oss-sec mailing list archives
Re: CVE request (Debian specific): slapd: dangerous access rule in default config
From: cve-assign () mitre org
Date: Sun, 29 Mar 2015 02:24:23 -0400 (EDT)
> Debian bug #761406 was fixed in Debian sid some time ago, but no CVE was assigned. In order to raise some exposure, and make sure admins check/fix their config, we'll issue a DSA, so I'm requesting a CVE for this. The problem is that by default LDAP users have write access to their own attributes. If LDAP is used to grant permissions, and those permissions are stored as user attributes (for example by using the ou), then a user can modify its own permissions, which is usually not wanted. It's a Debian specific issue,
> [1]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=761406
Use CVE-2014-9713 for this Debian specific issue.
> but the OpenLDAP documentation [2] actually recommends something like that.
> [2]: http://www.openldap.org/doc/admin24/guide.html#Basic%20ACLs
We think there might be a need for a second CVE related to this upstream issue, because the recommendation is contained in a file bundled with the upstream software distribution, i.e., doc/guide/admin/access-control.sdf in the ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/openldap-2.4.40.tgz file. (Admittedly, CVEs for documentation are infrequent. CVE-2010-4179 is one example.)

The essence of the issue is that it's easy for documentation readers to infer that the Basic ACLs section, as well as essentially all of the access-control.sdf file, is suggesting that "access to * by self write" (with no earlier write restrictions) is a typically correct or recommended design. It seems very unlikely that only Debian is facing a related security impact.

On the other hand, if upstream believes that its existing documentation is completely reasonable, then having a CVE for it could be counterproductive.

--
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
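
An added example, not part of the message above and not Debian or OpenLDAP code: a small audit sketch that applies slapd's first-match ACL evaluation to slapd.conf-style rules and reports which authorization attributes a user could rewrite on their own entry. The sample configurations and the attribute list (ou, gidNumber) are constructed, and the model is an assumption-laden simplification: it handles only "to *" and "to attrs=..." rules and ignores dn/filter scoping and dn-based <who> clauses.

```python
import re

WRITE_LEVELS = {"write", "manage"}  # levels that let the requester modify values

def parse_acls(conf_text):
    """Return [(what, [(who, level), ...])] per 'access to' directive, in file order."""
    # slapd.conf treats a line starting with whitespace as a continuation
    joined = re.sub(r"\n[ \t]+", " ", conf_text)
    rules = []
    for line in joined.splitlines():
        m = re.match(r"access\s+to\s+(\S+)\s+(.*)", line)
        if m:
            rules.append((m.group(1), re.findall(r"\bby\s+(\S+)\s+(\S+)", m.group(2))))
    return rules

def self_writable(conf_text, attrs):
    """Attributes from `attrs` that a bound user may modify on their own entry."""
    rules, exposed = parse_acls(conf_text), []
    for attr in attrs:
        for what, by in rules:
            if what.startswith("attrs="):
                if attr.lower() not in what[6:].lower().split(","):
                    continue
            elif what != "*":
                continue  # dn/filter-scoped rules are not modelled in this sketch
            # within the first matching rule, the first matching <who> decides
            level = next((lv for who, lv in by if who in ("self", "users", "*")), "none")
            if level in WRITE_LEVELS:
                exposed.append(attr)
            break  # later rules are never consulted for this attribute
    return exposed

# Constructed sample configurations (not copied from Debian or upstream).
BEFORE = '''\
access to attrs=userPassword,shadowLastChange
    by self write
    by anonymous auth
    by * none
access to dn.base="" by * read
access to *
    by self write
    by * read
'''
AFTER = BEFORE.replace("access to *\n    by self write\n", "access to *\n")

if __name__ == "__main__":
    for name, conf in (("before", BEFORE), ("after", AFTER)):
        print(name, self_writable(conf, ["ou", "gidNumber"]))
```

With the catch-all "by self write" clause removed, the password rule still lets users change their own userPassword while ou and gidNumber become read-only to them.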
Current thread:
- CVE request (Debian specific): slapd: dangerous access rule in default config Yves-Alexis Perez (Mar 28)
- Re: CVE request (Debian specific): slapd: dangerous access rule in default config cve-assign (Mar 28)