need to log in before you can comment on or make changes to this bug.