CVE-2018-10871 - Cleartext Storage of Sensitive Information vulnerability in multiple products

CVSS 7.2 - HIGH
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: HIGH
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH
network
low complexity
fedoraproject
debian
CWE-312
nessus

Summary

389-ds-base before versions 1.3.8.5 and 1.4.0.12 is vulnerable to cleartext storage of sensitive information. By default, when the Replica and/or retroChangeLog plugins are enabled, 389-ds-base stores passwords in plaintext in their respective changelog files. An attacker with sufficiently high privileges, such as root or Directory Manager, can query these files to retrieve plaintext passwords.

Vulnerable Configurations

Part         Description    Count
Application  Fedoraproject  179
OS           Debian         1

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Footprinting
    An attacker engages in probing and exploration activity to identify constituents and properties of the target. Footprinting is a general term to describe a variety of information gathering techniques, often used by attackers in preparation for some attack. It consists of using tools to learn as much as possible about the composition, configuration, and security mechanisms of the targeted application, system or network. Information that might be collected during a footprinting effort could include open ports, applications and their versions, network topology, and similar information. While footprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks.
  • Lifting Data Embedded in Client Distributions
    An attacker can resort to stealing data embedded in client distributions or client code in order to gain certain information. This information can reveal confidential contents, such as account numbers, or can be used as an intermediate step in a larger attack (such as by stealing keys/credentials).

Nessus

  • NASL family: Amazon Linux Local Security Checks
    NASL id: ALA_ALAS-2020-1334.NASL
    description: 389-ds-base before versions 1.3.8.5, 1.4.0.12 is vulnerable to a Cleartext Storage of Sensitive Information. By default, when the Replica and/or retroChangeLog plugins are enabled, 389-ds-base stores passwords in plaintext format in their respective changelog files. An attacker with sufficiently high privileges, such as root or Directory Manager, can query these files in order to retrieve plaintext passwords.(CVE-2018-10871) A flaw has been found in 389-ds-base versions 1.4.x.x before 1.4.1.3. When executed in verbose mode, the dscreate and dsconf commands may display sensitive information, such as the Directory Manager password. An attacker, able to see the screen or record the terminal standard error output, could use this flaw to gain sensitive information.(CVE-2019-10224) A flaw was found in the
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 133004
    published: 2020-01-17
    reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/133004
    title: Amazon Linux AMI : 389-ds-base (ALAS-2020-1334)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Amazon Linux AMI Security Advisory ALAS-2020-1334.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(133004);
      script_version("1.2");
      script_cvs_date("Date: 2020/01/21");
    
      script_cve_id("CVE-2018-10871", "CVE-2019-10224", "CVE-2019-14824", "CVE-2019-3883");
      script_xref(name:"ALAS", value:"2020-1334");
    
      script_name(english:"Amazon Linux AMI : 389-ds-base (ALAS-2020-1334)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Amazon Linux AMI host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "389-ds-base before versions 1.3.8.5, 1.4.0.12 is vulnerable to a
    Cleartext Storage of Sensitive Information. By default, when the
    Replica and/or retroChangeLog plugins are enabled, 389-ds-base stores
    passwords in plaintext format in their respective changelog files. An
    attacker with sufficiently high privileges, such as root or Directory
    Manager, can query these files in order to retrieve plaintext
    passwords.(CVE-2018-10871)
    
    A flaw has been found in 389-ds-base versions 1.4.x.x before 1.4.1.3.
    When executed in verbose mode, the dscreate and dsconf commands may
    display sensitive information, such as the Directory Manager password.
    An attacker, able to see the screen or record the terminal standard
    error output, could use this flaw to gain sensitive
    information.(CVE-2019-10224)
    
    A flaw was found in the 'deref' plugin of 389-ds-base where it could
    use the 'search' permission to display attribute values. In some
    configurations, this could allow an authenticated attacker to view
    private attributes, such as password hashes.(CVE-2019-14824)
    
    In 389-ds-base up to version 1.4.1.2, requests are handled by workers
    threads. Each sockets will be waited by the worker for at most
    'ioblocktimeout' seconds. However this timeout applies only for
    un-encrypted requests. Connections using SSL/TLS are not taking this
    timeout into account during reads, and may hang longer.An
    unauthenticated attacker could repeatedly create hanging LDAP requests
    to hang all the workers, resulting in a Denial of
    Service.(CVE-2019-3883)
    
    It was found that encrypted connections did not honor the
    'ioblocktimeout' parameter to end blocking requests. As a result, an
    unauthenticated attacker could repeatedly start a sufficient number of
    encrypted connections to block all workers, resulting in a denial of
    service.(CVE-2019-3883)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://alas.aws.amazon.com/ALAS-2020-1334.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Run 'yum update 389-ds-base' to update your system."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-10871");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:389-ds-base");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:389-ds-base-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:389-ds-base-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:389-ds-base-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:389-ds-base-snmp");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/07/18");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/01/15");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/01/17");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Amazon Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/AmazonLinux/release");
    if (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux");
    os_ver = pregmatch(pattern: "^AL(A|\d)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
    os_ver = os_ver[1];
    if (os_ver != "A")
    {
      if (os_ver == 'A') os_ver = 'AMI';
      audit(AUDIT_OS_NOT, "Amazon Linux AMI", "Amazon Linux " + os_ver);
    }
    
    if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (rpm_check(release:"ALA", reference:"389-ds-base-1.3.9.1-12.65.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"389-ds-base-debuginfo-1.3.9.1-12.65.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"389-ds-base-devel-1.3.9.1-12.65.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"389-ds-base-libs-1.3.9.1-12.65.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"389-ds-base-snmp-1.3.9.1-12.65.amzn1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "389-ds-base / 389-ds-base-debuginfo / 389-ds-base-devel / etc");
    }
    
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SU-2019-2155-1.NASL
    description: This update for 389-ds to version 1.4.0.26 fixes the following issues : Security issues fixed : CVE-2016-5416: Fixed an information disclosure where an anonymous user could read the default ACI (bsc#991201). CVE-2018-1054: Fixed a denial of service via search filters in SetUnicodeStringFromUTF_8() (bsc#1083689). CVE-2018-1089: Fixed a buffer overflow via large filter value (bsc#1092187). CVE-2018-10871: Fixed an information disclosure in certain plugins leading to the disclosure of plaintext passwords to privileged attackers (bsc#1099465). CVE-2018-14638: Fixed a denial of service through a crash in delete_passwdPolicy () (bsc#1108674). CVE-2018-14648: Fixed a denial of service caused by malformed values in search queries (bsc#1109609). CVE-2018-10935: Fixed a denial of service related to ldapsearch with server side sort (bsc#1105606). CVE-2019-3883: Fixed a denial of service caused by hanging LDAP requests over TLS (bsc#1132385). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 128021
    published: 2019-08-20
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/128021
    title: SUSE SLED15 / SLES15 Security Update : 389-ds (SUSE-SU-2019:2155-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from SUSE update advisory SUSE-SU-2019:2155-1.
    # The text itself is copyright (C) SUSE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(128021);
      script_version("1.3");
      script_cvs_date("Date: 2020/01/02");
    
      script_cve_id("CVE-2016-5416", "CVE-2018-1054", "CVE-2018-10871", "CVE-2018-1089", "CVE-2018-10935", "CVE-2018-14638", "CVE-2018-14648", "CVE-2019-3883");
    
      script_name(english:"SUSE SLED15 / SLES15 Security Update : 389-ds (SUSE-SU-2019:2155-1)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SUSE host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for 389-ds to version 1.4.0.26 fixes the following 
    issues :
    
    Security issues fixed :
    
    CVE-2016-5416: Fixed an information disclosure where a anonymous user
    could read the default ACI (bsc#991201).
    
    CVE-2018-1054: Fixed a denial of service via search filters in
    SetUnicodeStringFromUTF_8() (bsc#1083689).
    
    CVE-2018-1089: Fixed a buffer overflow via large filter value
    (bsc#1092187).
    
    CVE-2018-10871: Fixed an information disclosure in certain plugins
    leading to the disclosure of plaintext password to an privileged
    attackers (bsc#1099465).
    
    CVE-2018-14638: Fixed a denial of service through a crash in
    delete_passwdPolicy () (bsc#1108674).
    
    CVE-2018-14648: Fixed a denial of service caused by malformed values
    in search queries (bsc#1109609).
    
    CVE-2018-10935: Fixed a denial of service related to ldapsearch with
    server side sort (bsc#1105606).
    
    CVE-2019-3883: Fixed a denial of service caused by hanging LDAP
    requests over TLS (bsc#1132385).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the SUSE security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1083689"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1092187"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1099465"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1105606"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1108674"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1109609"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1120189"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1132385"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1144797"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=991201"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-5416/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-1054/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-10871/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-1089/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-10935/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-14638/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-14648/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-3883/"
      );
      # https://www.suse.com/support/update/announcement/2019/suse-su-20192155-1/
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?b92e0f92"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "To install this SUSE Security Update use the SUSE recommended
    installation methods like YaST online_update or 'zypper patch'.
    
    Alternatively you can run the command listed for your product :
    
    SUSE Linux Enterprise Module for Server Applications 15-SP1:zypper in
    -t patch SUSE-SLE-Module-Server-Applications-15-SP1-2019-2155=1
    
    SUSE Linux Enterprise Module for Server Applications 15:zypper in -t
    patch SUSE-SLE-Module-Server-Applications-15-2019-2155=1
    
    SUSE Linux Enterprise Module for Open Buildservice Development Tools
    15-SP1:zypper in -t patch
    SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2019-2155=1
    
    SUSE Linux Enterprise Module for Open Buildservice Development Tools
    15:zypper in -t patch
    SUSE-SLE-Module-Development-Tools-OBS-15-2019-2155=1"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-5416");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:389-ds");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:389-ds-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:389-ds-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:389-ds-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:389-ds-snmp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:389-ds-snmp-debuginfo");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:15");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/06/08");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/08/15");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/08/20");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
    os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(SLED15|SLES15)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLED15 / SLES15", "SUSE " + os_ver);
    
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);
    
    sp = get_kb_item("Host/SuSE/patchlevel");
    if (isnull(sp)) sp = "0";
    if (os_ver == "SLES15" && (! preg(pattern:"^(0|1)$", string:sp))) audit(AUDIT_OS_NOT, "SLES15 SP0/1", os_ver + " SP" + sp);
    if (os_ver == "SLED15" && (! preg(pattern:"^(0|1)$", string:sp))) audit(AUDIT_OS_NOT, "SLED15 SP0/1", os_ver + " SP" + sp);
    
    
    flag = 0;
    if (rpm_check(release:"SLES15", sp:"1", reference:"389-ds-1.4.0.26~git0.8a2d3de6f-4.14.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"1", reference:"389-ds-debuginfo-1.4.0.26~git0.8a2d3de6f-4.14.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"1", reference:"389-ds-debugsource-1.4.0.26~git0.8a2d3de6f-4.14.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"1", reference:"389-ds-devel-1.4.0.26~git0.8a2d3de6f-4.14.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"1", reference:"389-ds-debuginfo-1.4.0.26~git0.8a2d3de6f-4.14.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"1", reference:"389-ds-debugsource-1.4.0.26~git0.8a2d3de6f-4.14.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"1", reference:"389-ds-snmp-1.4.0.26~git0.8a2d3de6f-4.14.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"1", reference:"389-ds-snmp-debuginfo-1.4.0.26~git0.8a2d3de6f-4.14.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"0", reference:"389-ds-1.4.0.26~git0.8a2d3de6f-4.14.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"0", reference:"389-ds-debuginfo-1.4.0.26~git0.8a2d3de6f-4.14.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"0", reference:"389-ds-debugsource-1.4.0.26~git0.8a2d3de6f-4.14.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"0", reference:"389-ds-devel-1.4.0.26~git0.8a2d3de6f-4.14.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"0", reference:"389-ds-debuginfo-1.4.0.26~git0.8a2d3de6f-4.14.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"0", reference:"389-ds-debugsource-1.4.0.26~git0.8a2d3de6f-4.14.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"0", reference:"389-ds-snmp-1.4.0.26~git0.8a2d3de6f-4.14.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"0", reference:"389-ds-snmp-debuginfo-1.4.0.26~git0.8a2d3de6f-4.14.1")) flag++;
    if (rpm_check(release:"SLED15", sp:"1", reference:"389-ds-debuginfo-1.4.0.26~git0.8a2d3de6f-4.14.1")) flag++;
    if (rpm_check(release:"SLED15", sp:"1", reference:"389-ds-debugsource-1.4.0.26~git0.8a2d3de6f-4.14.1")) flag++;
    if (rpm_check(release:"SLED15", sp:"1", reference:"389-ds-snmp-1.4.0.26~git0.8a2d3de6f-4.14.1")) flag++;
    if (rpm_check(release:"SLED15", sp:"1", reference:"389-ds-snmp-debuginfo-1.4.0.26~git0.8a2d3de6f-4.14.1")) flag++;
    if (rpm_check(release:"SLED15", sp:"0", reference:"389-ds-debuginfo-1.4.0.26~git0.8a2d3de6f-4.14.1")) flag++;
    if (rpm_check(release:"SLED15", sp:"0", reference:"389-ds-debugsource-1.4.0.26~git0.8a2d3de6f-4.14.1")) flag++;
    if (rpm_check(release:"SLED15", sp:"0", reference:"389-ds-snmp-1.4.0.26~git0.8a2d3de6f-4.14.1")) flag++;
    if (rpm_check(release:"SLED15", sp:"0", reference:"389-ds-snmp-debuginfo-1.4.0.26~git0.8a2d3de6f-4.14.1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "389-ds");
    }
    
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DLA-1483.NASL
    description: CVE-2018-10871 By default nsslapd-unhashed-pw-switch was set to
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 112195
    published: 2018-08-31
    reporter: This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/112195
    title: Debian DLA-1483-1 : 389-ds-base security update
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Debian Security Advisory DLA-1483-1. The text
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(112195);
      script_version("1.2");
      script_cvs_date("Date: 2018/09/18 11:59:19");
    
      script_cve_id("CVE-2018-10871", "CVE-2018-10935");
    
      script_name(english:"Debian DLA-1483-1 : 389-ds-base security update");
      script_summary(english:"Checks dpkg output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "CVE-2018-10871
    
    By default nsslapd-unhashed-pw-switch was set to 'on'. So a copy of
    the unhashed password was kept in modifiers and was possibly logged in
    changelog and retroCL.
    
    Unless it is used by some plugin it does not require to keep
    unhashed passwords. The nsslapd-unhashed-pw-switch option is
    now 'off' by default.
    
    CVE-2018-10935
    
    It was discovered that any authenticated user doing a search using
    ldapsearch with extended controls for server side sorting could bring
    down the LDAP server itself.
    
    The fix is to check if we are able to index the provided
    value. If we are not, then slapd_qsort returns an error
    (LDAP_OPERATION_ERROR) .
    
    For Debian 8 'Jessie', these problems have been fixed in version
    1.3.3.5-4+deb8u2.
    
    We recommend that you upgrade your 389-ds-base packages.
    
    NOTE: Tenable Network Security has extracted the preceding description
    block directly from the DLA security advisory. Tenable has attempted
    to automatically clean and format it as much as possible without
    introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://lists.debian.org/debian-lts-announce/2018/08/msg00032.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/jessie/389-ds-base"
      );
      script_set_attribute(attribute:"solution", value:"Upgrade the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:389-ds");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:389-ds-base");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:389-ds-base-dbg");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:389-ds-base-dev");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:389-ds-base-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:389-ds-base-libs-dbg");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2018/08/30");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/08/31");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"8.0", prefix:"389-ds", reference:"1.3.3.5-4+deb8u2")) flag++;
    if (deb_check(release:"8.0", prefix:"389-ds-base", reference:"1.3.3.5-4+deb8u2")) flag++;
    if (deb_check(release:"8.0", prefix:"389-ds-base-dbg", reference:"1.3.3.5-4+deb8u2")) flag++;
    if (deb_check(release:"8.0", prefix:"389-ds-base-dev", reference:"1.3.3.5-4+deb8u2")) flag++;
    if (deb_check(release:"8.0", prefix:"389-ds-base-libs", reference:"1.3.3.5-4+deb8u2")) flag++;
    if (deb_check(release:"8.0", prefix:"389-ds-base-libs-dbg", reference:"1.3.3.5-4+deb8u2")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Huawei Local Security Checks
    NASL id: EULEROS_SA-2019-2127.NASL
    description: According to the version of the 389-ds-base packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - 389-ds-base before versions 1.3.8.5, 1.4.0.12 is vulnerable to a Cleartext Storage of Sensitive Information. By default, when the Replica and/or retroChangeLog plugins are enabled, 389-ds-base stores passwords in plaintext format in their respective changelog files. An attacker with sufficiently high privileges, such as root or Directory Manager, can query these files in order to retrieve plaintext passwords.(CVE-2018-10871) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-05-08
    modified: 2019-11-12
    plugin id: 130836
    published: 2019-11-12
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/130836
    title: EulerOS 2.0 SP5 : 389-ds-base (EulerOS-SA-2019-2127)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(130836);
      script_version("1.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/07");
    
      script_cve_id(
        "CVE-2018-10871"
      );
    
      script_name(english:"EulerOS 2.0 SP5 : 389-ds-base (EulerOS-SA-2019-2127)");
      script_summary(english:"Checks the rpm output for the updated package.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS host is missing a security update.");
      script_set_attribute(attribute:"description", value:
    "According to the version of the 389-ds-base packages installed, the
    EulerOS installation on the remote host is affected by the following
    vulnerability :
    
      - 389-ds-base before versions 1.3.8.5, 1.4.0.12 is
        vulnerable to a Cleartext Storage of Sensitive
        Information. By default, when the Replica and/or
        retroChangeLog plugins are enabled, 389-ds-base stores
        passwords in plaintext format in their respective
        changelog files. An attacker with sufficiently high
        privileges, such as root or Directory Manager, can
        query these files in order to retrieve plaintext
        passwords.(CVE-2018-10871)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2127
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?8b386db3");
      script_set_attribute(attribute:"solution", value:
    "Update the affected 389-ds-base package.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2019/10/27");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/11/12");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:389-ds-base");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:389-ds-base-libs");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
      script_exclude_keys("Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");
    
    sp = get_kb_item("Host/EulerOS/sp");
    if (isnull(sp) || sp !~ "^(5)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP5");
    
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP5", "EulerOS UVP " + uvp);
    
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
    
    flag = 0;
    
    pkgs = ["389-ds-base-1.3.7.5-28.h3.eulerosv2r7",
            "389-ds-base-libs-1.3.7.5-28.h3.eulerosv2r7"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", sp:"5", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "389-ds-base");
    }
    
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2019-3401.NASL
    description: An update for the 389-ds:1.4 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 389 Directory Server is an LDAP version 3 (LDAPv3) compliant server. The base packages include the Lightweight Directory Access Protocol (LDAP) server and command-line utilities for server administration. The following packages have been upgraded to a later upstream version: 389-ds-base (1.4.1.3). (BZ#1712467) Security Fix(es): * 389-ds-base: Read permission check bypass via the deref plugin (CVE-2019-14824) * 389-ds-base: replication and the Retro Changelog plugin store plaintext password by default (CVE-2018-10871) * 389-ds-base: DoS via hanging secured connections (CVE-2019-3883) * 389-ds-base: using dscreate in verbose mode results in information disclosure (CVE-2019-10224) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.1 Release Notes linked from the References section.
    last seen: 2020-05-23
    modified: 2019-11-06
    plugin id: 130535
    published: 2019-11-06
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/130535
    title: RHEL 8 : 389-ds:1.4 (RHSA-2019:3401)
  • NASL family: Huawei Local Security Checks
    NASL id: EULEROS_SA-2019-2554.NASL
    description: According to the version of the 389-ds-base packages installed, the EulerOS installation on the remote host is affected by the following vulnerability: 389-ds-base before versions 1.3.8.5, 1.4.0.12 is vulnerable to a Cleartext Storage of Sensitive Information. By default, when the Replica and/or retroChangeLog plugins are enabled, 389-ds-base stores passwords in plaintext format in their respective changelog files. An attacker with sufficiently high privileges, such as root or Directory Manager, can query these files in order to retrieve plaintext passwords. (CVE-2018-10871) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-05-08
    modified: 2019-12-19
    plugin id: 132271
    published: 2019-12-19
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/132271
    title: EulerOS 2.0 SP3 : 389-ds-base (EulerOS-SA-2019-2554)

Redhat

advisories
rhsa
id: RHSA-2019:3401
rpms
  • 389-ds-base-0:1.4.1.3-7.module+el8.1.0+4150+5b8c2c1f
  • 389-ds-base-debuginfo-0:1.4.1.3-7.module+el8.1.0+4150+5b8c2c1f
  • 389-ds-base-debugsource-0:1.4.1.3-7.module+el8.1.0+4150+5b8c2c1f
  • 389-ds-base-devel-0:1.4.1.3-7.module+el8.1.0+4150+5b8c2c1f
  • 389-ds-base-legacy-tools-0:1.4.1.3-7.module+el8.1.0+4150+5b8c2c1f
  • 389-ds-base-legacy-tools-debuginfo-0:1.4.1.3-7.module+el8.1.0+4150+5b8c2c1f
  • 389-ds-base-libs-0:1.4.1.3-7.module+el8.1.0+4150+5b8c2c1f
  • 389-ds-base-libs-debuginfo-0:1.4.1.3-7.module+el8.1.0+4150+5b8c2c1f
  • 389-ds-base-snmp-0:1.4.1.3-7.module+el8.1.0+4150+5b8c2c1f
  • 389-ds-base-snmp-debuginfo-0:1.4.1.3-7.module+el8.1.0+4150+5b8c2c1f
  • python3-lib389-0:1.4.1.3-7.module+el8.1.0+4150+5b8c2c1f