Message-Id: <20150329062423.4DEDC13A6DD@smtpvmsrv1.mitre.org>
Date: Sun, 29 Mar 2015 02:24:23 -0400 (EDT)
From: cve-assign@...re.org
To: corsac@...ian.org
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com, team@...urity.debian.org
Subject: Re: CVE request (Debian specific): slapd: dangerous access rule in default config

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> Debian bug #761406 was fixed in Debian sid some time ago, but no CVE was
> assigned. In order to raise some exposure, and make sure admins
> check/fix their config, we'll issue a DSA, so I'm requesting a CVE for
> this.
>
> The problem is that by default LDAP users have write access to their own
> attributes. If LDAP is used to grant permissions, and those permissions
> are stored as user attributes (for example by using the ou), then a
> user can modify its own permissions, which is usually not wanted.
>
> It's a Debian specific issue,
> [1]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=761406

Use CVE-2014-9713 for this Debian specific issue.

> but the OpenLDAP documentation [2]
> actually recommends something like that.
> [2]: http://www.openldap.org/doc/admin24/guide.html#Basic%20ACLs

We think there might be a need for a second CVE related to this upstream
issue, because the recommendation is contained in a file bundled with the
upstream software distribution, i.e., doc/guide/admin/access-control.sdf in
the ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/openldap-2.4.40.tgz
file. (Admittedly, CVEs for documentation are infrequent. CVE-2010-4179 is
one example.) The essence of the issue is that it's easy for documentation
readers to infer that the Basic ACLs section, as well as essentially all of
the access-control.sdf file, is suggesting that "access to * by self write"
(with no earlier write restrictions) is a typically correct or recommended
design. It seems very unlikely that only Debian is facing a related security
impact.

On the other hand, if upstream believes that its existing documentation is
completely reasonable, then having a CVE for it could be counterproductive.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
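Added example, not part of the post, of Debian's fix, or of OpenLDAP's own code: a small Python evaluator of simplified slapd ACL semantics (first matching "to" clause wins, then the first matching "by" clause, otherwise no access; the rootdn bypasses ACLs entirely) that shows why a catch-all "access to * by self write" lets an entry rewrite a permission-bearing attribute such as "ou", and how placing a narrower rule before the catch-all changes the result. The HARDENED list and the attribute names other than "ou" and "userPassword" are assumptions for illustration, not the actual Debian or OpenLDAP configuration.

```python
# Simplified slapd-style ACL evaluation (added example; supports "to *",
# "to attrs=a,b" and the subjects self / anonymous / users / *).
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

def parse_acl(text):
    """Parse lines such as 'access to attrs=ou by self read by * read'."""
    rules = []
    for line in text.strip().splitlines():
        head, *bys = line.split(" by ")
        target = head.replace("access to", "").strip()
        attrs = None if target == "*" else set(target[len("attrs="):].split(","))
        rules.append((attrs, [tuple(b.split()) for b in bys]))
    return rules

def access(rules, attr, who):
    """who: 'self', 'anonymous', 'users' (any bound DN) or 'other'.
    Mirrors slapd ordering: first matching 'to' clause, then first
    matching 'by' clause; a 'to' match with no 'by' match denies."""
    for attrs, bys in rules:
        if attrs is not None and attr not in attrs:
            continue
        for subject, level in bys:
            if subject in (who, "*") or (subject == "users" and who != "anonymous"):
                return level
        return "none"
    return "none"

def grants(level, needed):
    return LEVELS.index(level) >= LEVELS.index(needed)

def self_can_write(acl_text, attr):
    """True if an entry can modify its own attribute under this ACL."""
    return grants(access(parse_acl(acl_text), attr, "self"), "write")

# Weak shape discussed in the post: the catch-all gives every entry write
# access to itself, including to attributes that encode permissions.
WEAK = """
access to attrs=userPassword by self write by anonymous auth by * none
access to * by self write by * read
"""
# Hardened form (an assumption): permission-bearing attributes are pinned
# read-only *before* the catch-all, so only the rootdn (which bypasses ACLs)
# can change them, and the catch-all no longer grants self write.
HARDENED = """
access to attrs=userPassword by self write by anonymous auth by * none
access to attrs=ou,memberOf by * read
access to * by self read by * read
"""

if __name__ == "__main__":
    for name, acl in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, "self can write ou:", self_can_write(acl, "ou"))
```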