CVE-2015-1827 - Data Processing Errors vulnerability in multiple products

CVSS 0.0 - NONE (no vector is recorded on this page; Red Hat rated the fixing advisory RHSA-2015:0728 as Moderate)
Attack vector: UNKNOWN
Attack complexity: UNKNOWN
Privileges required: UNKNOWN
Confidentiality impact: UNKNOWN
Integrity impact: UNKNOWN
Availability impact: UNKNOWN

Summary

The get_user_grouplist function in the extdom plug-in in FreeIPA before 4.1.4 does not properly reallocate memory when processing user accounts, which allows remote attackers to cause a denial of service (crash) via a group list request for a user that belongs to a large number of groups.
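The summary describes a realloc-and-retry loop around a group lookup that goes wrong once a user belongs to more groups than the buffer holds. The C below is an added example and is not FreeIPA's extdom code or its fix: it uses a constructed stand-in for getgrouplist(3) (fake_getgrouplist, serving a user with 300 groups) and shows the growth loop written so that a retry can neither write past the buffer nor spin forever, which is the property the patched plug-in has to provide. The function names, the 300-group user and the tiny initial capacity are assumptions made for the demo.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

/* Constructed stand-in for getgrouplist(3): a user that belongs to
 * MANY_GROUPS groups, far more than an initial buffer holds. The real
 * call would consult NSS (files, SSSD, ...). Same contract as glibc:
 * write at most *ngroups entries, store the needed count in *ngroups,
 * return -1 if they did not all fit, else the number of groups. */
#define MANY_GROUPS 300

static int fake_getgrouplist(const char *user, gid_t gid,
                             gid_t *groups, int *ngroups)
{
    int capacity = *ngroups;
    (void)user;
    for (int i = 0; i < MANY_GROUPS && i < capacity; i++)
        groups[i] = (i == 0) ? gid : (gid_t)(10000 + i);
    *ngroups = MANY_GROUPS;
    return (MANY_GROUPS <= capacity) ? MANY_GROUPS : -1;
}

/* A realloc-and-retry loop that cannot be driven into an overflow or a
 * spin: every retry passes the array's true capacity, the byte size is
 * derived from the element count times the element size (computing it
 * from the count alone, or re-passing the old capacity, lets the next
 * lookup write past the block), the multiplication is overflow-checked,
 * and a backend that does not ask for more is handled by doubling.
 * Returns 0 on success; the caller frees *out_groups. */
int collect_user_groups(const char *user, gid_t gid,
                        size_t *out_count, gid_t **out_groups)
{
    int capacity = 4;               /* deliberately tiny so the grow path runs */
    gid_t *groups = malloc((size_t)capacity * sizeof *groups);
    if (groups == NULL)
        return -1;

    for (;;) {
        int ngroups = capacity;     /* always the real size of the array */
        int ret = fake_getgrouplist(user, gid, groups, &ngroups);
        if (ret >= 0) {
            *out_count = (size_t)ret;
            *out_groups = groups;
            return 0;
        }
        /* Too small: grow to what the backend asked for, or double if it
         * gave us nothing bigger to go on (avoids an endless retry). */
        size_t want = (ngroups > capacity) ? (size_t)ngroups
                                            : (size_t)capacity * 2;
        if (want > (size_t)INT_MAX || want > SIZE_MAX / sizeof *groups) {
            free(groups);
            errno = ERANGE;
            return -1;
        }
        gid_t *tmp = realloc(groups, want * sizeof *groups);
        if (tmp == NULL) {
            free(groups);           /* realloc failure leaves the old block valid */
            return -1;
        }
        groups = tmp;
        capacity = (int)want;
    }
}

/* Exercise the loop and validate the result: returns the group count
 * (300) when every entry is what the backend produced, -1 otherwise. */
int demo_many_groups(void)
{
    size_t n = 0;
    gid_t *g = NULL;
    if (collect_user_groups("alice", 1000, &n, &g) != 0)
        return -1;
    int ok = (n == MANY_GROUPS) && (g[0] == 1000) &&
             (g[n - 1] == (gid_t)(10000 + MANY_GROUPS - 1));
    free(g);
    return ok ? (int)n : -1;
}

int main(void)
{
    printf("groups collected for constructed user: %d\n", demo_many_groups());
    return 0;
}
```

The run starts with room for 4 gids, gets -1 plus the needed count back, grows once to 300 and succeeds on the second call. Swapping fake_getgrouplist for the real getgrouplist() needs no other change; the point to keep is that the retry size comes from the reported count and the element size, never from a stale capacity.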

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or, potentially, redirecting execution as the attacker chooses.
  • XML Nested Payloads
    Applications often need to transform data in and out of the XML format by using an XML parser. It may be possible for an attacker to inject data that may have an adverse effect on the XML parser when it is being processed. By nesting XML data and causing this data to be continuously self-referential, an attacker can cause the XML parser to consume more resources while processing, causing excessive memory consumption and CPU utilization. An attacker's goal is to leverage parser failure to his or her advantage. In most cases this type of attack results in a denial of service, with the application becoming unstable, freezing, or crashing. However, it may be possible to cause a crash that results in arbitrary code execution, a jump from the data plane to the control plane [R.230.1].
  • XML Oversized Payloads
    Applications often need to transform data in and out of the XML format by using an XML parser. It may be possible for an attacker to inject data that may have an adverse effect on the XML parser when it is being processed. By supplying oversized payloads in input vectors that will be processed by the XML parser, an attacker can cause the XML parser to consume more resources while processing, causing excessive memory consumption and CPU utilization, and potentially cause execution of arbitrary code. An attacker's goal is to leverage parser failure to his or her advantage. In many cases this type of attack results in a denial of service, with the application becoming unstable, freezing, or crashing. However, it is possible to cause a crash that results in arbitrary code execution, a jump from the data plane to the control plane [R.231.1].
  • XML Client-Side Attack
    Client applications such as web browsers that process HTML data often need to transform data in and out of the XML format by using an XML parser. It may be possible for an attacker to inject data that may have an adverse effect on the XML parser when it is being processed. These adverse effects may include the parser crashing, consuming too much of a resource, executing too slowly, executing code supplied by an attacker, allowing usage of unintended system functionality, etc. An attacker's goal is to leverage parser failure to his or her advantage. In some cases it may be possible to jump from the data plane to the control plane via bad data being passed to an XML parser. [R.484.1]
  • XML Parser Attack
    Applications often need to transform data in and out of the XML format by using an XML parser. It may be possible for an attacker to inject data that may have an adverse effect on the XML parser when it is being processed. These adverse effects may include the parser crashing, consuming too much of a resource, executing too slowly, executing code supplied by an attacker, allowing usage of unintended system functionality, etc. An attacker's goal is to leverage parser failure to his or her advantage. In some cases it may be possible to jump from the data plane to the control plane via bad data being passed to an XML parser. [R.99.1]

Nessus

  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2015-0728.NASL
    description: Updated ipa and slapi-nis packages that fix two security issues and several bugs are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Red Hat Identity Management is a centralized authentication, identity management, and authorization solution for both traditional and cloud-based enterprise environments. It integrates components of the Red Hat Directory Server, MIT Kerberos, Red Hat Certificate System, NTP, and DNS. It provides web browser and command-line interfaces. Its administration tools allow an administrator to quickly install, set up, and administer a group of domain controllers to meet the authentication and identity management requirements of large-scale Linux and UNIX deployments. The ipa component provides centrally managed Identity, Policy, and Audit. The slapi-nis component provides NIS Server and Schema Compatibility plug-ins for Directory Server. It was discovered that the IPA extdom Directory Server plug-in did not correctly perform memory reallocation when handling user account information. A request for a list of groups for a user that belongs to a large number of groups would cause a Directory Server to crash. (CVE-2015-1827) It was discovered that the slapi-nis Directory Server plug-in did not correctly perform memory reallocation when handling user account information. A request for information about a group with many members, or a request for a user that belongs to a large number of groups, would cause a Directory Server to enter an infinite loop and consume an excessive amount of CPU time. (CVE-2015-0283) These issues were discovered by Sumit Bose of Red Hat. This update fixes the following bugs : * Previously, users of IdM were not properly granted the default permission to read the
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 82291
    published: 2015-03-27
    reporter: This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/82291
    title: RHEL 7 : ipa and slapi-nis (RHSA-2015:0728)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2015-4788.NASL
    description: CVE-2015-1827: It was discovered that the IPA extdom Directory Server plug-in did not correctly perform memory reallocation when handling user account information. A request for a list of groups for a user that belongs to a large number of groups would cause a Directory Server to crash. CVE-2015-0283: It was discovered that the slapi-nis Directory Server plug-in did not correctly perform memory reallocation when handling user account information. A request for information about a group with many members, or a request for a user that belongs to a large number of groups, would cause a Directory Server to enter an infinite loop and consume an excessive amount of CPU time. These issues were discovered by Sumit Bose of Red Hat. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-05
    modified: 2015-04-03
    plugin id: 82554
    published: 2015-04-03
    reporter: This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/82554
    title: Fedora 22 : freeipa-4.1.4-1.fc22 / slapi-nis-0.54.2-1.fc22 (2015-4788)
  • NASL family: Scientific Linux Local Security Checks
    NASL id: SL_20150326_IPA_AND_SLAPI_NIS_ON_SL7_X.NASL
    description: The ipa component provides centrally managed Identity, Policy, and Audit. The slapi-nis component provides NIS Server and Schema Compatibility plug-ins for Directory Server. It was discovered that the IPA extdom Directory Server plug-in did not correctly perform memory reallocation when handling user account information. A request for a list of groups for a user that belongs to a large number of groups would cause a Directory Server to crash. (CVE-2015-1827) It was discovered that the slapi-nis Directory Server plug-in did not correctly perform memory reallocation when handling user account information. A request for information about a group with many members, or a request for a user that belongs to a large number of groups, would cause a Directory Server to enter an infinite loop and consume an excessive amount of CPU time. (CVE-2015-0283) This update fixes the following bugs : - Previously, users of IdM were not properly granted the default permission to read the
    last seen: 2020-03-18
    modified: 2015-03-27
    plugin id: 82293
    published: 2015-03-27
    reporter: This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/82293
    title: Scientific Linux Security Update : ipa and slapi-nis on SL7.x x86_64 (20150326)
  • NASL family: CentOS Local Security Checks
    NASL id: CENTOS_RHSA-2015-0728.NASL
    description: Updated ipa and slapi-nis packages that fix two security issues and several bugs are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Red Hat Identity Management is a centralized authentication, identity management, and authorization solution for both traditional and cloud-based enterprise environments. It integrates components of the Red Hat Directory Server, MIT Kerberos, Red Hat Certificate System, NTP, and DNS. It provides web browser and command-line interfaces. Its administration tools allow an administrator to quickly install, set up, and administer a group of domain controllers to meet the authentication and identity management requirements of large-scale Linux and UNIX deployments. The ipa component provides centrally managed Identity, Policy, and Audit. The slapi-nis component provides NIS Server and Schema Compatibility plug-ins for Directory Server. It was discovered that the IPA extdom Directory Server plug-in did not correctly perform memory reallocation when handling user account information. A request for a list of groups for a user that belongs to a large number of groups would cause a Directory Server to crash. (CVE-2015-1827) It was discovered that the slapi-nis Directory Server plug-in did not correctly perform memory reallocation when handling user account information. A request for information about a group with many members, or a request for a user that belongs to a large number of groups, would cause a Directory Server to enter an infinite loop and consume an excessive amount of CPU time. (CVE-2015-0283) These issues were discovered by Sumit Bose of Red Hat. This update fixes the following bugs : * Previously, users of IdM were not properly granted the default permission to read the
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 82475
    published: 2015-04-01
    reporter: This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/82475
    title: CentOS 7 : ipa / slapi-nis (CESA-2015:0728)
  • NASL family: Oracle Linux Local Security Checks
    NASL id: ORACLELINUX_ELSA-2015-0728.NASL
    description: From Red Hat Security Advisory 2015:0728 : Updated ipa and slapi-nis packages that fix two security issues and several bugs are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Red Hat Identity Management is a centralized authentication, identity management, and authorization solution for both traditional and cloud-based enterprise environments. It integrates components of the Red Hat Directory Server, MIT Kerberos, Red Hat Certificate System, NTP, and DNS. It provides web browser and command-line interfaces. Its administration tools allow an administrator to quickly install, set up, and administer a group of domain controllers to meet the authentication and identity management requirements of large-scale Linux and UNIX deployments. The ipa component provides centrally managed Identity, Policy, and Audit. The slapi-nis component provides NIS Server and Schema Compatibility plug-ins for Directory Server. It was discovered that the IPA extdom Directory Server plug-in did not correctly perform memory reallocation when handling user account information. A request for a list of groups for a user that belongs to a large number of groups would cause a Directory Server to crash. (CVE-2015-1827) It was discovered that the slapi-nis Directory Server plug-in did not correctly perform memory reallocation when handling user account information. A request for information about a group with many members, or a request for a user that belongs to a large number of groups, would cause a Directory Server to enter an infinite loop and consume an excessive amount of CPU time. (CVE-2015-0283) These issues were discovered by Sumit Bose of Red Hat. This update fixes the following bugs : * Previously, users of IdM were not properly granted the default permission to read the
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 82288
    published: 2015-03-27
    reporter: This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/82288
    title: Oracle Linux 7 : ipa / slapi-nis (ELSA-2015-0728)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2015-4747.NASL
    description: CVE-2015-1827: It was discovered that the IPA extdom Directory Server plug-in did not correctly perform memory reallocation when handling user account information. A request for a list of groups for a user that belongs to a large number of groups would cause a Directory Server to crash. CVE-2015-0283: It was discovered that the slapi-nis Directory Server plug-in did not correctly perform memory reallocation when handling user account information. A request for information about a group with many members, or a request for a user that belongs to a large number of groups, would cause a Directory Server to enter an infinite loop and consume an excessive amount of CPU time. These issues were discovered by Sumit Bose of Red Hat. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-05
    modified: 2015-04-07
    plugin id: 82612
    published: 2015-04-07
    reporter: This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/82612
    title: Fedora 21 : freeipa-4.1.4-1.fc21 / slapi-nis-0.54.2-1.fc21 (2015-4747)

Redhat

advisories
bugzilla
  id: 1205200
  title: CVE-2015-1827 ipa: memory corruption when using get_user_grouplist()
oval
OR
  • comment: Red Hat Enterprise Linux must be installed
    oval: oval:com.redhat.rhba:tst:20070304026
  • AND
    • comment: Red Hat Enterprise Linux 7 is installed
      oval: oval:com.redhat.rhba:tst:20150364027
    • OR
      • AND
        • comment: slapi-nis is earlier than 0:0.54-3.el7_1
          oval: oval:com.redhat.rhsa:tst:20150728001
        • comment: slapi-nis is signed with Red Hat redhatrelease2 key
          oval: oval:com.redhat.rhba:tst:20194268010
      • AND
        • comment: ipa-admintools is earlier than 0:4.1.0-18.el7_1.3
          oval: oval:com.redhat.rhsa:tst:20150728003
        • comment: ipa-admintools is signed with Red Hat redhatrelease2 key
          oval: oval:com.redhat.rhsa:tst:20111533010
      • AND
        • comment: ipa-server is earlier than 0:4.1.0-18.el7_1.3
          oval: oval:com.redhat.rhsa:tst:20150728005
        • comment: ipa-server is signed with Red Hat redhatrelease2 key
          oval: oval:com.redhat.rhba:tst:20194268018
      • AND
        • comment: ipa-server-trust-ad is earlier than 0:4.1.0-18.el7_1.3
          oval: oval:com.redhat.rhsa:tst:20150728007
        • comment: ipa-server-trust-ad is signed with Red Hat redhatrelease2 key
          oval: oval:com.redhat.rhba:tst:20194268016
      • AND
        • comment: ipa-client is earlier than 0:4.1.0-18.el7_1.3
          oval: oval:com.redhat.rhsa:tst:20150728009
        • comment: ipa-client is signed with Red Hat redhatrelease2 key
          oval: oval:com.redhat.rhba:tst:20194268026
      • AND
        • comment: ipa-python is earlier than 0:4.1.0-18.el7_1.3
          oval: oval:com.redhat.rhsa:tst:20150728011
        • comment: ipa-python is signed with Red Hat redhatrelease2 key
          oval: oval:com.redhat.rhsa:tst:20111533004
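The OVAL tree above reduces to "the package is installed at an EVR earlier than the fixed one, and it carries the Red Hat signature". The "earlier than" step is an rpm EVR comparison, not a string comparison: 18.el7_1.10 is newer than 18.el7_1.3 even though it sorts first as text, and a missing epoch means 0. The C below is an added example, a from-scratch re-implementation of the rpmvercmp ordering applied to the fixed versions listed in this advisory; it is not librpm or Red Hat's OVAL evaluator, it omits the newer '^' operator, and the EVR strings in main are constructed samples. The signature half of each AND is left to rpm itself.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* rpmvercmp ordering: split into runs of digits and runs of letters;
 * digit runs compare numerically, letter runs lexically, a digit run
 * beats a letter run, '~' sorts before anything (pre-releases).
 * Returns -1, 0 or 1. Re-implementation, not librpm. */
int rpmvercmp(const char *a, const char *b)
{
    if (strcmp(a, b) == 0)
        return 0;
    while (*a || *b) {
        while (*a && !isalnum((unsigned char)*a) && *a != '~') a++;   /* skip separators */
        while (*b && !isalnum((unsigned char)*b) && *b != '~') b++;
        if (*a == '~' || *b == '~') {
            if (*a != '~') return 1;         /* only b is a pre-release: a is newer */
            if (*b != '~') return -1;
            a++; b++;
            continue;
        }
        if (!(*a && *b))
            break;
        size_t la = 0, lb = 0;
        int isnum = isdigit((unsigned char)*a) != 0;
        if (isnum) {
            while (isdigit((unsigned char)a[la])) la++;
            while (isdigit((unsigned char)b[lb])) lb++;
        } else {
            while (isalpha((unsigned char)a[la])) la++;
            while (isalpha((unsigned char)b[lb])) lb++;
        }
        if (lb == 0)                         /* segment types differ */
            return isnum ? 1 : -1;
        int rc;
        if (isnum) {                         /* drop leading zeros, longer run wins */
            while (la > 1 && *a == '0') { a++; la--; }
            while (lb > 1 && *b == '0') { b++; lb--; }
            rc = (la != lb) ? (la < lb ? -1 : 1) : memcmp(a, b, la);
        } else {
            size_t n = la < lb ? la : lb;
            rc = memcmp(a, b, n);
            if (rc == 0 && la != lb) rc = (la < lb) ? -1 : 1;
        }
        if (rc != 0)
            return rc < 0 ? -1 : 1;
        a += la;
        b += lb;
    }
    if (!*a && !*b) return 0;
    return (*a == '\0') ? -1 : 1;            /* whichever has more left is newer */
}

/* Split "epoch:version-release". A missing epoch, or the "(none)" that
 * `rpm -q --qf '%{EPOCH}:...'` prints for an unset epoch, counts as 0. */
static int split_evr(const char *evr, char *e, char *v, char *r, size_t n)
{
    const char *p = evr, *colon = strchr(p, ':');
    if (colon) {
        size_t l = (size_t)(colon - p);
        if (l >= n) return -1;
        if (l == 6 && strncmp(p, "(none)", 6) == 0) strcpy(e, "0");
        else { memcpy(e, p, l); e[l] = '\0'; }
        p = colon + 1;
    } else {
        strcpy(e, "0");
    }
    const char *dash = strrchr(p, '-');
    size_t vl = dash ? (size_t)(dash - p) : strlen(p);
    if (vl >= n) return -1;
    memcpy(v, p, vl); v[vl] = '\0';
    const char *rel = dash ? dash + 1 : "";
    if (strlen(rel) >= n) return -1;
    strcpy(r, rel);
    return 0;
}

/* Order two EVR strings: epoch, then version, then release; -2 = unparseable. */
int rpm_evr_cmp(const char *x, const char *y)
{
    char xe[64], xv[64], xr[64], ye[64], yv[64], yr[64];
    if (split_evr(x, xe, xv, xr, sizeof xe) || split_evr(y, ye, yv, yr, sizeof ye))
        return -2;
    int rc = rpmvercmp(xe, ye);
    if (rc == 0) rc = rpmvercmp(xv, yv);
    if (rc == 0) rc = rpmvercmp(xr, yr);
    return rc;
}

/* The OVAL test "<pkg> is earlier than <fixed EVR>": 1 = still vulnerable,
 * 0 = fixed or newer, -2 = could not parse. */
int is_earlier_than_fix(const char *installed_evr, const char *fixed_evr)
{
    int rc = rpm_evr_cmp(installed_evr, fixed_evr);
    return (rc == -2) ? -2 : (rc < 0);
}

int main(void)
{
    /* constructed samples of what `rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}\n' ipa-server` prints */
    const char *fixed_ipa = "0:4.1.0-18.el7_1.3";
    printf("0:4.1.0-18.el7_1.2      -> %d\n", is_earlier_than_fix("0:4.1.0-18.el7_1.2", fixed_ipa));
    printf("(none):4.1.0-18.el7_1.10 -> %d\n", is_earlier_than_fix("(none):4.1.0-18.el7_1.10", fixed_ipa));
    return 0;
}
```

Feed it the EVR printed by `rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}\n' <package>` for each package in the tree (slapi-nis against 0:0.54-3.el7_1, the ipa packages against 0:4.1.0-18.el7_1.3). A result of 1 only matches the OVAL definition if the package is also Red Hat-signed, which `rpm -qi <package>` shows in its Signature line; a rebuilt or third-party package with the same name and an older version does not trip the Red Hat check.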
rhsa
  id: RHSA-2015:0728
  released: 2015-03-26
  severity: Moderate
  title: RHSA-2015:0728: ipa and slapi-nis security and bug fix update (Moderate)
rpms
  • ipa-admintools-0:4.1.0-18.ael7b_1.3
  • ipa-admintools-0:4.1.0-18.el7_1.3
  • ipa-client-0:4.1.0-18.ael7b_1.3
  • ipa-client-0:4.1.0-18.el7_1.3
  • ipa-debuginfo-0:4.1.0-18.ael7b_1.3
  • ipa-debuginfo-0:4.1.0-18.el7_1.3
  • ipa-python-0:4.1.0-18.ael7b_1.3
  • ipa-python-0:4.1.0-18.el7_1.3
  • ipa-server-0:4.1.0-18.el7_1.3
  • ipa-server-trust-ad-0:4.1.0-18.el7_1.3
  • slapi-nis-0:0.54-3.ael7b_1
  • slapi-nis-0:0.54-3.el7_1
  • slapi-nis-debuginfo-0:0.54-3.ael7b_1
  • slapi-nis-debuginfo-0:0.54-3.el7_1