Bug 1076530 (CVE-2017-15134)

Summary: VUL-0: CVE-2017-15134 CVE-2017-15135: 389-ds: two flaws
Product: [Novell Products] SUSE Security Incidents Reporter: Marcus Meissner <meissner>
Component: IncidentsAssignee: William Brown <william.brown>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: abergmann, dakechi, william.brown
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard: CVSSv2:NVD:CVE-2017-15134:5.0:(AV:N/AC:L/Au:N/C:N/I:N/A:P) CVSSv2:NVD:CVE-2017-15135:4.3:(AV:N/AC:M/Au:N/C:P/I:N/A:N) CVSSv3:RedHat:CVE-2016-5405:4.6:(AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L) CVSSv3:RedHat:CVE-2017-15134:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) CVSSv3:RedHat:CVE-2017-15135:4.6:(AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L) CVSSv2:NVD:CVE-2016-5405:5.0:(AV:N/AC:L/Au:N/C:P/I:N/A:N) CVSSv2:NVD:CVE-2017-15134:5.0:(AV:N/AC:L/Au:N/C:N/I:N/A:P) CVSSv2:NVD:CVE-2017-15135:4.3:(AV:N/AC:M/Au:N/C:P/I:N/A:N) CVSSv2:RedHat:CVE-2016-5405:2.6:(AV:N/AC:H/Au:N/C:P/I:N/A:N) CVSSv2:SUSE:CVE-2016-5405:2.6:(AV:N/AC:H/Au:N/C:P/I:N/A:N) CVSSv3:NVD:CVE-2016-5405:9.8:(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) CVSSv3:RedHat:CVE-2016-5405:4.6:(AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L) CVSSv3:RedHat:CVE-2016-5405:6.8:(AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N) CVSSv3:RedHat:CVE-2017-15134:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) CVSSv3:RedHat:CVE-2017-15135:4.6:(AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L) CVSSv3:NVD:CVE-2017-15134:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) CVSSv3:NVD:CVE-2017-15135:8.1:(AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Marcus Meissner 2018-01-18 10:04:18 UTC 
embargoed via distros

CRD: 2018-01-22

Hi,

Here is a notification about two vulnerabilities in the 389-ds-base
package (389 Directory Server).

NOTE: We are planning to make these flaws public on 22-January-2018. If
this date changes, we will inform the list.

Patches to fix both these flaws are attached to this email.

I am not subscribed to this list. So please CC me if you have some
questions or comments for me.


CVE-2017-15134
--------------

Remote DoS via search filters in slapi_filter_sprintf in slapd/util.c

A stack buffer overflow flaw was found in the way 389-ds-base handled
certain LDAP search filters. A remote, unauthenticated attacker could
potentially use this flaw to make ns-slapd crash via a specially crafted
LDAP request, thus resulting in denial of service.

CVSSv3: 7.5/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

1. The crash happens at the following line in 389-ds-base-1.3.6.1-21.el7_4.x86_64,

filter_stuff_func (..., slen=32768) at ldap/servers/slapd/util.c:282,
which is memcpy(ctx->attr, val, slen).

The ctx->attr storage resides on the caller's stack frame.

char attr[ATTRSIZE]; // ATTRSIZE => 256

2. Both filter_stuff_func and slapi_filter_sprintf functions are
protected by SSP ON RHEL 7.4.

Overall, this seems like a stack overflow bug which leads to DoS (server
crash).


CVE-2017-15135
--------------

Authentication bypass due to lack of size check in slapi_ct_memcmp
function in ch_malloc.c

It was found that 389-ds-base did not always handle internal hash
comparison operations correctly during the authentication process. A
remote, unauthenticated attacker could potentially use this flaw to
bypass the authentication process under very rare and specific
circumstances.

This flaw was introduced by the CVE-2016-5405 fix.

CVSSv3: 4.6/CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L

Thanks,
Dhiru
Comment 4 Marcus Meissner 2018-01-25 12:06:36 UTC 
is public now.
Comment 9 William Brown 2019-04-16 02:05:33 UTC 
An update to 389-ds source to 1.4.0.22 is recommended to resolve this and many other issues.
Comment 10 Swamp Workflow Management 2019-05-10 19:21:10 UTC 
SUSE-SU-2019:1207-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 1076530,1096368,1105606,1106699
CVE References: CVE-2017-15134,CVE-2017-15135,CVE-2018-10850,CVE-2018-10935,CVE-2018-14624
Sources used:
SUSE Linux Enterprise Module for Server Applications 15 (src):    389-ds-1.4.0.3-4.7.52
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    389-ds-1.4.0.3-4.7.52

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Swamp Workflow Management 2019-05-15 19:09:00 UTC 
openSUSE-SU-2019:1397-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 1076530,1096368,1105606,1106699
CVE References: CVE-2017-15134,CVE-2017-15135,CVE-2018-10850,CVE-2018-10935,CVE-2018-14624
Sources used:
openSUSE Leap 15.0 (src):    389-ds-1.4.0.3-lp150.3.3.1
Comment 12 Marcus Meissner 2019-05-16 09:39:40 UTC 
done
Comment 13 Swamp Workflow Management 2019-07-01 16:17:22 UTC 
SUSE-SU-2019:1207-2: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 1076530,1096368,1105606,1106699
CVE References: CVE-2017-15134,CVE-2017-15135,CVE-2018-10850,CVE-2018-10935,CVE-2018-14624
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP1 (src):    389-ds-1.4.0.3-4.7.52
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    389-ds-1.4.0.3-4.7.52

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Swamp Workflow Management 2020-04-11 22:50:06 UTC 
This is an autogenerated message for OBS integration:
This bug (1076530) was mentioned in
https://build.opensuse.org/request/show/793266 15.1 / 389-ds