CVE-2018-10871 - Cleartext Storage of Sensitive Information vulnerability in multiple products
- Attack vector: NETWORK
- Attack complexity: LOW
- Privileges required: HIGH
- Confidentiality impact: HIGH
- Integrity impact: HIGH
- Availability impact: HIGH

Summary
389-ds-base before versions 1.3.8.5 and 1.4.0.12 is vulnerable to Cleartext Storage of Sensitive Information. By default, when the Replica and/or retroChangeLog plugins are enabled, 389-ds-base stores passwords in plaintext format in their respective changelog files. An attacker with sufficiently high privileges, such as root or Directory Manager, can query these files in order to retrieve plaintext passwords.
Common Attack Pattern Enumeration and Classification (CAPEC)
- Footprinting: An attacker engages in probing and exploration activity to identify constituents and properties of the target. Footprinting is a general term to describe a variety of information gathering techniques, often used by attackers in preparation for some attack. It consists of using tools to learn as much as possible about the composition, configuration, and security mechanisms of the targeted application, system or network. Information that might be collected during a footprinting effort could include open ports, applications and their versions, network topology, and similar information. While footprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks.
- Lifting Data Embedded in Client Distributions: An attacker can resort to stealing data embedded in client distributions or client code in order to gain certain information. This information can reveal confidential contents, such as account numbers, or can be used as an intermediate step in a larger attack (such as by stealing keys/credentials).
Nessus
- NASL family: Amazon Linux Local Security Checks
- NASL id: ALA_ALAS-2020-1334.NASL
- description: 389-ds-base before versions 1.3.8.5, 1.4.0.12 is vulnerable to a Cleartext Storage of Sensitive Information. By default, when the Replica and/or retroChangeLog plugins are enabled, 389-ds-base stores passwords in plaintext format in their respective changelog files. An attacker with sufficiently high privileges, such as root or Directory Manager, can query these files in order to retrieve plaintext passwords.(CVE-2018-10871) A flaw has been found in 389-ds-base versions 1.4.x.x before 1.4.1.3. When executed in verbose mode, the dscreate and dsconf commands may display sensitive information, such as the Directory Manager password. An attacker, able to see the screen or record the terminal standard error output, could use this flaw to gain sensitive information.(CVE-2019-10224) A flaw was found in the
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 133004
- published: 2020-01-17
- reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/133004
- title: Amazon Linux AMI : 389-ds-base (ALAS-2020-1334)
- code:

```
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Amazon Linux AMI Security Advisory ALAS-2020-1334.
#

include("compat.inc");

if (description)
{
  script_id(133004);
  script_version("1.2");
  script_cvs_date("Date: 2020/01/21");

  script_cve_id("CVE-2018-10871", "CVE-2019-10224", "CVE-2019-14824", "CVE-2019-3883");
  script_xref(name:"ALAS", value:"2020-1334");

  script_name(english:"Amazon Linux AMI : 389-ds-base (ALAS-2020-1334)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Amazon Linux AMI host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"389-ds-base before versions 1.3.8.5, 1.4.0.12 is vulnerable to a Cleartext Storage of Sensitive Information. By default, when the Replica and/or retroChangeLog plugins are enabled, 389-ds-base stores passwords in plaintext format in their respective changelog files. An attacker with sufficiently high privileges, such as root or Directory Manager, can query these files in order to retrieve plaintext passwords.(CVE-2018-10871)

A flaw has been found in 389-ds-base versions 1.4.x.x before 1.4.1.3. When executed in verbose mode, the dscreate and dsconf commands may display sensitive information, such as the Directory Manager password. An attacker, able to see the screen or record the terminal standard error output, could use this flaw to gain sensitive information.(CVE-2019-10224)

A flaw was found in the 'deref' plugin of 389-ds-base where it could use the 'search' permission to display attribute values. In some configurations, this could allow an authenticated attacker to view private attributes, such as password hashes.(CVE-2019-14824)

In 389-ds-base up to version 1.4.1.2, requests are handled by workers threads. Each sockets will be waited by the worker for at most 'ioblocktimeout' seconds. However this timeout applies only for un-encrypted requests. Connections using SSL/TLS are not taking this timeout into account during reads, and may hang longer.An unauthenticated attacker could repeatedly create hanging LDAP requests to hang all the workers, resulting in a Denial of Service.(CVE-2019-3883)

It was found that encrypted connections did not honor the 'ioblocktimeout' parameter to end blocking requests. As a result, an unauthenticated attacker could repeatedly start a sufficient number of encrypted connections to block all workers, resulting in a denial of service.(CVE-2019-3883)"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://alas.aws.amazon.com/ALAS-2020-1334.html"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Run 'yum update 389-ds-base' to update your system."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-10871");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:389-ds-base");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:389-ds-base-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:389-ds-base-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:389-ds-base-libs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:389-ds-base-snmp");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/07/18");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/01/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/01/17");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Amazon Linux Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/AmazonLinux/release");
if (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux");
os_ver = pregmatch(pattern: "^AL(A|\d)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
os_ver = os_ver[1];
if (os_ver != "A")
{
  if (os_ver == 'A') os_ver = 'AMI';
  audit(AUDIT_OS_NOT, "Amazon Linux AMI", "Amazon Linux " + os_ver);
}

if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

flag = 0;
if (rpm_check(release:"ALA", reference:"389-ds-base-1.3.9.1-12.65.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"389-ds-base-debuginfo-1.3.9.1-12.65.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"389-ds-base-devel-1.3.9.1-12.65.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"389-ds-base-libs-1.3.9.1-12.65.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"389-ds-base-snmp-1.3.9.1-12.65.amzn1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "389-ds-base / 389-ds-base-debuginfo / 389-ds-base-devel / etc");
}
```
- NASL family: SuSE Local Security Checks
- NASL id: SUSE_SU-2019-2155-1.NASL
- description: This update for 389-ds to version 1.4.0.26 fixes the following issues : Security issues fixed : CVE-2016-5416: Fixed an information disclosure where a anonymous user could read the default ACI (bsc#991201). CVE-2018-1054: Fixed a denial of service via search filters in SetUnicodeStringFromUTF_8() (bsc#1083689). CVE-2018-1089: Fixed a buffer overflow via large filter value (bsc#1092187). CVE-2018-10871: Fixed an information disclosure in certain plugins leading to the disclosure of plaintext password to an privileged attackers (bsc#1099465). CVE-2018-14638: Fixed a denial of service through a crash in delete_passwdPolicy () (bsc#1108674). CVE-2018-14648: Fixed a denial of service caused by malformed values in search queries (bsc#1109609). CVE-2018-10935: Fixed a denial of service related to ldapsearch with server side sort (bsc#1105606). CVE-2019-3883: Fixed a denial of service caused by hanging LDAP requests over TLS (bsc#1132385). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 128021
- published: 2019-08-20
- reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/128021
- title: SUSE SLED15 / SLES15 Security Update : 389-ds (SUSE-SU-2019:2155-1)
- code:

```
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from SUSE update advisory SUSE-SU-2019:2155-1.
# The text itself is copyright (C) SUSE.
#

include("compat.inc");

if (description)
{
  script_id(128021);
  script_version("1.3");
  script_cvs_date("Date: 2020/01/02");

  script_cve_id("CVE-2016-5416", "CVE-2018-1054", "CVE-2018-10871", "CVE-2018-1089", "CVE-2018-10935", "CVE-2018-14638", "CVE-2018-14648", "CVE-2019-3883");

  script_name(english:"SUSE SLED15 / SLES15 Security Update : 389-ds (SUSE-SU-2019:2155-1)");
  script_summary(english:"Checks rpm output for the updated packages.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote SUSE host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"This update for 389-ds to version 1.4.0.26 fixes the following issues :

Security issues fixed :

CVE-2016-5416: Fixed an information disclosure where a anonymous user could read the default ACI (bsc#991201).

CVE-2018-1054: Fixed a denial of service via search filters in SetUnicodeStringFromUTF_8() (bsc#1083689).

CVE-2018-1089: Fixed a buffer overflow via large filter value (bsc#1092187).

CVE-2018-10871: Fixed an information disclosure in certain plugins leading to the disclosure of plaintext password to an privileged attackers (bsc#1099465).

CVE-2018-14638: Fixed a denial of service through a crash in delete_passwdPolicy () (bsc#1108674).

CVE-2018-14648: Fixed a denial of service caused by malformed values in search queries (bsc#1109609).

CVE-2018-10935: Fixed a denial of service related to ldapsearch with server side sort (bsc#1105606).

CVE-2019-3883: Fixed a denial of service caused by hanging LDAP requests over TLS (bsc#1132385).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1083689"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1092187"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1099465"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1105606"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1108674"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1109609"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1120189"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1132385"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1144797"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=991201"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2016-5416/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2018-1054/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2018-10871/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2018-1089/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2018-10935/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2018-14638/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2018-14648/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2019-3883/"
  );
  # https://www.suse.com/support/update/announcement/2019/suse-su-20192155-1/
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?b92e0f92"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or 'zypper patch'.

Alternatively you can run the command listed for your product :

SUSE Linux Enterprise Module for Server Applications 15-SP1:zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP1-2019-2155=1

SUSE Linux Enterprise Module for Server Applications 15:zypper in -t patch SUSE-SLE-Module-Server-Applications-15-2019-2155=1

SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1:zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2019-2155=1

SUSE Linux Enterprise Module for Open Buildservice Development Tools 15:zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-2019-2155=1"
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-5416");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:389-ds");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:389-ds-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:389-ds-debugsource");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:389-ds-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:389-ds-snmp");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:389-ds-snmp-debuginfo");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:15");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/06/08");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/08/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/08/20");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
os_ver = os_ver[1];
if (! preg(pattern:"^(SLED15|SLES15)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLED15 / SLES15", "SUSE " + os_ver);

if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);

sp = get_kb_item("Host/SuSE/patchlevel");
if (isnull(sp)) sp = "0";
if (os_ver == "SLES15" && (! preg(pattern:"^(0|1)$", string:sp))) audit(AUDIT_OS_NOT, "SLES15 SP0/1", os_ver + " SP" + sp);
if (os_ver == "SLED15" && (! preg(pattern:"^(0|1)$", string:sp))) audit(AUDIT_OS_NOT, "SLED15 SP0/1", os_ver + " SP" + sp);

flag = 0;
if (rpm_check(release:"SLES15", sp:"1", reference:"389-ds-1.4.0.26~git0.8a2d3de6f-4.14.1")) flag++;
if (rpm_check(release:"SLES15", sp:"1", reference:"389-ds-debuginfo-1.4.0.26~git0.8a2d3de6f-4.14.1")) flag++;
if (rpm_check(release:"SLES15", sp:"1", reference:"389-ds-debugsource-1.4.0.26~git0.8a2d3de6f-4.14.1")) flag++;
if (rpm_check(release:"SLES15", sp:"1", reference:"389-ds-devel-1.4.0.26~git0.8a2d3de6f-4.14.1")) flag++;
if (rpm_check(release:"SLES15", sp:"1", reference:"389-ds-debuginfo-1.4.0.26~git0.8a2d3de6f-4.14.1")) flag++;
if (rpm_check(release:"SLES15", sp:"1", reference:"389-ds-debugsource-1.4.0.26~git0.8a2d3de6f-4.14.1")) flag++;
if (rpm_check(release:"SLES15", sp:"1", reference:"389-ds-snmp-1.4.0.26~git0.8a2d3de6f-4.14.1")) flag++;
if (rpm_check(release:"SLES15", sp:"1", reference:"389-ds-snmp-debuginfo-1.4.0.26~git0.8a2d3de6f-4.14.1")) flag++;
if (rpm_check(release:"SLES15", sp:"0", reference:"389-ds-1.4.0.26~git0.8a2d3de6f-4.14.1")) flag++;
if (rpm_check(release:"SLES15", sp:"0", reference:"389-ds-debuginfo-1.4.0.26~git0.8a2d3de6f-4.14.1")) flag++;
if (rpm_check(release:"SLES15", sp:"0", reference:"389-ds-debugsource-1.4.0.26~git0.8a2d3de6f-4.14.1")) flag++;
if (rpm_check(release:"SLES15", sp:"0", reference:"389-ds-devel-1.4.0.26~git0.8a2d3de6f-4.14.1")) flag++;
if (rpm_check(release:"SLES15", sp:"0", reference:"389-ds-debuginfo-1.4.0.26~git0.8a2d3de6f-4.14.1")) flag++;
if (rpm_check(release:"SLES15", sp:"0", reference:"389-ds-debugsource-1.4.0.26~git0.8a2d3de6f-4.14.1")) flag++;
if (rpm_check(release:"SLES15", sp:"0", reference:"389-ds-snmp-1.4.0.26~git0.8a2d3de6f-4.14.1")) flag++;
if (rpm_check(release:"SLES15", sp:"0", reference:"389-ds-snmp-debuginfo-1.4.0.26~git0.8a2d3de6f-4.14.1")) flag++;
if (rpm_check(release:"SLED15", sp:"1", reference:"389-ds-debuginfo-1.4.0.26~git0.8a2d3de6f-4.14.1")) flag++;
if (rpm_check(release:"SLED15", sp:"1", reference:"389-ds-debugsource-1.4.0.26~git0.8a2d3de6f-4.14.1")) flag++;
if (rpm_check(release:"SLED15", sp:"1", reference:"389-ds-snmp-1.4.0.26~git0.8a2d3de6f-4.14.1")) flag++;
if (rpm_check(release:"SLED15", sp:"1", reference:"389-ds-snmp-debuginfo-1.4.0.26~git0.8a2d3de6f-4.14.1")) flag++;
if (rpm_check(release:"SLED15", sp:"0", reference:"389-ds-debuginfo-1.4.0.26~git0.8a2d3de6f-4.14.1")) flag++;
if (rpm_check(release:"SLED15", sp:"0", reference:"389-ds-debugsource-1.4.0.26~git0.8a2d3de6f-4.14.1")) flag++;
if (rpm_check(release:"SLED15", sp:"0", reference:"389-ds-snmp-1.4.0.26~git0.8a2d3de6f-4.14.1")) flag++;
if (rpm_check(release:"SLED15", sp:"0", reference:"389-ds-snmp-debuginfo-1.4.0.26~git0.8a2d3de6f-4.14.1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "389-ds");
}
```
- NASL family: Debian Local Security Checks
- NASL id: DEBIAN_DLA-1483.NASL
- description: CVE-2018-10871 By default nsslapd-unhashed-pw-switch was set to
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 112195
- published: 2018-08-31
- reporter: This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/112195
- title: Debian DLA-1483-1 : 389-ds-base security update
- code:

```
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DLA-1483-1. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

if (description)
{
  script_id(112195);
  script_version("1.2");
  script_cvs_date("Date: 2018/09/18 11:59:19");

  script_cve_id("CVE-2018-10871", "CVE-2018-10935");

  script_name(english:"Debian DLA-1483-1 : 389-ds-base security update");
  script_summary(english:"Checks dpkg output for the updated packages.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Debian host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"CVE-2018-10871

By default nsslapd-unhashed-pw-switch was set to 'on'. So a copy of the unhashed password was kept in modifiers and was possibly logged in changelog and retroCL.

Unless it is used by some plugin it does not require to keep unhashed passwords. The nsslapd-unhashed-pw-switch option is now 'off' by default.

CVE-2018-10935

It was discovered that any authenticated user doing a search using ldapsearch with extended controls for server side sorting could bring down the LDAP server itself.

The fix is to check if we are able to index the provided value. If we are not, then slapd_qsort returns an error (LDAP_OPERATION_ERROR) .

For Debian 8 'Jessie', these problems have been fixed in version 1.3.3.5-4+deb8u2.

We recommend that you upgrade your 389-ds-base packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://lists.debian.org/debian-lts-announce/2018/08/msg00032.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://packages.debian.org/source/jessie/389-ds-base"
  );
  script_set_attribute(attribute:"solution", value:"Upgrade the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:389-ds");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:389-ds-base");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:389-ds-base-dbg");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:389-ds-base-dev");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:389-ds-base-libs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:389-ds-base-libs-dbg");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2018/08/30");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/08/31");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}

include("audit.inc");
include("debian_package.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

flag = 0;
if (deb_check(release:"8.0", prefix:"389-ds", reference:"1.3.3.5-4+deb8u2")) flag++;
if (deb_check(release:"8.0", prefix:"389-ds-base", reference:"1.3.3.5-4+deb8u2")) flag++;
if (deb_check(release:"8.0", prefix:"389-ds-base-dbg", reference:"1.3.3.5-4+deb8u2")) flag++;
if (deb_check(release:"8.0", prefix:"389-ds-base-dev", reference:"1.3.3.5-4+deb8u2")) flag++;
if (deb_check(release:"8.0", prefix:"389-ds-base-libs", reference:"1.3.3.5-4+deb8u2")) flag++;
if (deb_check(release:"8.0", prefix:"389-ds-base-libs-dbg", reference:"1.3.3.5-4+deb8u2")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
  else security_warning(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
```
- NASL family: Huawei Local Security Checks
- NASL id: EULEROS_SA-2019-2127.NASL
- description: According to the version of the 389-ds-base packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - 389-ds-base before versions 1.3.8.5, 1.4.0.12 is vulnerable to a Cleartext Storage of Sensitive Information. By default, when the Replica and/or retroChangeLog plugins are enabled, 389-ds-base stores passwords in plaintext format in their respective changelog files. An attacker with sufficiently high privileges, such as root or Directory Manager, can query these files in order to retrieve plaintext passwords.(CVE-2018-10871) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
- last seen: 2020-05-08
- modified: 2019-11-12
- plugin id: 130836
- published: 2019-11-12
- reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/130836
- title: EulerOS 2.0 SP5 : 389-ds-base (EulerOS-SA-2019-2127)
- code:

```
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(130836);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/07");

  script_cve_id(
    "CVE-2018-10871"
  );

  script_name(english:"EulerOS 2.0 SP5 : 389-ds-base (EulerOS-SA-2019-2127)");
  script_summary(english:"Checks the rpm output for the updated package.");

  script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS host is missing a security update.");
  script_set_attribute(attribute:"description", value:
"According to the version of the 389-ds-base packages installed, the EulerOS installation on the remote host is affected by the following vulnerability :

  - 389-ds-base before versions 1.3.8.5, 1.4.0.12 is vulnerable to a Cleartext Storage of Sensitive Information. By default, when the Replica and/or retroChangeLog plugins are enabled, 389-ds-base stores passwords in plaintext format in their respective changelog files. An attacker with sufficiently high privileges, such as root or Directory Manager, can query these files in order to retrieve plaintext passwords.(CVE-2018-10871)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.");
  # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2127
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?8b386db3");
  script_set_attribute(attribute:"solution", value:
"Update the affected 389-ds-base package.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"patch_publication_date", value:"2019/10/27");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/11/12");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:389-ds-base");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:389-ds-base-libs");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Huawei Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
  script_exclude_keys("Host/EulerOS/uvp_version");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/EulerOS/release");
if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");

sp = get_kb_item("Host/EulerOS/sp");
if (isnull(sp) || sp !~ "^(5)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP5");

uvp = get_kb_item("Host/EulerOS/uvp_version");
if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP5", "EulerOS UVP " + uvp);

if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);

flag = 0;

pkgs = ["389-ds-base-1.3.7.5-28.h3.eulerosv2r7",
        "389-ds-base-libs-1.3.7.5-28.h3.eulerosv2r7"];

foreach (pkg in pkgs)
  if (rpm_check(release:"EulerOS-2.0", sp:"5", reference:pkg)) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_WARNING,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "389-ds-base");
}
```
- NASL family: Red Hat Local Security Checks
- NASL id: REDHAT-RHSA-2019-3401.NASL
- description: An update for the 389-ds:1.4 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 389 Directory Server is an LDAP version 3 (LDAPv3) compliant server. The base packages include the Lightweight Directory Access Protocol (LDAP) server and command-line utilities for server administration. The following packages have been upgraded to a later upstream version: 389-ds-base (1.4.1.3). (BZ#1712467) Security Fix(es) : * 389-ds-base: Read permission check bypass via the deref plugin (CVE-2019-14824) * 389-ds-base: replication and the Retro Changelog plugin store plaintext password by default (CVE-2018-10871) * 389-ds-base: DoS via hanging secured connections (CVE-2019-3883) * 389-ds-base: using dscreate in verbose mode results in information disclosure (CVE-2019-10224) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.1 Release Notes linked from the References section.
- last seen: 2020-05-23
- modified: 2019-11-06
- plugin id: 130535
- published: 2019-11-06
- reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/130535
- title: RHEL 8 : 389-ds:1.4 (RHSA-2019:3401)

- NASL family: Huawei Local Security Checks
- NASL id: EULEROS_SA-2019-2554.NASL
- description: According to the version of the 389-ds-base packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - 389-ds-base before versions 1.3.8.5, 1.4.0.12 is vulnerable to a Cleartext Storage of Sensitive Information. By default, when the Replica and/or retroChangeLog plugins are enabled, 389-ds-base stores passwords in plaintext format in their respective changelog files. An attacker with sufficiently high privileges, such as root or Directory Manager, can query these files in order to retrieve plaintext passwords.(CVE-2018-10871) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
- last seen: 2020-05-08
- modified: 2019-12-19
- plugin id: 132271
- published: 2019-12-19
- reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/132271
- title: EulerOS 2.0 SP3 : 389-ds-base (EulerOS-SA-2019-2554)
References
- https://access.redhat.com/errata/RHSA-2019:3401
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10871
- https://lists.debian.org/debian-lts-announce/2018/08/msg00032.html
- https://pagure.io/389-ds-base/issue/49789