CVE-2015-1854
First published: Tue Apr 07 2015(Updated: )
An access control bypass flaw was found in modrdn. In particular if a user has a rdn like uid=username, then the user can change its own rdn to any value that is a superstring of the current name bypassing access control. This issue could be reproduced by the following: ldapmodrnd -Y GSSAPI -r uid=testuser,cn=users,cn=accounts,dc=test,dc=ipa uid=testuser_extended_without_permission The above succeeds and renames the user. No authentication whatsoever is necessary. An anonymous user can completely hose a server (if not worse) by just renaming any entry it pleases. If ACIs are employed to hide entries and those entries are targeted by name then it is also possible to reveal those contents by renaming the entry and falling off the ACI protection. Acknowledgements: This issue was discovered by Simo Sorce of Red Hat.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Fedoraproject 389 Directory Server | <=1.3.3.9 | |
| Fedoraproject Fedora | =22 | |
| Debian Debian Linux | =8.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://rhn.redhat.com/errata/RHSA-2015-0895.html
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1216203
- https://bugzilla.redhat.com/show_bug.cgi?id=1209573
- http://lists.fedoraproject.org/pipermail/package-announce/2015-May/157069.html
- http://www.securityfocus.com/bid/74392
- https://access.redhat.com/errata/RHSA-2015:0895
- https://lists.debian.org/debian-lts-announce/2018/07/msg00018.html
- collector/redhat-bugzilla
- alias/CVE-2015-1854
- collector/nvd-index
- vendor/fedoraproject
- canonical/fedoraproject 389 directory server
- version/fedoraproject 389 directory server/1.3.3.9
- canonical/fedoraproject fedora
- version/fedoraproject fedora/22
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/8.0