CVE-2019-10224 - Information Exposure vulnerability in Fedoraproject 389 Directory Server

CVSS v3 base score: 4.6 - MEDIUM
  Attack vector: PHYSICAL
  Attack complexity: LOW
  Privileges required: NONE
  Confidentiality impact: HIGH
  Integrity impact: NONE
  Availability impact: NONE

Tags: low complexity, fedoraproject, CWE-200, nessus

Summary

A flaw has been found in 389-ds-base versions 1.4.x.x before 1.4.1.3. When executed in verbose mode, the dscreate and dsconf commands may display sensitive information, such as the Directory Manager password. An attacker, able to see the screen or record the terminal standard error output, could use this flaw to gain sensitive information.
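The bug class in the summary, as an added illustration in Python (the language of dscreate/dsconf and lib389) and not code from 389-ds-base: a verbose-mode logger that echoes the command line and the setup configuration unredacted, beside the hardened form that masks credential-bearing config keys and password options before the text reaches stderr, plus a check that scans captured output (a saved terminal session, CI log or sudo I/O log) for a known secret. The config key names (root_password, bind_pw), the password option names (-w, --bind-pw, --root-password) and the sample setup are assumptions made for the illustration.

```python
import re
import sys

# Config keys treated as credentials. dscreate reads the Directory Manager
# password from its setup file; the key names here are assumptions.
SECRET_KEYS = frozenset({"root_password", "bind_pw", "password"})
# CLI options whose following argument is a password (assumed names).
PASSWORD_OPTS = frozenset({"-w", "--bind-pw", "--root-password"})
MASK = "********"

# Constructed sample setup, not taken from a real deployment.
SAMPLE_CONFIG = {
    "instance_name": "localhost",
    "port": "389",
    "root_dn": "cn=Directory Manager",
    "root_password": "Sup3rS3cret!",
}


def verbose_lines_vulnerable(argv, config):
    """Vulnerable pattern: verbose mode dumps argv and the whole config."""
    return [f"DEBUG: argv={argv}", f"DEBUG: config={config}"]


def redact_config(config):
    """Mask the values of credential-bearing keys, keep everything else."""
    return {k: (MASK if k.lower() in SECRET_KEYS else v) for k, v in config.items()}


def redact_argv(argv):
    """Mask the value after a password option and inline 'name=VALUE' forms."""
    out, mask_next = [], False
    for arg in argv:
        if mask_next:
            out.append(MASK)
            mask_next = False
        elif arg in PASSWORD_OPTS:
            out.append(arg)
            mask_next = True
        else:
            # --root-password=VALUE or root_password=VALUE style arguments
            m = re.match(r"^(-{0,2}[\w-]*(?:password|passwd|pw)=)(.+)$", arg, re.IGNORECASE)
            out.append(m.group(1) + MASK if m else arg)
    return out


def verbose_lines_hardened(argv, config):
    """Same diagnostics, credentials masked before they can reach stderr."""
    return [f"DEBUG: argv={redact_argv(argv)}", f"DEBUG: config={redact_config(config)}"]


def leaked_secrets(lines, secrets):
    """Detection check: which known secrets appear verbatim in captured output."""
    return sorted({s for s in secrets if any(s in line for line in lines)})


if __name__ == "__main__":
    argv = ["dsconf", "-D", "cn=Directory Manager", "-w", "Sup3rS3cret!",
            "localhost", "backend", "list"]
    for line in verbose_lines_vulnerable(argv, SAMPLE_CONFIG):
        print(line, file=sys.stderr)          # password visible on stderr
    for line in verbose_lines_hardened(argv, SAMPLE_CONFIG):
        print(line, file=sys.stderr)          # password masked
    print("leaked:", leaked_secrets(verbose_lines_vulnerable(argv, SAMPLE_CONFIG),
                                    [SAMPLE_CONFIG["root_password"]]))
```

The hardened form redacts at the point where the diagnostic string is built, not at the output handler, so the masked text is what lands in every sink (terminal, `script` recordings, journald, CI log collectors). The detection function is the post-incident side of the same problem: run it over whatever captured the terminal's stderr to decide whether the Directory Manager password has to be rotated.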

Common Weakness Enumeration (CWE)

  • CWE-200: Information Exposure

Common Attack Pattern Enumeration and Classification (CAPEC)

These are the generic CAPEC patterns mapped to CWE-200; they describe information-exposure attacks in general rather than this specific console disclosure.

  • Subverting Environment Variable Values
    The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker.
  • Footprinting
    An attacker engages in probing and exploration activity to identify constituents and properties of the target. Footprinting is a general term to describe a variety of information gathering techniques, often used by attackers in preparation for some attack. It consists of using tools to learn as much as possible about the composition, configuration, and security mechanisms of the targeted application, system or network. Information that might be collected during a footprinting effort could include open ports, applications and their versions, network topology, and similar information. While footprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently), it may often pave the way for more damaging attacks.
  • Exploiting Trust in Client (aka Make the Client Invisible)
    An attack of this type exploits a program's vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by placing themselves in the communication channel between client and server such that communication directly to the server is possible where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
  • Browser Fingerprinting
    An attacker carefully crafts small snippets of JavaScript to efficiently detect the type of browser the potential victim is using. Many web-based attacks need prior knowledge of the web browser, including the version of the browser, to ensure successful exploitation of a vulnerability. Having this knowledge allows an attacker to target the victim with attacks that specifically exploit known or zero-day weaknesses in the type and version of the browser used by the victim. Automating this process via JavaScript as part of the same delivery system used to exploit the browser is considered more efficient, as the attacker can supply a browser fingerprinting method and integrate it with exploit code, all contained in JavaScript and in response to the same web page request by the browser.
  • Session Credential Falsification through Prediction
    This attack targets predictable session IDs in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.

Nessus

  • NASL family: Amazon Linux Local Security Checks
    NASL id: ALA_ALAS-2020-1334.NASL
    description: 389-ds-base before versions 1.3.8.5, 1.4.0.12 is vulnerable to a Cleartext Storage of Sensitive Information. By default, when the Replica and/or retroChangeLog plugins are enabled, 389-ds-base stores passwords in plaintext format in their respective changelog files. An attacker with sufficiently high privileges, such as root or Directory Manager, can query these files in order to retrieve plaintext passwords. (CVE-2018-10871)

    A flaw has been found in 389-ds-base versions 1.4.x.x before 1.4.1.3. When executed in verbose mode, the dscreate and dsconf commands may display sensitive information, such as the Directory Manager password. An attacker, able to see the screen or record the terminal standard error output, could use this flaw to gain sensitive information. (CVE-2019-10224)

    A flaw was found in the
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 133004
    published: 2020-01-17
    reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/133004
    title: Amazon Linux AMI : 389-ds-base (ALAS-2020-1334)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Amazon Linux AMI Security Advisory ALAS-2020-1334.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(133004);
      script_version("1.2");
      script_cvs_date("Date: 2020/01/21");
    
      script_cve_id("CVE-2018-10871", "CVE-2019-10224", "CVE-2019-14824", "CVE-2019-3883");
      script_xref(name:"ALAS", value:"2020-1334");
    
      script_name(english:"Amazon Linux AMI : 389-ds-base (ALAS-2020-1334)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Amazon Linux AMI host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "389-ds-base before versions 1.3.8.5, 1.4.0.12 is vulnerable to a
    Cleartext Storage of Sensitive Information. By default, when the
    Replica and/or retroChangeLog plugins are enabled, 389-ds-base stores
    passwords in plaintext format in their respective changelog files. An
    attacker with sufficiently high privileges, such as root or Directory
    Manager, can query these files in order to retrieve plaintext
    passwords.(CVE-2018-10871)
    
    A flaw has been found in 389-ds-base versions 1.4.x.x before 1.4.1.3.
    When executed in verbose mode, the dscreate and dsconf commands may
    display sensitive information, such as the Directory Manager password.
    An attacker, able to see the screen or record the terminal standard
    error output, could use this flaw to gain sensitive
    information.(CVE-2019-10224)
    
    A flaw was found in the 'deref' plugin of 389-ds-base where it could
    use the 'search' permission to display attribute values. In some
    configurations, this could allow an authenticated attacker to view
    private attributes, such as password hashes.(CVE-2019-14824)
    
    In 389-ds-base up to version 1.4.1.2, requests are handled by workers
    threads. Each sockets will be waited by the worker for at most
    'ioblocktimeout' seconds. However this timeout applies only for
    un-encrypted requests. Connections using SSL/TLS are not taking this
    timeout into account during reads, and may hang longer.An
    unauthenticated attacker could repeatedly create hanging LDAP requests
    to hang all the workers, resulting in a Denial of
    Service.(CVE-2019-3883)
    
    It was found that encrypted connections did not honor the
    'ioblocktimeout' parameter to end blocking requests. As a result, an
    unauthenticated attacker could repeatedly start a sufficient number of
    encrypted connections to block all workers, resulting in a denial of
    service.(CVE-2019-3883)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://alas.aws.amazon.com/ALAS-2020-1334.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Run 'yum update 389-ds-base' to update your system."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-10871");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:389-ds-base");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:389-ds-base-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:389-ds-base-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:389-ds-base-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:389-ds-base-snmp");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/07/18");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/01/15");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/01/17");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Amazon Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/AmazonLinux/release");
    if (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux");
    os_ver = pregmatch(pattern: "^AL(A|\d)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
    os_ver = os_ver[1];
    if (os_ver != "A")
    {
      if (os_ver == 'A') os_ver = 'AMI';
      audit(AUDIT_OS_NOT, "Amazon Linux AMI", "Amazon Linux " + os_ver);
    }
    
    if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (rpm_check(release:"ALA", reference:"389-ds-base-1.3.9.1-12.65.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"389-ds-base-debuginfo-1.3.9.1-12.65.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"389-ds-base-devel-1.3.9.1-12.65.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"389-ds-base-libs-1.3.9.1-12.65.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"389-ds-base-snmp-1.3.9.1-12.65.amzn1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "389-ds-base / 389-ds-base-debuginfo / 389-ds-base-devel / etc");
    }
    
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2019-3401.NASL
    description: An update for the 389-ds:1.4 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

    389 Directory Server is an LDAP version 3 (LDAPv3) compliant server. The base packages include the Lightweight Directory Access Protocol (LDAP) server and command-line utilities for server administration.

    The following packages have been upgraded to a later upstream version: 389-ds-base (1.4.1.3). (BZ#1712467)

    Security Fix(es):
      • 389-ds-base: Read permission check bypass via the deref plugin (CVE-2019-14824)
      • 389-ds-base: replication and the Retro Changelog plugin store plaintext password by default (CVE-2018-10871)
      • 389-ds-base: DoS via hanging secured connections (CVE-2019-3883)
      • 389-ds-base: using dscreate in verbose mode results in information disclosure (CVE-2019-10224)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

    Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.1 Release Notes linked from the References section.
    last seen: 2020-05-23
    modified: 2019-11-06
    plugin id: 130535
    published: 2019-11-06
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/130535
    title: RHEL 8 : 389-ds:1.4 (RHSA-2019:3401)

Redhat

rpms (fixed packages from RHSA-2019:3401)
  • 389-ds-base-0:1.4.1.3-7.module+el8.1.0+4150+5b8c2c1f
  • 389-ds-base-debuginfo-0:1.4.1.3-7.module+el8.1.0+4150+5b8c2c1f
  • 389-ds-base-debugsource-0:1.4.1.3-7.module+el8.1.0+4150+5b8c2c1f
  • 389-ds-base-devel-0:1.4.1.3-7.module+el8.1.0+4150+5b8c2c1f
  • 389-ds-base-legacy-tools-0:1.4.1.3-7.module+el8.1.0+4150+5b8c2c1f
  • 389-ds-base-legacy-tools-debuginfo-0:1.4.1.3-7.module+el8.1.0+4150+5b8c2c1f
  • 389-ds-base-libs-0:1.4.1.3-7.module+el8.1.0+4150+5b8c2c1f
  • 389-ds-base-libs-debuginfo-0:1.4.1.3-7.module+el8.1.0+4150+5b8c2c1f
  • 389-ds-base-snmp-0:1.4.1.3-7.module+el8.1.0+4150+5b8c2c1f
  • 389-ds-base-snmp-debuginfo-0:1.4.1.3-7.module+el8.1.0+4150+5b8c2c1f
  • python3-lib389-0:1.4.1.3-7.module+el8.1.0+4150+5b8c2c1f
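A local version-gating check in Python, added here as an example and not part of the Nessus plugins above or of Red Hat's tooling. It encodes the two fix levels this page lists (the ALAS-2020-1334 Amazon Linux AMI build 1.3.9.1-12.65.amzn1 and the RHSA-2019:3401 RHEL 8 module build 1.4.1.3-7.module+el8.1.0+4150+5b8c2c1f) next to the upstream affected range from the summary (1.4.x before 1.4.1.3), and compares them with a simplified rpmvercmp-style ordering. The input is the `%{VERSION}-%{RELEASE}` string as printed by `rpm -q --qf`, optionally with an epoch prefix as in the Red Hat list; the detection of the build family from the release suffix is an assumption, and the sample version strings are constructed.

```python
import re

# Fix levels taken from this page: ALAS-2020-1334 (Amazon Linux AMI),
# RHSA-2019:3401 (RHEL 8 389-ds:1.4 module) and the upstream cut 1.4.1.3.
FIXED = {
    "amzn1": "1.3.9.1-12.65.amzn1",
    "el8": "1.4.1.3-7.module+el8.1.0+4150+5b8c2c1f",
    "upstream": "1.4.1.3",
}


def _segments(s):
    """rpmvercmp-style split: digit runs compare numerically, letter runs as
    strings, and a numeric segment sorts after an alphabetic one. Tilde and
    caret ordering are not modelled (use rpm.labelCompare for that)."""
    return [(1, int(t)) if t.isdigit() else (0, t)
            for t in re.findall(r"\d+|[A-Za-z]+", s)]


def vercmp(a, b):
    """Return -1, 0 or 1 comparing two VERSION-RELEASE strings."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x != y:
            return -1 if x < y else 1
    # All shared segments equal: the string with more segments is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def strip_epoch(evr):
    """Drop a leading 'EPOCH:' as seen in the Red Hat package names."""
    return evr.split(":", 1)[1] if ":" in evr else evr


def distro_of(vr):
    """Guess the build family from the release suffix (assumption)."""
    if vr.endswith(".amzn1"):
        return "amzn1"
    if "el8" in vr:
        return "el8"
    return "upstream"


def in_cve_2019_10224_range(vr):
    """Affected range from the summary: 1.4.x before 1.4.1.3."""
    return vercmp(vr, "1.4") >= 0 and vercmp(vr, "1.4.1.3") < 0


def assess(evr):
    """Two independent verdicts: inside this CVE's upstream range, and
    below the distribution advisory's fix level."""
    vr = strip_epoch(evr)
    family = distro_of(vr)
    return {
        "family": family,
        "in_cve_range": in_cve_2019_10224_range(vr),
        "below_advisory_fix": vercmp(vr, FIXED[family]) < 0,
    }


if __name__ == "__main__":
    # On a live host: rpm -q --qf '%{VERSION}-%{RELEASE}\n' 389-ds-base
    for sample in ("1.4.0.12-1.fc30",                            # constructed
                   "0:1.4.1.3-7.module+el8.1.0+4150+5b8c2c1f",  # from this page
                   "1.3.9.1-11.60.amzn1"):                       # constructed
        print(sample, assess(sample))
```

The two verdicts deliberately differ. The Amazon Linux package is a 1.3.9.1 build, outside the range the summary gives for CVE-2019-10224, yet anything older than 1.3.9.1-12.65.amzn1 still needs the ALAS update for the other three CVEs in that advisory, so on Amazon Linux the advisory fix level is the gate, not the CVE range. Conversely, a distribution that backports the fix without moving the upstream version would show `in_cve_range` true while being patched; when in doubt, trust the advisory's NEVRA, and on hosts with the python3-rpm bindings replace `vercmp` with `rpm.labelCompare`.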