Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Sun, 29 Mar 2015 02:24:23 -0400 (EDT)
From: cve-assign@...re.org
To: corsac@...ian.org
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com, team@...urity.debian.org
Subject: Re: CVE request (Debian specific): slapd: dangerous access rule in default config

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> Debian bug #761406 was fixed in Debian sid some time ago, but no CVE was
> assigned. In order to raise some exposure, and make sure admins
> check/fix their config, we'll issue a DSA, so I'm requesting a CVE for
> this.
> 
> The problem is that by default LDAP users have write access to their own
> attributes. If LDAP is used to grant permissions, and those permissions
> are stored as user attributes (for example by using the ou), then an
> user can modify its own permissions, which is usually not wanted.
> 
> It's a Debian specific issue,

> [1]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=761406

Use CVE-2014-9713 for this Debian specific issue.


> but the OpenLDAP documentation [2]
> actually recommends something like that.

> [2]: http://www.openldap.org/doc/admin24/guide.html#Basic%20ACLs

We think there might be a need for a second CVE related to this
upstream issue, because the recommendation is contained in a file
bundled with the upstream software distribution, i.e.,
doc/guide/admin/access-control.sdf in the
ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/openldap-2.4.40.tgz
file.

(Admittedly, CVEs for documentation are infrequent. CVE-2010-4179 is
one example.)

The essence of the issue is that it's easy for documentation readers
to infer that the Basic ACLs section, as well as essentially all of
the access-control.sdf file, is suggesting that "access to * by self
write" (with no earlier write restrictions) is a typically correct or
recommended design. It seems very unlikely that only Debian is facing
a related security impact.

On the other hand, if upstream believes that its existing
documentation is completely reasonable, then having a CVE for it could
be counterproductive.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJVF5mJAAoJEKllVAevmvmsyjcH/RZ8v3D+WSZvt++b4PJTea5p
sRXkRRnJizcak2idk+nEunQdlxutnNtSmZW6CvC/JI2CWUkY0jKbzPi9vpOqrZKg
H6spjx9+WK3EixlUjm0CaOWeanjl0KAqItbkpYOPKAZofKSWUsCmDNjKHaI9/zJ2
WvPyhfxyEurPSUaf/u0tcZ3QNEo9Hmz4EVS2YmuFBFBFUgRHxzq1V1OhhT9+mFmP
ZNFBdF/HOCSLC/c2M0mvvDWo1scRl41vTsNp/JO8X1lmG/OAcaDjYoYgfQcg2GiU
GxGC5G95iOS77Mx/QBeZfGqBdeQpyiVU32s9shACr8fvLasvJ4I7/UGakyeq7qM=
=/YQE
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.