touch-packages team mailing list archive
-
touch-packages team
-
Mailing list archive
-
Message #80649
[Bug 1446809] Re: [SRU] denial of service via an LDAP search query (CVE-2012-1164, CVE-2013-4449, CVE-2015-1545)
Marc,
I tested these patches against two scenarios: 1) single node with
default configuration and phpldapadmin, 2) a two nodes scenario, 1 node
configures a relay and translucent proxy and connects to the second one
which has a default configuration. For details of each configuration
please see at the end.
Is there any specific configuration that you would like me to test?.
Best,
SCENARIO 1, this is a single node configuration running a default
configuration and phpldapadmin
#+BEGIN_SRC shell
sudo apt-get install -y slapd ldap-utils
sudo dpkg-reconfigure slapd
# Omit OpenLDAP server configuration? No
# DNS domain? ldap.example.com
# Organization name? example
# Administrator password? ubuntu
# Database backend to use? HDB
# Remove the database when slapd is purged? No
# Move old database? Yes
# Allow LDAPv2 protocol? No
sudo apt-get install -y phpldapadmin
sudo sed -i s/127.0.0.1/10.0.3.196/ /etc/phpldapadmin/config.php
sudo sed -i s/dc=example,dc.com/dc=ldap,dc=example,dc=com/ /etc/phpldapadmin/config.php
sudo service apache2 restart
cat <<EOF > /tmp/foo.ldif
dn: ou=People,dc=ldap,dc=example,dc=com
ou: People
description: All people
objectClass: top
objectClass: organizationalUnit
dn: ou=Group,dc=ldap,dc=example,dc=com
ou: Group
description: All groups
objectClass: top
objectClass: organizationalUnit
dn: uid=user1,ou=People,dc=ldap,dc=example,dc=com
uid: user1
cn: user1
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {CRYPT}Az/RBEIomiu0c
shadowLastChange: 15192
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/users/user1
dn: cn=user1,ou=Group,dc=ldap,dc=example,dc=com
objectClass: posixGroup
objectClass: top
cn: user1
userPassword: {crypt}x
gidNumber: 1001
EOF
ldapadd -x -w ubuntu -D "cn=admin,dc=ldap,dc=example,dc=com" -f /tmp/foo.ldif
ldapsearch -x -w ubuntu -D "cn=admin,dc=ldap,dc=example,dc=com" -b dc=ldap,dc=example,dc=com | tail -n1 | egrep -e '# numEntries: 6$' || echo "ERROR adding ldif"
sensible-browser http://$IP/phpldapadmin
# login and check entries created with phpldapadmin
#+END_SRC
SCENARIO 2: this is a 2 nodes setup, one of the nodes configures a relay and a
translucent proxy.
node 1 config:
#+BEGIN_SRC shell
echo 10.0.3.240 ldap.example.com | sudo tee -a /etc/hosts # IP of node number 2
sudo apt-get install -y slapd ldap-utils
cat <<EOF > /etc/ldap/slapd.conf
pidfile /var/run/slapd.pid
TLSCACertificateFile /etc/ssl/certs/ca-certificates.crt
modulepath /usr/lib/ldap
moduleload back_hdb.la
moduleload back_relay.la
moduleload back_ldap.la
moduleload rwm.la
moduleload translucent.la
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/openldap.schema
access to attrs=userPassword by * auth
access to * by * read
backend hdb
backend relay
database hdb
directory /var/lib/ldap
suffix "dc=foo,dc=example,dc=com"
rootdn "cn=admin,dc=foo,dc=example,dc=com"
rootpw ubuntu
index objectClass eq
database relay
suffix "dc=example,dc=com"
overlay rwm
rwm-suffixmassage "dc=foo,dc=example,dc=com"
overlay translucent
uri ldap://ldap.example.com
EOF
sudo slaptest -f /etc/ldap/slapd.conf -F /etc/ldap/slapd.d
sudo chown -R openldap: /etc/ldap/slapd.d
sudo touch /var/run/slapd.pid
sudo chown openldap: /var/run/slapd.pid
sudo service slapd restart
#+END_SRC
node 2 (ldap.example.com) configuration:
#+BEGIN_SRC shell
sudo apt-get install -y slapd ldap-utils
# Omit OpenLDAP server configuration? No
# DNS domain? example.com
# Organization name? example
# Administrator password? ubuntu
# Database backend to use? HDB
# Remove the database when slapd is purged? No
# Move old database? Yes
# Allow LDAPv2 protocol? No
sudo service slapd restart
cat <<EOF > /tmp/enable-debug
# config
dn: cn=config
changetype: modify
replace:olcLogLevel
olcLogLevel: 7
EOF
ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f /tmp/enable-debug
# create a few records
cat <<EOF > /tmp/foo.ldif
dn: ou=People,dc=example,dc=com
ou: People
description: All people
objectClass: top
objectClass: organizationalUnit
dn: ou=Group,dc=example,dc=com
ou: Group
description: All groups
objectClass: top
objectClass: organizationalUnit
dn: uid=user1,ou=People,dc=example,dc=com
uid: user1
cn: user1
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {CRYPT}Az/RBEIomiu0c
shadowLastChange: 15192
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/users/user1
dn: cn=user1,ou=Group,dc=example,dc=com
objectClass: posixGroup
objectClass: top
cn: user1
userPassword: {crypt}x
gidNumber: 1001
EOF
ldapadd -x -w ubuntu -D "cn=admin,dc=example,dc=com" -f /tmp/foo.ldif
#+END_SRC
Run on node 1 to check the relay is OK
#+BEGIN_SRC shell
ldapsearch -x -w ubuntu -D "cn=admin,dc=foo,dc=example,dc=com" -b dc=example,dc=com | tail -n1 | egrep -e '# numEntries: 6$' || echo "ERROR adding ldif"
#+END_SRC
** Branch linked: lp:~freyes/openldap/lp1446809
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1446809
Title:
[SRU] denial of service via an LDAP search query (CVE-2012-1164,
CVE-2013-4449, CVE-2015-1545)
Status in openldap package in Ubuntu:
Fix Released
Status in openldap source package in Precise:
Triaged
Status in openldap source package in Trusty:
New
Status in openldap source package in Utopic:
New
Status in openldap source package in Vivid:
New
Status in openldap package in Debian:
Fix Released
Bug description:
[Impact]
* CVE-2012-1164:
- slapd in OpenLDAP before 2.4.30 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via an LDAP search query with attrsOnly set to true, which causes empty attributes to be returned.
- Trusty ships 2.4.31 which comes with a fix for this.
* CVE-2013-4449
- The rwm overlay in OpenLDAP 2.4.23, 2.4.36, and earlier does not properly count references, which allows remote attackers to cause a denial of service (slapd crash) by unbinding immediately after a search request, which triggers rwm_conn_destroy to free the session context while it is being used by rwm_op_search.
- This bug affects all the series (precise, trusty, utopic, vivid and wily)
* CVE-2015-1545
- The deref_parseCtrl function in servers/slapd/overlays/deref.c in OpenLDAP 2.4.13 through 2.4.40 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via an empty attribute list in a deref control in a search request.
- This bug affects all the series (precise, trusty, utopic, vivid and wily)
[Regression Potential]
* this set of patches adds validations to avoid segfaults, so no
regression is expected.
[Other Info]
* CVE-2012-1164:
- Upstream bug report http://www.openldap.org/its/index.cgi/Software%2520Bugs?id=7143
- http://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-1164.html
- Patches backported:
- http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=ef2f5263de8802794e528cc2648ecfca369302ae (p1)
- http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=430256fafb85028443d7964a5ab1f4bbf8b2db38 (p2)
- http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=463c1fa25d45e393dc1f1ea235286f79e872fad0 (p3)
* CVE-2013-4449
- Upstream bug report http://www.openldap.org/its/index.cgi/Incoming?id=7723
- Patches backported:
- http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=924389d9dd9dbb6ffe5db6c0fc65ecfe6814a1af
* CVE-2015-1545
- Upstream bug report http://www.openldap.org/its/?findid=8027
- Patches backported:
- http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=7a5a98577a0481d864ca7fe05b9b32274d4d1fb5
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1446809/+subscriptions
References
