ID CVE-2018-1054
Summary An out-of-bounds memory read flaw was found in the way 389-ds-base handled certain LDAP search filters, affecting all versions including 1.4.x. A remote, unauthenticated attacker could potentially use this flaw to make ns-slapd crash via a specially crafted LDAP request, thus resulting in denial of service.
References
Vulnerable Configurations
  • Fedora Project 389 Directory Server 1.4.0.6
    cpe:2.3:a:fedoraproject:389_directory_server:1.4.0.6
  • Red Hat Enterprise Linux Desktop 6.0
    cpe:2.3:o:redhat:enterprise_linux_desktop:6.0
  • Red Hat Enterprise Linux Desktop 7.0
    cpe:2.3:o:redhat:enterprise_linux_desktop:7.0
  • Red Hat Enterprise Linux Server 6.0
    cpe:2.3:o:redhat:enterprise_linux_server:6.0
  • Red Hat Enterprise Linux Server 7.0
    cpe:2.3:o:redhat:enterprise_linux_server:7.0
  • Red Hat Enterprise Linux Server 7.4
    cpe:2.3:o:redhat:enterprise_linux_server:7.4
  • Red Hat Enterprise Linux Workstation 6.0
    cpe:2.3:o:redhat:enterprise_linux_workstation:6.0
  • Red Hat Enterprise Linux Workstation 7.0
    cpe:2.3:o:redhat:enterprise_linux_workstation:7.0
CVSS
Base: 5.0
Impact:
Exploitability:
CWE CWE-125
CAPEC
  • Overread Buffers
    An adversary attacks a target by providing input that causes an application to read beyond the boundary of a defined buffer. This typically occurs when a value influencing where to start or stop reading is set to reflect positions outside of the valid memory location of the buffer. This type of attack may result in exposure of sensitive information, a system crash, or arbitrary code execution.
nessus via4
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-1428.NASL
    description CVE-2015-1854 A flaw was found while doing authorization of modrdn operations. An unauthenticated attacker able to issue an ldapmodrdn call to the directory server could perform unauthorized modifications of entries in the directory server. CVE-2017-15134 Improper handling of a search filter in slapi_filter_sprintf() in slapd/util.c can lead to remote server crash and denial of service. CVE-2018-1054 When read access on is enabled, a flaw in SetUnicodeStringFromUTF_8 function in collate.c, can lead to out-of-bounds memory operations. This might result in a server crash, caused by unauthorized users. CVE-2018-1089 Any user (anonymous or authenticated) can crash ns-slapd with a crafted ldapsearch query with very long filter value. CVE-2018-10850 Due to a race condition the server could crash in turbo mode (because of high traffic) or when a worker reads several requests in the read buffer (more_data). Thus an anonymous attacker could trigger a denial of service. For Debian 8 'Jessie', these problems have been fixed in version 1.3.3.5-4+deb8u1. We recommend that you upgrade your 389-ds-base packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-08-08
    plugin id 111086
    published 2018-07-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111086
    title Debian DLA-1428-1 : 389-ds-base security update
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20180313_389_DS_BASE_ON_SL6_X.NASL
    description Security Fix(es) : - 389-ds-base: remote Denial of Service (DoS) via search filters in SetUnicodeStringFromUTF_8 in collate.c (CVE-2018-1054) - 389-ds-base: Authentication bypass due to lack of size check in slapi_ct_memcmp function in ch_malloc.c (CVE-2017-15135)
    last seen 2019-02-21
    modified 2018-12-27
    plugin id 108363
    published 2018-03-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=108363
    title Scientific Linux Security Update : 389-ds-base on SL6.x i386/x86_64
  • NASL family Amazon Linux Local Security Checks
    NASL id AL2_ALAS-2018-980.NASL
    description Authentication bypass due to lack of size check in slapi_ct_memcmp function in ch_malloc.c : It was found that 389-ds-base did not always handle internal hash comparison operations correctly during the authentication process. A remote, unauthenticated attacker could potentially use this flaw to bypass the authentication process under very rare and specific circumstances. (CVE-2017-15135) Remote Denial of Service (DoS) via search filters in SetUnicodeStringFromUTF_8 in collate.c : An out-of-bounds memory read flaw was found in the way 389-ds-base handled certain LDAP search filters. A remote, unauthenticated attacker could potentially use this flaw to make ns-slapd crash via a specially crafted LDAP request, thus resulting in denial of service. (CVE-2018-1054)
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 109134
    published 2018-04-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=109134
    title Amazon Linux 2 : 389-ds-base (ALAS-2018-980)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2018-0414.NASL
    description An update for 389-ds-base is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 389 Directory Server is an LDAP version 3 (LDAPv3) compliant server. The base packages include the Lightweight Directory Access Protocol (LDAP) server and command-line utilities for server administration. Security Fix(es) : * 389-ds-base: remote Denial of Service (DoS) via search filters in SetUnicodeStringFromUTF_8 in collate.c (CVE-2018-1054) * 389-ds-base: Authentication bypass due to lack of size check in slapi_ct_memcmp function in ch_malloc.c (CVE-2017-15135) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. The CVE-2017-15135 issue was discovered by Martin Poole (Red Hat). Bug Fix(es) : * Previously, if an administrator configured an index for an attribute with a specific matching rule in the 'nsMatchingRule' parameter, Directory Server did not use the retrieved indexer. As a consequence, Directory Server did not index the values of this attribute with the specified matching rules, and searches with extended filters were unindexed. With this update, Directory Server uses the retrieved indexer that processes the specified matching rule. As a result, searches using extended filters with a specified matching rule are now indexed. (BZ#1536343)
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 107273
    published 2018-03-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=107273
    title CentOS 7 : 389-ds-base (CESA-2018:0414)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2018-0414.NASL
    description From Red Hat Security Advisory 2018:0414 : An update for 389-ds-base is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 389 Directory Server is an LDAP version 3 (LDAPv3) compliant server. The base packages include the Lightweight Directory Access Protocol (LDAP) server and command-line utilities for server administration. Security Fix(es) : * 389-ds-base: remote Denial of Service (DoS) via search filters in SetUnicodeStringFromUTF_8 in collate.c (CVE-2018-1054) * 389-ds-base: Authentication bypass due to lack of size check in slapi_ct_memcmp function in ch_malloc.c (CVE-2017-15135) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. The CVE-2017-15135 issue was discovered by Martin Poole (Red Hat). Bug Fix(es) : * Previously, if an administrator configured an index for an attribute with a specific matching rule in the 'nsMatchingRule' parameter, Directory Server did not use the retrieved indexer. As a consequence, Directory Server did not index the values of this attribute with the specified matching rules, and searches with extended filters were unindexed. With this update, Directory Server uses the retrieved indexer that processes the specified matching rule. As a result, searches using extended filters with a specified matching rule are now indexed. (BZ#1536343)
    last seen 2019-02-21
    modified 2018-03-28
    plugin id 107205
    published 2018-03-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=107205
    title Oracle Linux 7 : 389-ds-base (ELSA-2018-0414)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2018-0414.NASL
    description An update for 389-ds-base is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 389 Directory Server is an LDAP version 3 (LDAPv3) compliant server. The base packages include the Lightweight Directory Access Protocol (LDAP) server and command-line utilities for server administration. Security Fix(es) : * 389-ds-base: remote Denial of Service (DoS) via search filters in SetUnicodeStringFromUTF_8 in collate.c (CVE-2018-1054) * 389-ds-base: Authentication bypass due to lack of size check in slapi_ct_memcmp function in ch_malloc.c (CVE-2017-15135) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. The CVE-2017-15135 issue was discovered by Martin Poole (Red Hat). Bug Fix(es) : * Previously, if an administrator configured an index for an attribute with a specific matching rule in the 'nsMatchingRule' parameter, Directory Server did not use the retrieved indexer. As a consequence, Directory Server did not index the values of this attribute with the specified matching rules, and searches with extended filters were unindexed. With this update, Directory Server uses the retrieved indexer that processes the specified matching rule. As a result, searches using extended filters with a specified matching rule are now indexed. (BZ#1536343)
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 107190
    published 2018-03-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=107190
    title RHEL 7 : 389-ds-base (RHSA-2018:0414)
  • NASL family Huawei Local Security Checks
    NASL id EULEROS_SA-2018-1076.NASL
    description According to the versions of the 389-ds-base packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - It was found that 389-ds-base since 1.3.6.1 up to and including 1.4.0.3 did not always handle internal hash comparison operations correctly during the authentication process. A remote, unauthenticated attacker could potentially use this flaw to bypass the authentication process under very rare and specific circumstances.(CVE-2017-15135) - An out-of-bounds memory read flaw was found in the way 389-ds-base handled certain LDAP search filters. A remote, unauthenticated attacker could potentially use this flaw to make ns-slapd crash via a specially crafted LDAP request, thus resulting in denial of service.(CVE-2018-1054) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-13
    plugin id 109474
    published 2018-05-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=109474
    title EulerOS 2.0 SP1 : 389-ds-base (EulerOS-SA-2018-1076)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2018-0515.NASL
    description An update for 389-ds-base is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 389 Directory Server is an LDAP version 3 (LDAPv3) compliant server. The base packages include the Lightweight Directory Access Protocol (LDAP) server and command-line utilities for server administration. Security Fix(es) : * 389-ds-base: remote Denial of Service (DoS) via search filters in SetUnicodeStringFromUTF_8 in collate.c (CVE-2018-1054) * 389-ds-base: Authentication bypass due to lack of size check in slapi_ct_memcmp function in ch_malloc.c (CVE-2017-15135) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. The CVE-2017-15135 issue was discovered by Martin Poole (Red Hat).
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 108342
    published 2018-03-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=108342
    title CentOS 6 : 389-ds-base (CESA-2018:0515)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20180306_389_DS_BASE_ON_SL7_X.NASL
    description Security Fix(es) : - 389-ds-base: remote Denial of Service (DoS) via search filters in SetUnicodeStringFromUTF_8 in collate.c (CVE-2018-1054) - 389-ds-base: Authentication bypass due to lack of size check in slapi_ct_memcmp function in ch_malloc.c (CVE-2017-15135) Bug Fix(es) : - Previously, if an administrator configured an index for an attribute with a specific matching rule in the 'nsMatchingRule' parameter, Directory Server did not use the retrieved indexer. As a consequence, Directory Server did not index the values of this attribute with the specified matching rules, and searches with extended filters were unindexed. With this update, Directory Server uses the retrieved indexer that processes the specified matching rule. As a result, searches using extended filters with a specified matching rule are now indexed.
    last seen 2019-02-21
    modified 2018-12-27
    plugin id 107209
    published 2018-03-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=107209
    title Scientific Linux Security Update : 389-ds-base on SL7.x x86_64
  • NASL family Huawei Local Security Checks
    NASL id EULEROS_SA-2018-1077.NASL
    description According to the versions of the 389-ds-base packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - It was found that 389-ds-base since 1.3.6.1 up to and including 1.4.0.3 did not always handle internal hash comparison operations correctly during the authentication process. A remote, unauthenticated attacker could potentially use this flaw to bypass the authentication process under very rare and specific circumstances.(CVE-2017-15135) - An out-of-bounds memory read flaw was found in the way 389-ds-base handled certain LDAP search filters. A remote, unauthenticated attacker could potentially use this flaw to make ns-slapd crash via a specially crafted LDAP request, thus resulting in denial of service.(CVE-2018-1054) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-13
    plugin id 109475
    published 2018-05-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=109475
    title EulerOS 2.0 SP2 : 389-ds-base (EulerOS-SA-2018-1077)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2018-0515.NASL
    description An update for 389-ds-base is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 389 Directory Server is an LDAP version 3 (LDAPv3) compliant server. The base packages include the Lightweight Directory Access Protocol (LDAP) server and command-line utilities for server administration. Security Fix(es) : * 389-ds-base: remote Denial of Service (DoS) via search filters in SetUnicodeStringFromUTF_8 in collate.c (CVE-2018-1054) * 389-ds-base: Authentication bypass due to lack of size check in slapi_ct_memcmp function in ch_malloc.c (CVE-2017-15135) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. The CVE-2017-15135 issue was discovered by Martin Poole (Red Hat).
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 108330
    published 2018-03-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=108330
    title RHEL 6 : 389-ds-base (RHSA-2018:0515)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2018-0515.NASL
    description From Red Hat Security Advisory 2018:0515 : An update for 389-ds-base is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 389 Directory Server is an LDAP version 3 (LDAPv3) compliant server. The base packages include the Lightweight Directory Access Protocol (LDAP) server and command-line utilities for server administration. Security Fix(es) : * 389-ds-base: remote Denial of Service (DoS) via search filters in SetUnicodeStringFromUTF_8 in collate.c (CVE-2018-1054) * 389-ds-base: Authentication bypass due to lack of size check in slapi_ct_memcmp function in ch_malloc.c (CVE-2017-15135) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. The CVE-2017-15135 issue was discovered by Martin Poole (Red Hat).
    last seen 2019-02-21
    modified 2018-03-28
    plugin id 108320
    published 2018-03-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=108320
    title Oracle Linux 6 : 389-ds-base (ELSA-2018-0515)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2018-980.NASL
    description Authentication bypass due to lack of size check in slapi_ct_memcmp function in ch_malloc.c : It was found that 389-ds-base did not always handle internal hash comparison operations correctly during the authentication process. A remote, unauthenticated attacker could potentially use this flaw to bypass the authentication process under very rare and specific circumstances. (CVE-2017-15135) Remote Denial of Service (DoS) via search filters in SetUnicodeStringFromUTF_8 in collate.c : An out-of-bounds memory read flaw was found in the way 389-ds-base handled certain LDAP search filters. A remote, unauthenticated attacker could potentially use this flaw to make ns-slapd crash via a specially crafted LDAP request, thus resulting in denial of service. (CVE-2018-1054)
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 108844
    published 2018-04-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=108844
    title Amazon Linux AMI : 389-ds-base (ALAS-2018-980)
redhat via4
advisories
  • bugzilla
    id 1537314
    title CVE-2018-1054 389-ds-base: remote Denial of Service (DoS) via search filters in SetUnicodeStringFromUTF_8 in collate.c
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 7 Client is installed
        oval oval:com.redhat.rhba:tst:20150364001
      • comment Red Hat Enterprise Linux 7 Server is installed
        oval oval:com.redhat.rhba:tst:20150364002
      • comment Red Hat Enterprise Linux 7 Workstation is installed
        oval oval:com.redhat.rhba:tst:20150364003
      • comment Red Hat Enterprise Linux 7 ComputeNode is installed
        oval oval:com.redhat.rhba:tst:20150364004
    • OR
      • AND
        • comment 389-ds-base is earlier than 0:1.3.6.1-28.el7_4
          oval oval:com.redhat.rhsa:tst:20180414005
        • comment 389-ds-base is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhba:tst:20151554010
      • AND
        • comment 389-ds-base-devel is earlier than 0:1.3.6.1-28.el7_4
          oval oval:com.redhat.rhsa:tst:20180414009
        • comment 389-ds-base-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhba:tst:20151554006
      • AND
        • comment 389-ds-base-libs is earlier than 0:1.3.6.1-28.el7_4
          oval oval:com.redhat.rhsa:tst:20180414007
        • comment 389-ds-base-libs is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhba:tst:20151554008
      • AND
        • comment 389-ds-base-snmp is earlier than 0:1.3.6.1-28.el7_4
          oval oval:com.redhat.rhsa:tst:20180414011
        • comment 389-ds-base-snmp is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20162594010
    rhsa
    id RHSA-2018:0414
    released 2018-03-06
    severity Important
    title RHSA-2018:0414: 389-ds-base security and bug fix update (Important)
  • bugzilla
    id 1537314
    title CVE-2018-1054 389-ds-base: remote Denial of Service (DoS) via search filters in SetUnicodeStringFromUTF_8 in collate.c
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 6 Client is installed
        oval oval:com.redhat.rhba:tst:20111656001
      • comment Red Hat Enterprise Linux 6 Server is installed
        oval oval:com.redhat.rhba:tst:20111656002
      • comment Red Hat Enterprise Linux 6 Workstation is installed
        oval oval:com.redhat.rhba:tst:20111656003
      • comment Red Hat Enterprise Linux 6 ComputeNode is installed
        oval oval:com.redhat.rhba:tst:20111656004
    • OR
      • AND
        • comment 389-ds-base is earlier than 0:1.2.11.15-94.el6_9
          oval oval:com.redhat.rhsa:tst:20180515007
        • comment 389-ds-base is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhba:tst:20151554010
      • AND
        • comment 389-ds-base-devel is earlier than 0:1.2.11.15-94.el6_9
          oval oval:com.redhat.rhsa:tst:20180515009
        • comment 389-ds-base-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhba:tst:20151554006
      • AND
        • comment 389-ds-base-libs is earlier than 0:1.2.11.15-94.el6_9
          oval oval:com.redhat.rhsa:tst:20180515005
        • comment 389-ds-base-libs is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhba:tst:20151554008
    rhsa
    id RHSA-2018:0515
    released 2018-03-13
    severity Important
    title RHSA-2018:0515: 389-ds-base security update (Important)
rpms
  • 389-ds-base-0:1.3.6.1-28.el7_4
  • 389-ds-base-devel-0:1.3.6.1-28.el7_4
  • 389-ds-base-libs-0:1.3.6.1-28.el7_4
  • 389-ds-base-snmp-0:1.3.6.1-28.el7_4
  • 389-ds-base-0:1.2.11.15-94.el6_9
  • 389-ds-base-devel-0:1.2.11.15-94.el6_9
  • 389-ds-base-libs-0:1.2.11.15-94.el6_9
refmap via4
bid 103228
confirm
mlist [debian-lts-announce] 20180715 [SECURITY] [DLA 1428-1] 389-ds-base security update
Last major update 07-03-2018 - 08:29
Published 07-03-2018 - 08:29
Last modified 16-07-2018 - 21:29