[SRU] denial of service via an LDAP search query (CVE-2012-1164, CVE-2013-4449, CVE-2015-1545)

Bug #1446809 reported by Felipe Reyes on 2015-04-21
Affects / Status / Importance / Assigned to:
 - openldap (Debian): status Fix Released, importance Unknown
 - openldap (Ubuntu): importance High, assigned to Felipe Reyes
 - Precise: importance High, assigned to Felipe Reyes
 - Trusty: importance Undecided, assigned to Felipe Reyes
 - Utopic: importance Undecided, assigned to Felipe Reyes
 - Vivid: importance Undecided, assigned to Felipe Reyes

Bug Description

[Impact]

* CVE-2012-1164:
  - slapd in OpenLDAP before 2.4.30 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via an LDAP search query with attrsOnly set to true, which causes empty attributes to be returned.
  - Trusty ships 2.4.31 which comes with a fix for this.

* CVE-2013-4449
  - The rwm overlay in OpenLDAP 2.4.23, 2.4.36, and earlier does not properly count references, which allows remote attackers to cause a denial of service (slapd crash) by unbinding immediately after a search request, which triggers rwm_conn_destroy to free the session context while it is being used by rwm_op_search.
  - This bug affects all the series (precise, trusty, utopic, vivid and wily)

* CVE-2015-1545
  - The deref_parseCtrl function in servers/slapd/overlays/deref.c in OpenLDAP 2.4.13 through 2.4.40 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via an empty attribute list in a deref control in a search request.
  - This bug affects all the series (precise, trusty, utopic, vivid and wily)

[Regression Potential]

* This set of patches adds validations to avoid segfaults, so no regression is expected.

[Other Info]

* CVE-2012-1164:
  - Upstream bug report http://www.openldap.org/its/index.cgi/Software%2520Bugs?id=7143
  - http://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-1164.html
  - Patches backported:
    - http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=ef2f5263de8802794e528cc2648ecfca369302ae (p1)
    - http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=430256fafb85028443d7964a5ab1f4bbf8b2db38 (p2)
    - http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=463c1fa25d45e393dc1f1ea235286f79e872fad0 (p3)

* CVE-2013-4449
  - Upstream bug report http://www.openldap.org/its/index.cgi/Incoming?id=7723
  - Patches backported:
    - http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=924389d9dd9dbb6ffe5db6c0fc65ecfe6814a1af

* CVE-2015-1545
  - Upstream bug report http://www.openldap.org/its/?findid=8027
  - Patches backported:
    - http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=7a5a98577a0481d864ca7fe05b9b32274d4d1fb5

Tags: cts
Felipe Reyes (freyes) on 2015-04-21
Changed in openldap (Ubuntu):
assignee: nobody → Felipe Reyes (freyes)
Changed in openldap (Debian):
status: Unknown → Fix Released
Felipe Reyes (freyes) on 2015-05-06
description: updated
Felipe Reyes (freyes) on 2015-05-06
summary: - denial of service via an LDAP search query with attrsOnly set to true
- (CVE-2012-1164)
+ [SRU] denial of service via an LDAP search query with attrsOnly set to
+ true (CVE-2012-1164)
Felipe Reyes (freyes) on 2015-05-06
description: updated

The attachment "lp1446809_precise.debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Felipe Reyes (freyes) on 2015-05-06
tags: removed: patch
Sebastien Bacher (seb128) wrote :

Thanks, that seems fixed in the current series, so closing that part and accepting for precise. Since the issue has a CVE, replacing the sponsors by the security-team sponsors.

Changed in openldap (Ubuntu):
status: New → Fix Released
importance: Undecided → High
Changed in openldap (Ubuntu Precise):
status: New → Triaged
importance: Undecided → High
Felipe Reyes (freyes) wrote :

Here I'm attaching a new version of the patch for precise that includes fixes for CVE-2012-1164, CVE-2013-4449 and CVE-2015-1545.

Still pending: patches to fix CVE-2013-4449 and CVE-2015-1545 in trusty, utopic, vivid and wily.

description: updated
Felipe Reyes (freyes) wrote :

Patch for trusty to fix CVE-2013-4449 and CVE-2015-1545

Felipe Reyes (freyes) wrote :

Patch for utopic to fix CVE-2013-4449 and CVE-2015-1545

Felipe Reyes (freyes) wrote :

Patch for vivid to fix CVE-2013-4449 and CVE-2015-1545

Hello,

On Tue, May 19, 2015 at 07:25:06PM -0000, Felipe Reyes wrote:
>Here I'm attaching a new version of the patch for precise that includes
>fixes for CVE-2012-1164, CVE-2013-4449 and CVE-2015-1545

The precise debdiff adds d/p/0001-ITS-7723-fix-reference-counting.patch
which is the same as CVE-2013-4449.patch but not used in d/p/series.

Thanks for working on these fixes.

Felipe Reyes (freyes) on 2015-05-19
summary: - [SRU] denial of service via an LDAP search query with attrsOnly set to
- true (CVE-2012-1164)
+ [SRU] denial of service via an LDAP search query (CVE-2012-1164,
+ CVE-2013-4449, CVE-2015-1545)
Felipe Reyes (freyes) wrote :

On Tue, 19 May 2015 19:56:07 -0000
Ryan Tandy <email address hidden> wrote:

> The precise debdiff adds
> d/p/0001-ITS-7723-fix-reference-counting.patch which is the same as
> CVE-2013-4449.patch but not used in d/p/series.
Right, my bad, a leftover of an import I dismissed. Do you want me to
reupload the patch?

Best,

--
Felipe Reyes
Software Sustaining Engineer @ Canonical
STS Engineering Team
# Email: <email address hidden> (GPG:0x9B1FFF39)
# Phone: +56 9 7640 7887
# Launchpad: ~freyes | IRC: freyes

Marc Deslauriers (mdeslaur) wrote :

ACK on the debdiffs, I've uploaded them for building. (I removed the extra patch, and changed the pocket to -security).

What testing did you perform on these?

Felipe Reyes (freyes) wrote :

Marc,

I tested these patches against two scenarios: 1) a single node with a default configuration and phpldapadmin, 2) a two-node scenario, where one node configures a relay and a translucent proxy and connects to the second one, which has a default configuration. For the details of each configuration, please see the end of this comment.

Is there any specific configuration that you would like me to test?

Best,

SCENARIO 1: a single node running a default configuration and phpldapadmin

#+BEGIN_SRC shell
sudo apt-get install -y slapd ldap-utils
sudo dpkg-reconfigure slapd
# Omit OpenLDAP server configuration? No
# DNS domain? ldap.example.com
# Organization name? example
# Administrator password? ubuntu
# Database backend to use? HDB
# Remove the database when slapd is purged? No
# Move old database? Yes
# Allow LDAPv2 protocol? No
sudo apt-get install -y phpldapadmin
sudo sed -i s/127.0.0.1/10.0.3.196/ /etc/phpldapadmin/config.php
sudo sed -i s/dc=example,dc.com/dc=ldap,dc=example,dc=com/ /etc/phpldapadmin/config.php
sudo service apache2 restart
cat <<EOF > /tmp/foo.ldif
dn: ou=People,dc=ldap,dc=example,dc=com
ou: People
description: All people
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=ldap,dc=example,dc=com
ou: Group
description: All groups
objectClass: top
objectClass: organizationalUnit

dn: uid=user1,ou=People,dc=ldap,dc=example,dc=com
uid: user1
cn: user1
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {CRYPT}Az/RBEIomiu0c
shadowLastChange: 15192
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/users/user1

dn: cn=user1,ou=Group,dc=ldap,dc=example,dc=com
objectClass: posixGroup
objectClass: top
cn: user1
userPassword: {crypt}x
gidNumber: 1001
EOF
ldapadd -x -w ubuntu -D "cn=admin,dc=ldap,dc=example,dc=com" -f /tmp/foo.ldif
ldapsearch -x -w ubuntu -D "cn=admin,dc=ldap,dc=example,dc=com" -b dc=ldap,dc=example,dc=com | tail -n1 | egrep -e '# numEntries: 6$' || echo "ERROR adding ldif"

IP=10.0.3.196  # this node's address, the same one written into the phpldapadmin config above
sensible-browser http://$IP/phpldapadmin
# login and check entries created with phpldapadmin
#+END_SRC

SCENARIO 2: a two-node setup, where one of the nodes configures a relay and a
translucent proxy.

node 1 config:

#+BEGIN_SRC shell
echo 10.0.3.240 ldap.example.com | sudo tee -a /etc/hosts # IP of node number 2
sudo apt-get install -y slapd ldap-utils
cat <<EOF > /etc/ldap/slapd.conf
pidfile /var/run/slapd.pid
TLSCACertificateFile /etc/ssl/certs/ca-certificates.crt
modulepath /usr/lib/ldap
moduleload back_hdb.la
moduleload back_relay.la
moduleload back_ldap.la
moduleload rwm.la
moduleload translucent.la
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/openldap.schema
access to attrs=userPassword by * auth
access to * by * read

backend hdb
backend relay

database hdb
directory /var/lib/ldap
suffix "dc=foo,dc=example,dc=com"
rootdn "c...


Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openldap - 2.4.31-1+nmu2ubuntu11.1

---------------
openldap (2.4.31-1+nmu2ubuntu11.1) utopic-security; urgency=medium

  * SECURITY UPDATE: fix rwm overlay reference counting. (LP: #1446809)
    - debian/patches/CVE-2013-4449.patch: fix reference counting
    - CVE-2013-4449
  * SECURITY UPDATE: fix NULL pointer dereference in deref_parseCtrl()
    - debian/patches/CVE-2015-1545.patch: require non-empty AttributeList
    - CVE-2015-1545

 -- Felipe Reyes <email address hidden> Tue, 19 May 2015 12:59:29 -0300

Changed in openldap (Ubuntu Utopic):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openldap - 2.4.31-1+nmu2ubuntu12.1

---------------
openldap (2.4.31-1+nmu2ubuntu12.1) vivid-security; urgency=medium

  * SECURITY UPDATE: fix rwm overlay reference counting. (LP: #1446809)
    - debian/patches/CVE-2013-4449.patch: fix reference counting
    - CVE-2013-4449
  * SECURITY UPDATE: fix NULL pointer dereference in deref_parseCtrl()
    - debian/patches/CVE-2015-1545.patch: require non-empty AttributeList
    - CVE-2015-1545

 -- Felipe Reyes <email address hidden> Tue, 19 May 2015 12:58:25 -0300

Changed in openldap (Ubuntu Vivid):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openldap - 2.4.28-1.1ubuntu4.5

---------------
openldap (2.4.28-1.1ubuntu4.5) precise-security; urgency=medium

  * SECURITY UPDATE: denial of service via an LDAP search query
    with attrsOnly set to true. (LP: #1446809)
    - debian/patches/CVE-2012-1164.1.patch: don't leave empty slots in
      normalized attr values
    - debian/patches/CVE-2012-1164.2.patch: add FIXME comment, note that
      current patch is not ideal
    - debian/patches/CVE-2012-1164.3.patch: fix attr_dup2 when no values are
      present (attrsOnly = TRUE)
    - CVE-2012-1164
  * SECURITY UPDATE: fix rwm overlay reference counting
    - debian/patches/CVE-2013-4449.patch: fix reference counting
    - CVE-2013-4449
  * SECURITY UPDATE: fix NULL pointer dereference in deref_parseCtrl()
    - debian/patches/CVE-2015-1545.patch: require non-empty AttributeList
    - CVE-2015-1545

 -- Felipe Reyes <email address hidden> Tue, 19 May 2015 11:53:17 -0300

Changed in openldap (Ubuntu Precise):
status: Triaged → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openldap - 2.4.31-1+nmu2ubuntu8.1

---------------
openldap (2.4.31-1+nmu2ubuntu8.1) trusty-security; urgency=medium

  * SECURITY UPDATE: fix rwm overlay reference counting. (LP: #1446809)
    - debian/patches/CVE-2013-4449.patch: fix reference counting
    - CVE-2013-4449
  * SECURITY UPDATE: fix NULL pointer dereference in deref_parseCtrl()
    - debian/patches/CVE-2015-1545.patch: require non-empty AttributeList
    - CVE-2015-1545

 -- Felipe Reyes <email address hidden> Tue, 19 May 2015 13:00:21 -0300

Changed in openldap (Ubuntu Trusty):
status: New → Fix Released
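An added example (not code from the bug report or from the openldap project) for anyone auditing a fleet against this bug: the fixed package versions published in the four changelogs above are compared with an installed version using the dpkg version-ordering rules, reimplemented here so the check runs on any host without dpkg. The `FIXED` table and the function names are this example's own.

```python
import re
# Fixed versions taken from the Launchpad Janitor changelog comments above.
FIXED = {
    "precise": "2.4.28-1.1ubuntu4.5",
    "trusty": "2.4.31-1+nmu2ubuntu8.1",
    "utopic": "2.4.31-1+nmu2ubuntu11.1",
    "vivid": "2.4.31-1+nmu2ubuntu12.1",
}

def _order(c):
    """dpkg weight of one character ("" = end): '~' < end < letters < other punctuation."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return -1 if c == "~" else (ord(c) + 256 if c else 0)

def _verrevcmp(a, b):
    """dpkg ordering of an upstream or revision string: non-digit runs by weight, digit runs numerically."""
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            d = _order(a[i:i + 1]) - _order(b[j:j + 1])
            if d:
                return d
            i, j = i + 1, j + 1
        na = re.match(r"\d*", a[i:]).group()   # digit runs compare as integers,
        nb = re.match(r"\d*", b[j:]).group()   # so leading zeros do not matter
        d = int(na or "0") - int(nb or "0")
        if d:
            return d
        i, j = i + len(na), j + len(nb)
    return 0

def compare_versions(a, b):
    """Return -1, 0 or 1 as `dpkg --compare-versions` would order a against b."""
    def split(v):                       # [epoch:]upstream[-revision]
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        upstream, sep, revision = rest.rpartition("-")
        return int(epoch), upstream or rest, revision if sep else ""
    ea, ua, ra = split(a)
    eb, ub, rb = split(b)
    r = (ea - eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)

def is_patched(series, installed):
    """True when the installed openldap package is at or above the fixed version for that series."""
    return compare_versions(installed, FIXED[series]) >= 0
```

Feed it the output of `dpkg-query -W -f '${Version}' slapd` from each host; a version such as 2.4.31-1+nmu2ubuntu8 on trusty sorts below the fixed 2.4.31-1+nmu2ubuntu8.1 and is reported unpatched.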
Felipe Reyes (freyes) on 2015-05-29
Changed in openldap (Ubuntu Precise):
assignee: nobody → Felipe Reyes (freyes)
Changed in openldap (Ubuntu Trusty):
assignee: nobody → Felipe Reyes (freyes)
Changed in openldap (Ubuntu Utopic):
assignee: nobody → Felipe Reyes (freyes)
Changed in openldap (Ubuntu Vivid):
assignee: nobody → Felipe Reyes (freyes)