Vulnerabilities > CVE-2018-1089 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
PARTIAL
network
low complexity
fedoraproject
redhat
debian
CWE-119
nessus

Summary

389-ds-base before versions 1.4.0.9, 1.3.8.1, 1.3.6.15 did not properly handle long search filters with characters needing escapes, possibly leading to buffer overflows. A remote, unauthenticated attacker could potentially use this flaw to make ns-slapd crash via a specially crafted LDAP request, thus resulting in denial of service.

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Nessus

  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2018-1380.NASL
    descriptionAn update for 389-ds-base is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 389 Directory Server is an LDAP version 3 (LDAPv3) compliant server. The base packages include the Lightweight Directory Access Protocol (LDAP) server and command-line utilities for server administration. Security Fix(es) : * 389-ds-base: ns-slapd crash via large filter value in ldapsearch (CVE-2018-1089) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank Greg Kubok for reporting this issue. Bug Fix(es) : * Indexing tasks in Directory Server contain the nsTaskStatus attribute to monitor whether the task is completed and the database is ready to receive updates. Before this update, the server set the value that indexing had completed before the database was ready to receive updates. Applications which monitor nsTaskStatus could start sending updates as soon as indexing completed, but before the database was ready. As a consequence, the server rejected updates with an UNWILLING_TO_PERFORM error. The problem has been fixed. As a result, the nsTaskStatus attribute now shows that indexing is completed after the database is ready to receive updates. (BZ#1553605) * Previously, Directory Server did not remember when the first operation, bind, or a connection was started. As a consequence, the server applied in certain situations anonymous resource limits to an authenticated client. With this update, Directory Server properly marks authenticated client connections. As a result, it applies the correct resource limits, and authenticated clients no longer get randomly restricted by anonymous resource limits. (BZ#1554720) * When debug replication logging is enabled, Directory Server incorrectly logged an error that updating the replica update vector (RUV) failed when in fact the update succeeded. The problem has been fixed, and the server no longer logs an error if updating the RUV succeeds. (BZ#1559464) * This update adds the -W option to the ds-replcheck utility. With this option, ds-replcheck asks for the password, similar to OpenLDAP utilities. As a result, the password is not stored in the shell
    last seen2020-06-01
    modified2020-06-02
    plugin id109832
    published2018-05-16
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109832
    titleRHEL 7 : 389-ds-base (RHSA-2018:1380)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2018:1380. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(109832);
      script_version("1.9");
      script_cvs_date("Date: 2019/10/24 15:35:44");
    
      script_cve_id("CVE-2018-1089");
      script_xref(name:"RHSA", value:"2018:1380");
    
      script_name(english:"RHEL 7 : 389-ds-base (RHSA-2018:1380)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "An update for 389-ds-base is now available for Red Hat Enterprise
    Linux 7.
    
    Red Hat Product Security has rated this update as having a security
    impact of Important. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available for each
    vulnerability from the CVE link(s) in the References section.
    
    389 Directory Server is an LDAP version 3 (LDAPv3) compliant server.
    The base packages include the Lightweight Directory Access Protocol
    (LDAP) server and command-line utilities for server administration.
    
    Security Fix(es) :
    
    * 389-ds-base: ns-slapd crash via large filter value in ldapsearch
    (CVE-2018-1089)
    
    For more details about the security issue(s), including the impact, a
    CVSS score, and other related information, refer to the CVE page(s)
    listed in the References section.
    
    Red Hat would like to thank Greg Kubok for reporting this issue.
    
    Bug Fix(es) :
    
    * Indexing tasks in Directory Server contain the nsTaskStatus
    attribute to monitor whether the task is completed and the database is
    ready to receive updates. Before this update, the server set the value
    that indexing had completed before the database was ready to receive
    updates. Applications which monitor nsTaskStatus could start sending
    updates as soon as indexing completed, but before the database was
    ready. As a consequence, the server rejected updates with an
    UNWILLING_TO_PERFORM error. The problem has been fixed. As a result,
    the nsTaskStatus attribute now shows that indexing is completed after
    the database is ready to receive updates. (BZ#1553605)
    
    * Previously, Directory Server did not remember when the first
    operation, bind, or a connection was started. As a consequence, the
    server applied in certain situations anonymous resource limits to an
    authenticated client. With this update, Directory Server properly
    marks authenticated client connections. As a result, it applies the
    correct resource limits, and authenticated clients no longer get
    randomly restricted by anonymous resource limits. (BZ#1554720)
    
    * When debug replication logging is enabled, Directory Server
    incorrectly logged an error that updating the replica update vector
    (RUV) failed when in fact the update succeeded. The problem has been
    fixed, and the server no longer logs an error if updating the RUV
    succeeds. (BZ#1559464)
    
    * This update adds the -W option to the ds-replcheck utility. With
    this option, ds-replcheck asks for the password, similar to OpenLDAP
    utilities. As a result, the password is not stored in the shell's
    history file when the -W option is used. (BZ#1559760)
    
    * If an administrator moves a group in Directory Server from one
    subtree to another, the memberOf plug-in deletes the memberOf
    attribute with the old value and adds a new memberOf attribute with
    the new group's distinguished name (DN) in affected user entries.
    Previously, if the old subtree was not within the scope of the
    memberOf plug-in, deleting the old memberOf attribute failed because
    the values did not exist. As a consequence, the plug-in did not add
    the new memberOf value, and the user entry contained an incorrect
    memberOf value. With this update, the plug-in now checks the return
    code when deleting the old value. If the return code is 'no such
    value', the plug-in only adds the new memberOf value. As a result, the
    memberOf attribute information is correct. (BZ#1559764)
    
    * In a Directory Server replication topology, updates are managed by
    using Change Sequence Numbers (CSN) based on time stamps. New CSNs
    must be higher than the highest CSN present in the relative update
    vector (RUV). In case the server generates a new CSN in the same
    second as the most recent CSN, the sequence number is increased to
    ensure that it is higher. However, if the most recent CSN and the new
    CSN were identical, the sequence number was not increased. In this
    situation, the new CSN was, except the replica ID, identical to the
    most recent one. As a consequence, a new update in the directory
    appeared in certain situations older than the most recent update. With
    this update, Directory Server increases the CSN if the sequence number
    is lower or equal to the most recent one. As a result, new updates are
    no longer considered older than the most recent data. (BZ#1563079)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2018:1380"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-1089"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:389-ds-base");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:389-ds-base-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:389-ds-base-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:389-ds-base-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:389-ds-base-snmp");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.5");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.6");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.7");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/05/09");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/05/14");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/05/16");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 7.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2018:1380";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_WARNING,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"389-ds-base-1.3.7.5-21.el7_5")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"389-ds-base-1.3.7.5-21.el7_5")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"389-ds-base-debuginfo-1.3.7.5-21.el7_5")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"389-ds-base-debuginfo-1.3.7.5-21.el7_5")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"389-ds-base-devel-1.3.7.5-21.el7_5")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"389-ds-base-devel-1.3.7.5-21.el7_5")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"389-ds-base-libs-1.3.7.5-21.el7_5")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"389-ds-base-libs-1.3.7.5-21.el7_5")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"389-ds-base-snmp-1.3.7.5-21.el7_5")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"389-ds-base-snmp-1.3.7.5-21.el7_5")) flag++;
    
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_WARNING,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "389-ds-base / 389-ds-base-debuginfo / 389-ds-base-devel / etc");
      }
    }
    
  • NASL familyAmazon Linux Local Security Checks
    NASL idALA_ALAS-2018-1036.NASL
    descriptionIt was found that 389-ds-base did not properly handle long search filters with characters needing escapes, possibly leading to buffer overflows. A remote, unauthenticated attacker could potentially use this flaw to make ns-slapd crash via a specially crafted LDAP request, thus resulting in denial of service.(CVE-2018-1089)
    last seen2020-06-01
    modified2020-06-02
    plugin id110459
    published2018-06-12
    reporterThis script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110459
    titleAmazon Linux AMI : 389-ds-base (ALAS-2018-1036)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Amazon Linux AMI Security Advisory ALAS-2018-1036.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(110459);
      script_version("1.3");
      script_cvs_date("Date: 2018/08/31 12:25:01");
    
      script_cve_id("CVE-2018-1089");
      script_xref(name:"ALAS", value:"2018-1036");
    
      script_name(english:"Amazon Linux AMI : 389-ds-base (ALAS-2018-1036)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Amazon Linux AMI host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "It was found that 389-ds-base did not properly handle long search
    filters with characters needing escapes, possibly leading to buffer
    overflows. A remote, unauthenticated attacker could potentially use
    this flaw to make ns-slapd crash via a specially crafted LDAP request,
    thus resulting in denial of service.(CVE-2018-1089)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://alas.aws.amazon.com/ALAS-2018-1036.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Run 'yum update 389-ds-base' to update your system."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:389-ds-base");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:389-ds-base-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:389-ds-base-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:389-ds-base-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:389-ds-base-snmp");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2018/06/08");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/06/12");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Amazon Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/AmazonLinux/release");
    if (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux");
    os_ver = pregmatch(pattern: "^AL(A|\d)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
    os_ver = os_ver[1];
    if (os_ver != "A")
    {
      if (os_ver == 'A') os_ver = 'AMI';
      audit(AUDIT_OS_NOT, "Amazon Linux AMI", "Amazon Linux " + os_ver);
    }
    
    if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (rpm_check(release:"ALA", reference:"389-ds-base-1.3.7.5-21.56.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"389-ds-base-debuginfo-1.3.7.5-21.56.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"389-ds-base-devel-1.3.7.5-21.56.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"389-ds-base-libs-1.3.7.5-21.56.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"389-ds-base-snmp-1.3.7.5-21.56.amzn1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "389-ds-base / 389-ds-base-debuginfo / 389-ds-base-devel / etc");
    }
    
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2018-1364.NASL
    descriptionAn update for 389-ds-base is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 389 Directory Server is an LDAP version 3 (LDAPv3) compliant server. The base packages include the Lightweight Directory Access Protocol (LDAP) server and command-line utilities for server administration. Security Fix(es) : * 389-ds-base: ns-slapd crash via large filter value in ldapsearch (CVE-2018-1089) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank Greg Kubok for reporting this issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id109669
    published2018-05-10
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109669
    titleRHEL 6 : 389-ds-base (RHSA-2018:1364)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2018:1364. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(109669);
      script_version("1.7");
      script_cvs_date("Date: 2019/10/24 15:35:44");
    
      script_cve_id("CVE-2018-1089");
      script_xref(name:"RHSA", value:"2018:1364");
    
      script_name(english:"RHEL 6 : 389-ds-base (RHSA-2018:1364)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "An update for 389-ds-base is now available for Red Hat Enterprise
    Linux 6.
    
    Red Hat Product Security has rated this update as having a security
    impact of Important. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available for each
    vulnerability from the CVE link(s) in the References section.
    
    389 Directory Server is an LDAP version 3 (LDAPv3) compliant server.
    The base packages include the Lightweight Directory Access Protocol
    (LDAP) server and command-line utilities for server administration.
    
    Security Fix(es) :
    
    * 389-ds-base: ns-slapd crash via large filter value in ldapsearch
    (CVE-2018-1089)
    
    For more details about the security issue(s), including the impact, a
    CVSS score, and other related information, refer to the CVE page(s)
    listed in the References section.
    
    Red Hat would like to thank Greg Kubok for reporting this issue."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2018:1364"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-1089"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:389-ds-base");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:389-ds-base-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:389-ds-base-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:389-ds-base-libs");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/05/09");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/05/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/05/10");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 6.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2018:1364";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_WARNING,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL6", cpu:"i686", reference:"389-ds-base-1.2.11.15-95.el6_9")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"389-ds-base-1.2.11.15-95.el6_9")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"i686", reference:"389-ds-base-debuginfo-1.2.11.15-95.el6_9")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"389-ds-base-debuginfo-1.2.11.15-95.el6_9")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"i686", reference:"389-ds-base-devel-1.2.11.15-95.el6_9")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"389-ds-base-devel-1.2.11.15-95.el6_9")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"i686", reference:"389-ds-base-libs-1.2.11.15-95.el6_9")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"389-ds-base-libs-1.2.11.15-95.el6_9")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_WARNING,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "389-ds-base / 389-ds-base-debuginfo / 389-ds-base-devel / etc");
      }
    }
    
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2018-1364.NASL
    descriptionAn update for 389-ds-base is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 389 Directory Server is an LDAP version 3 (LDAPv3) compliant server. The base packages include the Lightweight Directory Access Protocol (LDAP) server and command-line utilities for server administration. Security Fix(es) : * 389-ds-base: ns-slapd crash via large filter value in ldapsearch (CVE-2018-1089) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank Greg Kubok for reporting this issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id109656
    published2018-05-10
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109656
    titleCentOS 6 : 389-ds-base (CESA-2018:1364)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2018:1364 and 
    # CentOS Errata and Security Advisory 2018:1364 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(109656);
      script_version("1.6");
      script_cvs_date("Date: 2019/12/31");
    
      script_cve_id("CVE-2018-1089");
      script_xref(name:"RHSA", value:"2018:1364");
    
      script_name(english:"CentOS 6 : 389-ds-base (CESA-2018:1364)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote CentOS host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "An update for 389-ds-base is now available for Red Hat Enterprise
    Linux 6.
    
    Red Hat Product Security has rated this update as having a security
    impact of Important. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available for each
    vulnerability from the CVE link(s) in the References section.
    
    389 Directory Server is an LDAP version 3 (LDAPv3) compliant server.
    The base packages include the Lightweight Directory Access Protocol
    (LDAP) server and command-line utilities for server administration.
    
    Security Fix(es) :
    
    * 389-ds-base: ns-slapd crash via large filter value in ldapsearch
    (CVE-2018-1089)
    
    For more details about the security issue(s), including the impact, a
    CVSS score, and other related information, refer to the CVE page(s)
    listed in the References section.
    
    Red Hat would like to thank Greg Kubok for reporting this issue."
      );
      # https://lists.centos.org/pipermail/centos-announce/2018-May/022822.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?f943d096"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected 389-ds-base packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-1089");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:389-ds-base");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:389-ds-base-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:389-ds-base-libs");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:6");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/05/09");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/05/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/05/10");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"CentOS Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/CentOS/release");
    if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS");
    os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS");
    os_ver = os_ver[1];
    if (! preg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 6.x", "CentOS " + os_ver);
    
    if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"CentOS-6", reference:"389-ds-base-1.2.11.15-95.el6_9")) flag++;
    if (rpm_check(release:"CentOS-6", reference:"389-ds-base-devel-1.2.11.15-95.el6_9")) flag++;
    if (rpm_check(release:"CentOS-6", reference:"389-ds-base-libs-1.2.11.15-95.el6_9")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "389-ds-base / 389-ds-base-devel / 389-ds-base-libs");
    }
    
  • NASL familyAmazon Linux Local Security Checks
    NASL idAL2_ALAS-2018-1036.NASL
    descriptionIt was found that 389-ds-base did not properly handle long search filters with characters needing escapes, possibly leading to buffer overflows. A remote, unauthenticated attacker could potentially use this flaw to make ns-slapd crash via a specially crafted LDAP request, thus resulting in denial of service.(CVE-2018-1089)
    last seen2020-06-01
    modified2020-06-02
    plugin id110453
    published2018-06-12
    reporterThis script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110453
    titleAmazon Linux 2 : 389-ds-base (ALAS-2018-1036)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Amazon Linux 2 Security Advisory ALAS-2018-1036.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(110453);
      script_version("1.3");
      script_cvs_date("Date: 2018/08/31 12:25:00");
    
      script_cve_id("CVE-2018-1089");
      script_xref(name:"ALAS", value:"2018-1036");
    
      script_name(english:"Amazon Linux 2 : 389-ds-base (ALAS-2018-1036)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Amazon Linux 2 host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "It was found that 389-ds-base did not properly handle long search
    filters with characters needing escapes, possibly leading to buffer
    overflows. A remote, unauthenticated attacker could potentially use
    this flaw to make ns-slapd crash via a specially crafted LDAP request,
    thus resulting in denial of service.(CVE-2018-1089)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://alas.aws.amazon.com/AL2/ALAS-2018-1036.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Run 'yum update 389-ds-base' to update your system."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:389-ds-base");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:389-ds-base-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:389-ds-base-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:389-ds-base-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:389-ds-base-snmp");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux:2");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2018/06/08");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/06/12");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Amazon Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/AmazonLinux/release");
    if (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux");
    os_ver = pregmatch(pattern: "^AL(A|\d)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
    os_ver = os_ver[1];
    if (os_ver != "2")
    {
      if (os_ver == 'A') os_ver = 'AMI';
      audit(AUDIT_OS_NOT, "Amazon Linux 2", "Amazon Linux " + os_ver);
    }
    
    if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (rpm_check(release:"AL2", cpu:"x86_64", reference:"389-ds-base-1.3.7.5-21.amzn2.0.1")) flag++;
    if (rpm_check(release:"AL2", cpu:"x86_64", reference:"389-ds-base-debuginfo-1.3.7.5-21.amzn2.0.1")) flag++;
    if (rpm_check(release:"AL2", cpu:"x86_64", reference:"389-ds-base-devel-1.3.7.5-21.amzn2.0.1")) flag++;
    if (rpm_check(release:"AL2", cpu:"x86_64", reference:"389-ds-base-libs-1.3.7.5-21.amzn2.0.1")) flag++;
    if (rpm_check(release:"AL2", cpu:"x86_64", reference:"389-ds-base-snmp-1.3.7.5-21.amzn2.0.1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "389-ds-base / 389-ds-base-debuginfo / 389-ds-base-devel / etc");
    }
    
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2018-1380.NASL
    descriptionAn update for 389-ds-base is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 389 Directory Server is an LDAP version 3 (LDAPv3) compliant server. The base packages include the Lightweight Directory Access Protocol (LDAP) server and command-line utilities for server administration. Security Fix(es) : * 389-ds-base: ns-slapd crash via large filter value in ldapsearch (CVE-2018-1089) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank Greg Kubok for reporting this issue. Bug Fix(es) : * Indexing tasks in Directory Server contain the nsTaskStatus attribute to monitor whether the task is completed and the database is ready to receive updates. Before this update, the server set the value that indexing had completed before the database was ready to receive updates. Applications which monitor nsTaskStatus could start sending updates as soon as indexing completed, but before the database was ready. As a consequence, the server rejected updates with an UNWILLING_TO_PERFORM error. The problem has been fixed. As a result, the nsTaskStatus attribute now shows that indexing is completed after the database is ready to receive updates. (BZ#1553605) * Previously, Directory Server did not remember when the first operation, bind, or a connection was started. As a consequence, the server applied in certain situations anonymous resource limits to an authenticated client. With this update, Directory Server properly marks authenticated client connections. As a result, it applies the correct resource limits, and authenticated clients no longer get randomly restricted by anonymous resource limits. (BZ#1554720) * When debug replication logging is enabled, Directory Server incorrectly logged an error that updating the replica update vector (RUV) failed when in fact the update succeeded. The problem has been fixed, and the server no longer logs an error if updating the RUV succeeds. (BZ#1559464) * This update adds the -W option to the ds-replcheck utility. With this option, ds-replcheck asks for the password, similar to OpenLDAP utilities. As a result, the password is not stored in the shell
    last seen2020-06-01
    modified2020-06-02
    plugin id110246
    published2018-05-31
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110246
    titleCentOS 7 : 389-ds-base (CESA-2018:1380)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2018:1380 and 
    # CentOS Errata and Security Advisory 2018:1380 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(110246);
      script_version("1.7");
      script_cvs_date("Date: 2019/12/31");
    
      script_cve_id("CVE-2018-1089");
      script_xref(name:"RHSA", value:"2018:1380");
    
      script_name(english:"CentOS 7 : 389-ds-base (CESA-2018:1380)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote CentOS host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "An update for 389-ds-base is now available for Red Hat Enterprise
    Linux 7.
    
    Red Hat Product Security has rated this update as having a security
    impact of Important. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available for each
    vulnerability from the CVE link(s) in the References section.
    
    389 Directory Server is an LDAP version 3 (LDAPv3) compliant server.
    The base packages include the Lightweight Directory Access Protocol
    (LDAP) server and command-line utilities for server administration.
    
    Security Fix(es) :
    
    * 389-ds-base: ns-slapd crash via large filter value in ldapsearch
    (CVE-2018-1089)
    
    For more details about the security issue(s), including the impact, a
    CVSS score, and other related information, refer to the CVE page(s)
    listed in the References section.
    
    Red Hat would like to thank Greg Kubok for reporting this issue.
    
    Bug Fix(es) :
    
    * Indexing tasks in Directory Server contain the nsTaskStatus
    attribute to monitor whether the task is completed and the database is
    ready to receive updates. Before this update, the server set the value
    that indexing had completed before the database was ready to receive
    updates. Applications which monitor nsTaskStatus could start sending
    updates as soon as indexing completed, but before the database was
    ready. As a consequence, the server rejected updates with an
    UNWILLING_TO_PERFORM error. The problem has been fixed. As a result,
    the nsTaskStatus attribute now shows that indexing is completed after
    the database is ready to receive updates. (BZ#1553605)
    
    * Previously, Directory Server did not remember when the first
    operation, bind, or a connection was started. As a consequence, the
    server applied in certain situations anonymous resource limits to an
    authenticated client. With this update, Directory Server properly
    marks authenticated client connections. As a result, it applies the
    correct resource limits, and authenticated clients no longer get
    randomly restricted by anonymous resource limits. (BZ#1554720)
    
    * When debug replication logging is enabled, Directory Server
    incorrectly logged an error that updating the replica update vector
    (RUV) failed when in fact the update succeeded. The problem has been
    fixed, and the server no longer logs an error if updating the RUV
    succeeds. (BZ#1559464)
    
    * This update adds the -W option to the ds-replcheck utility. With
    this option, ds-replcheck asks for the password, similar to OpenLDAP
    utilities. As a result, the password is not stored in the shell's
    history file when the -W option is used. (BZ#1559760)
    
    * If an administrator moves a group in Directory Server from one
    subtree to another, the memberOf plug-in deletes the memberOf
    attribute with the old value and adds a new memberOf attribute with
    the new group's distinguished name (DN) in affected user entries.
    Previously, if the old subtree was not within the scope of the
    memberOf plug-in, deleting the old memberOf attribute failed because
    the values did not exist. As a consequence, the plug-in did not add
    the new memberOf value, and the user entry contained an incorrect
    memberOf value. With this update, the plug-in now checks the return
    code when deleting the old value. If the return code is 'no such
    value', the plug-in only adds the new memberOf value. As a result, the
    memberOf attribute information is correct. (BZ#1559764)
    
    * In a Directory Server replication topology, updates are managed by
    using Change Sequence Numbers (CSN) based on time stamps. New CSNs
    must be higher than the highest CSN present in the relative update
    vector (RUV). In case the server generates a new CSN in the same
    second as the most recent CSN, the sequence number is increased to
    ensure that it is higher. However, if the most recent CSN and the new
    CSN were identical, the sequence number was not increased. In this
    situation, the new CSN was, except the replica ID, identical to the
    most recent one. As a consequence, a new update in the directory
    appeared in certain situations older than the most recent update. With
    this update, Directory Server increases the CSN if the sequence number
    is lower or equal to the most recent one. As a result, new updates are
    no longer considered older than the most recent data. (BZ#1563079)"
      );
      # https://lists.centos.org/pipermail/centos-announce/2018-May/022850.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?6142158f"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected 389-ds-base packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-1089");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:389-ds-base");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:389-ds-base-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:389-ds-base-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:389-ds-base-snmp");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:7");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/05/09");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/05/30");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/05/31");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"CentOS Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/CentOS/release");
    if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS");
    os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS");
    os_ver = os_ver[1];
    if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 7.x", "CentOS " + os_ver);
    
    if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"389-ds-base-1.3.7.5-21.el7_5")) flag++;
    if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"389-ds-base-devel-1.3.7.5-21.el7_5")) flag++;
    if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"389-ds-base-libs-1.3.7.5-21.el7_5")) flag++;
    if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"389-ds-base-snmp-1.3.7.5-21.el7_5")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "389-ds-base / 389-ds-base-devel / 389-ds-base-libs / etc");
    }
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-1428.NASL
    descriptionCVE-2015-1854 A flaw was found while doing authorization of modrdn operations. An unauthenticated attacker able to issue an ldapmodrdn call to the directory server could perform unauthorized modifications of entries in the directory server. CVE-2017-15134 Improper handling of a search filter in slapi_filter_sprintf() in slapd/util.c can lead to remote server crash and denial of service. CVE-2018-1054 When read access on <attribute_name> is enabled, a flaw in SetUnicodeStringFromUTF_8 function in collate.c, can lead to out-of-bounds memory operations. This might result in a server crash, caused by unauthorized users. CVE-2018-1089 Any user (anonymous or authenticated) can crash ns-slapd with a crafted ldapsearch query with very long filter value. CVE-2018-10850 Due to a race condition the server could crash in turbo mode (because of high traffic) or when a worker reads several requests in the read buffer (more_data). Thus an anonymous attacker could trigger a denial of service. For Debian 8
    last seen2020-06-01
    modified2020-06-02
    plugin id111086
    published2018-07-16
    reporterThis script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/111086
    titleDebian DLA-1428-1 : 389-ds-base security update
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2019-2155-1.NASL
    descriptionThis update for 389-ds to version 1.4.0.26 fixes the following issues : Security issues fixed : CVE-2016-5416: Fixed an information disclosure where a anonymous user could read the default ACI (bsc#991201). CVE-2018-1054: Fixed a denial of service via search filters in SetUnicodeStringFromUTF_8() (bsc#1083689). CVE-2018-1089: Fixed a buffer overflow via large filter value (bsc#1092187). CVE-2018-10871: Fixed an information disclosure in certain plugins leading to the disclosure of plaintext password to an privileged attackers (bsc#1099465). CVE-2018-14638: Fixed a denial of service through a crash in delete_passwdPolicy () (bsc#1108674). CVE-2018-14648: Fixed a denial of service caused by malformed values in search queries (bsc#1109609). CVE-2018-10935: Fixed a denial of service related to ldapsearch with server side sort (bsc#1105606). CVE-2019-3883: Fixed a denial of service caused by hanging LDAP requests over TLS (bsc#1132385). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id128021
    published2019-08-20
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128021
    titleSUSE SLED15 / SLES15 Security Update : 389-ds (SUSE-SU-2019:2155-1)
  • NASL familyNewStart CGSL Local Security Checks
    NASL idNEWSTART_CGSL_NS-SA-2019-0140_389-DS-BASE.NASL
    descriptionThe remote NewStart CGSL host, running version MAIN 4.05, has 389-ds-base packages installed that are affected by a vulnerability: - It was found that 389-ds-base did not properly handle long search filters with characters needing escapes, possibly leading to buffer overflows. A remote, unauthenticated attacker could potentially use this flaw to make ns-slapd crash via a specially crafted LDAP request, thus resulting in denial of service. (CVE-2018-1089) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id127402
    published2019-08-12
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127402
    titleNewStart CGSL MAIN 4.05 : 389-ds-base Vulnerability (NS-SA-2019-0140)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20180509_389_DS_BASE_ON_SL6_X.NASL
    descriptionSecurity Fix(es) : - 389-ds-base: ns-slapd crash via large filter value in ldapsearch (CVE-2018-1089)
    last seen2020-03-18
    modified2018-05-10
    plugin id109671
    published2018-05-10
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109671
    titleScientific Linux Security Update : 389-ds-base on SL6.x i386/x86_64 (20180509)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20180515_389_DS_BASE_ON_SL7_X.NASL
    descriptionSecurity Fix(es) : - 389-ds-base: ns-slapd crash via large filter value in ldapsearch (CVE-2018-1089) Bug Fix(es) : - Indexing tasks in Directory Server contain the nsTaskStatus attribute to monitor whether the task is completed and the database is ready to receive updates. Before this update, the server set the value that indexing had completed before the database was ready to receive updates. Applications which monitor nsTaskStatus could start sending updates as soon as indexing completed, but before the database was ready. As a consequence, the server rejected updates with an UNWILLING_TO_PERFORM error. The problem has been fixed. As a result, the nsTaskStatus attribute now shows that indexing is completed after the database is ready to receive updates. - Previously, Directory Server did not remember when the first operation, bind, or a connection was started. As a consequence, the server applied in certain situations anonymous resource limits to an authenticated client. With this update, Directory Server properly marks authenticated client connections. As a result, it applies the correct resource limits, and authenticated clients no longer get randomly restricted by anonymous resource limits. - When debug replication logging is enabled, Directory Server incorrectly logged an error that updating the replica update vector (RUV) failed when in fact the update succeeded. The problem has been fixed, and the server no longer logs an error if updating the RUV succeeds. - This update adds the -W option to the ds-replcheck utility. With this option, ds-replcheck asks for the password, similar to OpenLDAP utilities. As a result, the password is not stored in the shell
    last seen2020-03-18
    modified2018-05-16
    plugin id109848
    published2018-05-16
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109848
    titleScientific Linux Security Update : 389-ds-base on SL7.x x86_64 (20180515)
  • NASL familyNewStart CGSL Local Security Checks
    NASL idNEWSTART_CGSL_NS-SA-2019-0038_389-DS-BASE.NASL
    descriptionThe remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has 389-ds-base packages installed that are affected by multiple vulnerabilities: - A race condition was found in the way 389-ds-base handles persistent search, resulting in a crash if the server is under load. An anonymous attacker could use this flaw to trigger a denial of service. (CVE-2018-10850) - It was found that 389-ds-base did not properly handle long search filters with characters needing escapes, possibly leading to buffer overflows. A remote, unauthenticated attacker could potentially use this flaw to make ns-slapd crash via a specially crafted LDAP request, thus resulting in denial of service. (CVE-2018-1089) - A vulnerability was discovered in 389-ds-base. The lock controlling the error log was not correctly used when re-opening the log file in log__error_emergency(). An attacker could send a flood of modifications to a very large DN, which would cause slapd to crash. (CVE-2018-14624) - A double-free of a password policy structure was found in the way slapd was handling certain errors during persistent search. A unauthenticated attacker could use this flaw to crash Directory Server. (CVE-2018-14638) - A flaw was found in the 389 Directory Server that allows users to cause a crash in the LDAP server using ldapsearch with server side sort. (CVE-2018-10935) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id127210
    published2019-08-12
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127210
    titleNewStart CGSL CORE 5.04 / MAIN 5.04 : 389-ds-base Multiple Vulnerabilities (NS-SA-2019-0038)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2018-1364.NASL
    descriptionFrom Red Hat Security Advisory 2018:1364 : An update for 389-ds-base is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 389 Directory Server is an LDAP version 3 (LDAPv3) compliant server. The base packages include the Lightweight Directory Access Protocol (LDAP) server and command-line utilities for server administration. Security Fix(es) : * 389-ds-base: ns-slapd crash via large filter value in ldapsearch (CVE-2018-1089) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank Greg Kubok for reporting this issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id109666
    published2018-05-10
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109666
    titleOracle Linux 6 : 389-ds-base (ELSA-2018-1364)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2018-1191.NASL
    descriptionAccording to the version of the 389-ds-base packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - It was found that 389-ds-base did not properly handle long search filters with characters needing escapes, possibly leading to buffer overflows. A remote, unauthenticated attacker could potentially use this flaw to make ns-slapd crash via a specially crafted LDAP request, thus resulting in denial of service.(CVE-2018-1089) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-06
    modified2018-07-03
    plugin id110855
    published2018-07-03
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110855
    titleEulerOS 2.0 SP3 : 389-ds-base (EulerOS-SA-2018-1191)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2018-1190.NASL
    descriptionAccording to the versions of the 389-ds-base packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - It was found that 389-ds-base did not properly handle long search filters with characters needing escapes, possibly leading to buffer overflows. A remote, unauthenticated attacker could potentially use this flaw to make ns-slapd crash via a specially crafted LDAP request, thus resulting in denial of service.(CVE-2018-1089) - It was found that the uniqueness_entry_to_config() function, used by the
    last seen2020-05-06
    modified2018-07-03
    plugin id110854
    published2018-07-03
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110854
    titleEulerOS 2.0 SP2 : 389-ds-base (EulerOS-SA-2018-1190)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2018-1380.NASL
    descriptionFrom Red Hat Security Advisory 2018:1380 : An update for 389-ds-base is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 389 Directory Server is an LDAP version 3 (LDAPv3) compliant server. The base packages include the Lightweight Directory Access Protocol (LDAP) server and command-line utilities for server administration. Security Fix(es) : * 389-ds-base: ns-slapd crash via large filter value in ldapsearch (CVE-2018-1089) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank Greg Kubok for reporting this issue. Bug Fix(es) : * Indexing tasks in Directory Server contain the nsTaskStatus attribute to monitor whether the task is completed and the database is ready to receive updates. Before this update, the server set the value that indexing had completed before the database was ready to receive updates. Applications which monitor nsTaskStatus could start sending updates as soon as indexing completed, but before the database was ready. As a consequence, the server rejected updates with an UNWILLING_TO_PERFORM error. The problem has been fixed. As a result, the nsTaskStatus attribute now shows that indexing is completed after the database is ready to receive updates. (BZ#1553605) * Previously, Directory Server did not remember when the first operation, bind, or a connection was started. As a consequence, the server applied in certain situations anonymous resource limits to an authenticated client. With this update, Directory Server properly marks authenticated client connections. As a result, it applies the correct resource limits, and authenticated clients no longer get randomly restricted by anonymous resource limits. (BZ#1554720) * When debug replication logging is enabled, Directory Server incorrectly logged an error that updating the replica update vector (RUV) failed when in fact the update succeeded. The problem has been fixed, and the server no longer logs an error if updating the RUV succeeds. (BZ#1559464) * This update adds the -W option to the ds-replcheck utility. With this option, ds-replcheck asks for the password, similar to OpenLDAP utilities. As a result, the password is not stored in the shell
    last seen2020-06-01
    modified2020-06-02
    plugin id109807
    published2018-05-15
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109807
    titleOracle Linux 7 : 389-ds-base (ELSA-2018-1380)

Redhat

advisories
  • bugzilla
    id1559802
    titleCVE-2018-1089 389-ds-base: ns-slapd crash via large filter value in ldapsearch
    oval
    OR
    • commentRed Hat Enterprise Linux must be installed
      ovaloval:com.redhat.rhba:tst:20070304026
    • AND
      • commentRed Hat Enterprise Linux 6 is installed
        ovaloval:com.redhat.rhba:tst:20111656003
      • OR
        • AND
          • comment389-ds-base-devel is earlier than 0:1.2.11.15-95.el6_9
            ovaloval:com.redhat.rhsa:tst:20181364001
          • comment389-ds-base-devel is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhba:tst:20151554002
        • AND
          • comment389-ds-base-libs is earlier than 0:1.2.11.15-95.el6_9
            ovaloval:com.redhat.rhsa:tst:20181364003
          • comment389-ds-base-libs is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhba:tst:20151554004
        • AND
          • comment389-ds-base is earlier than 0:1.2.11.15-95.el6_9
            ovaloval:com.redhat.rhsa:tst:20181364005
          • comment389-ds-base is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhba:tst:20151554006
    rhsa
    idRHSA-2018:1364
    released2018-05-09
    severityImportant
    titleRHSA-2018:1364: 389-ds-base security update (Important)
  • bugzilla
    id1563079
    titleadjustment of csn_generator can fail so next generated csn can be equal to the most recent one received [rhel-7.5.z]
    oval
    OR
    • commentRed Hat Enterprise Linux must be installed
      ovaloval:com.redhat.rhba:tst:20070304026
    • AND
      • commentRed Hat Enterprise Linux 7 is installed
        ovaloval:com.redhat.rhba:tst:20150364027
      • OR
        • AND
          • comment389-ds-base is earlier than 0:1.3.7.5-21.el7_5
            ovaloval:com.redhat.rhsa:tst:20181380001
          • comment389-ds-base is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhba:tst:20151554006
        • AND
          • comment389-ds-base-snmp is earlier than 0:1.3.7.5-21.el7_5
            ovaloval:com.redhat.rhsa:tst:20181380003
          • comment389-ds-base-snmp is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20162594008
        • AND
          • comment389-ds-base-devel is earlier than 0:1.3.7.5-21.el7_5
            ovaloval:com.redhat.rhsa:tst:20181380005
          • comment389-ds-base-devel is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhba:tst:20151554002
        • AND
          • comment389-ds-base-libs is earlier than 0:1.3.7.5-21.el7_5
            ovaloval:com.redhat.rhsa:tst:20181380007
          • comment389-ds-base-libs is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhba:tst:20151554004
    rhsa
    idRHSA-2018:1380
    released2018-05-14
    severityImportant
    titleRHSA-2018:1380: 389-ds-base security and bug fix update (Important)
rpms
  • 389-ds-base-0:1.2.11.15-95.el6_9
  • 389-ds-base-debuginfo-0:1.2.11.15-95.el6_9
  • 389-ds-base-devel-0:1.2.11.15-95.el6_9
  • 389-ds-base-libs-0:1.2.11.15-95.el6_9
  • 389-ds-base-0:1.3.7.5-21.el7_5
  • 389-ds-base-debuginfo-0:1.3.7.5-21.el7_5
  • 389-ds-base-devel-0:1.3.7.5-21.el7_5
  • 389-ds-base-libs-0:1.3.7.5-21.el7_5
  • 389-ds-base-snmp-0:1.3.7.5-21.el7_5