First published: Fri May 09 2014 (Updated: )
Created attachment 893821: proposed fix

Description of problem:

The nss-pam-ldapd daemon nslcd can be configured to find LDAP servers via SRV lookups on a domain. With this configuration, a crash seen when starting nslcd can be caused by a number of specific SRV records presented to ldap_domain2hostlist(). The records are a set of 5+ SRV records for _ldap._tcp, all with a 5-digit port number, i.e. 12345.

```
[root@auto1 ~]# dig SRV _ldap._tcp.rodan.local | grep ldap
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> SRV _ldap._tcp.rodan.local
;_ldap._tcp.rodan.local.        IN      SRV
_ldap._tcp.rodan.local. 3600    IN      SRV     1 5 15001 activedirectory2.rodan.local.
_ldap._tcp.rodan.local. 3600    IN      SRV     1 5 15001 activedirectory3.rodan.local.
_ldap._tcp.rodan.local. 3600    IN      SRV     1 5 15001 activedirectory4.rodan.local.
_ldap._tcp.rodan.local. 3600    IN      SRV     0 5 15001 ads.rodan.local.
_ldap._tcp.rodan.local. 3600    IN      SRV     0 5 15001 ads2.rodan.local.
_ldap._tcp.rodan.local. 3600    IN      SRV     0 5 15001 ads3.rodan.local.
_ldap._tcp.rodan.local. 3600    IN      SRV     1 5 15001 activedirectory.rodan.local.
```

On startup this crash happens most of the time, and can appear differently:

```
[root@auto1 ~]# nslcd -d
nslcd: DEBUG: query rodan.local for SRV records
*** glibc detected *** nslcd: realloc(): invalid next size: 0x0000000001e29480 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x76166)[0x7fda91c7a166]
/lib64/libc.so.6(+0x7bc17)[0x7fda91c7fc17]
/lib64/libc.so.6(realloc+0xe5)[0x7fda91c7fdd5]
/lib64/liblber-2.4.so.2(ber_memrealloc_x+0x2a)[0x7fda919fd87a]
/lib64/libldap_r-2.4.so.2(ldap_domain2hostlist+0x423)[0x7fda92400f33]
nslcd[0x407fb1]
nslcd[0x408c0e]
nslcd[0x40a21d]
nslcd[0x403a75]
/lib64/libc.so.6(__libc_start_main+0xfd)[0x7fda91c22d1d]
nslcd[0x402d39]
======= Memory map: ========
00400000-0041d000 r-xp 00000000 fd:00 405486 /usr/sbin/nslcd
0061d000-0061e000 rw-p 0001d000 fd:00 405486 /usr/sbin/nslcd
01e28000-01e49000 rw-p 00000000 00:00 0 [heap]
7fda8ed94000-7fda8ee05000 r-xp 00000000 fd:00 261638 /lib64/libfreebl3.so
...

[root@auto1 ~]# nslcd -d
nslcd: DEBUG: query rodan.local for SRV records
*** glibc detected *** nslcd: realloc(): invalid next size: 0x00000000023b3480 ***
*** glibc detected *** nslcd: malloc(): memory corruption: 0x00000000023b34f0 ***
^C

[root@auto1 ~]# nslcd -d
nslcd: DEBUG: query rodan.local for SRV records
*** glibc detected *** nslcd: realloc(): invalid next size: 0x00000000020bd480 ***
*** glibc detected *** nslcd: malloc(): memory corruption: 0x00000000020bd4f0 ***
^C

[root@auto1 ~]# nslcd -d
nslcd: DEBUG: query rodan.local for SRV records
nslcd: DEBUG: add_uris_from_dns(): found uri: ldap://activedirectory4.rodan.local:15001
nslcd: DEBUG: add_uri(ldap://activedirectory4.rodan.local:15001)
nslcd: DEBUG: add_uris_from_dns(): found uri: ldap://activedirectory.rodan.local:15001
nslcd: DEBUG: add_uri(ldap://activedirectory.rodan.local:15001)
nslcd: DEBUG: add_uris_from_dns(): found uri: ldap://activedirectory3.rodan.local:15001
nslcd: DEBUG: add_uri(ldap://activedirectory3.rodan.local:15001)
nslcd: DEBUG: add_uris_from_dns(): found uri: ldap://activedirectory2.rodan.local:15001
nslcd: DEBUG: add_uri(ldap://activedirectory2.rodan.local:15001)
nslcd: DEBUG: add_uris_from_dns(): found uri: ldap://ads.rodan.local:15001
nslcd: DEBUG: add_uri(ldap://ads.rodan.local:15001)
nslcd: DEBUG: add_uris_from_dns(): found uri: ldap://ads2.rodan.local:15001
nslcd: DEBUG: add_uri(ldap://ads2.rodan.local:15001)
nslcd: DEBUG: add_uris_from_dns(): found uri: ldap://ads3.rodan.local:15001
```

The crash is related to the maximum length of a port specified in the SRV record. Any 4-digit or shorter ports did not crash with the same entries, so I suspected that in ldap_domain2hostlist(), doing STRLENOF(":65355") with the 5-digit port ends up missing a byte. It also only starts to show up when there are 5 or more entries in the host list, as it appears that the sprintf at the end of the hostent_count loop needs to be called enough times for this to corrupt the hostlist array. With a larger number of entries the crash would probably have a greater chance of happening.

I'm attaching a patch that changes STRLENOF to sizeof, to account for the proper length needed in the buffer for a max-length port. With the patch I tested multiple restarts of nslcd against the records and I wasn't able to reproduce the crash.

I think this bug should be evaluated as a possible CVE. In the event of DNS hijacking/spoofing, a malicious nameserver presenting these specific SRV records may be able to cause a DoS to LDAP services that utilize ldap_domain2hostlist().

Version-Release number of selected component (if applicable):

openldap-2.4.23-34.el6_5.1

How reproducible:

1. Create SRV records in DNS as specified above
2. Configure nslcd to do SRV lookups to locate an LDAP server (in /etc/nslcd.conf, set 'uri:DNS:domain')
3. Start nslcd in foreground debug mode (nslcd -d)
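The following C model is an added illustration, not the reporter's patch or OpenLDAP's code. It reproduces the sizing arithmetic the report describes: each appended "host:port" entry is given `STRLENOF(":65355")` bytes of port room, which omits the NUL terminator, so once a 5-digit port and the space separator are written the entry is one byte too long; switching to `sizeof` restores the byte. The host names are constructed to mirror the report's records, the assumption that the separator is the uncounted byte is the model's own, and a bounded `snprintf` is used so the shortfall is reported rather than written past the allocation.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not OpenLDAP's code: a model of the hostlist growth loop the
 * report describes. STRLENOF() is a literal's length without its NUL, sizeof()
 * includes the NUL; only the literal's length matters, not its digits. */
#define STRLENOF(s) (sizeof(s) - 1)
#define BUGGY_PORT_ROOM STRLENOF(":65355")  /* 6 bytes, as in the report */
#define FIXED_PORT_ROOM sizeof(":65355")    /* 7 bytes, the proposed fix */

/* Constructed SRV targets, shaped like the report's _ldap._tcp records. */
static const char *const HOSTS[] = {
    "ads.rodan.local", "ads2.rodan.local", "ads3.rodan.local",
    "activedirectory.rodan.local", "activedirectory2.rodan.local",
};
#define NHOSTS (sizeof(HOSTS) / sizeof(HOSTS[0]))

/* Build "host:port host:port ..." with one port for every target. The buffer
 * grows per entry by strlen(host) + port_room + 1. Model assumption: the space
 * separator is written but not counted in port_room. Returns 0 and sets *out
 * (caller frees) on success, or the 1-based index of the first entry whose
 * text plus NUL would not fit, which is never written. */
static int build_hostlist(size_t port_room, unsigned short port, char **out) {
    char *list = NULL;
    size_t cur = 0;
    *out = NULL;
    for (size_t i = 0; i < NHOSTS; i++) {
        size_t room = strlen(HOSTS[i]) + port_room;
        char *grown = realloc(list, cur + room + 1);
        if (grown == NULL) { free(list); return -1; }
        list = grown;
        /* Bounded snprintf: its return value is what an unbounded sprintf
         * would have written, so a shortfall is reported, not overflowed. */
        int n = snprintf(list + cur, room + 1, "%s%s:%hu",
                         cur ? " " : "", HOSTS[i], port);
        if (n < 0 || (size_t)n > room) { free(list); return (int)i + 1; }
        cur += (size_t)n;
    }
    *out = list;
    return 0;
}

int main(void) {
    char *list;
    int buggy = build_hostlist(BUGGY_PORT_ROOM, 15001, &list); /* 2: entry 2 does not fit */
    int fixed = build_hostlist(FIXED_PORT_ROOM, 15001, &list); /* 0: all five fit */
    printf("STRLENOF sizing rc=%d, sizeof sizing rc=%d: %s\n", buggy, fixed, list);
    free(list);
    return 0;
}
```

With the buggy room a 4-digit port such as 1500 still fits every entry, which is the behaviour the report observed before the port crossed into five digits.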
Affected Software | Affected Version | How to fix
---|---|---
Red Hat OpenLDAP Servers | |
The severity of REDHAT-BUG-1095976 has not been explicitly stated; the report describes heap corruption (realloc(): invalid next size) in ldap_domain2hostlist() when the nss-pam-ldapd daemon nslcd locates LDAP servers through SRV records, and the reporter asks that it be evaluated as a possible CVE.
To fix REDHAT-BUG-1095976, apply the proposed patch, which changes the STRLENOF(":65355") buffer sizing in ldap_domain2hostlist() to sizeof so that a 5-digit port fits in the host list buffer.
REDHAT-BUG-1095976 primarily affects the OpenLDAP client library (openldap-2.4.23-34.el6_5.1 on the reporter's system), reached here through nslcd.
The main issue in REDHAT-BUG-1095976 is an undersized buffer in ldap_domain2hostlist(): five or more SRV records with 5-digit ports corrupt the host list, so a spoofed or hijacked nameserver presenting such records could deny service to LDAP clients that use this function.
Currently, a specific workaround for REDHAT-BUG-1095976 has not been detailed, so applying the patch is recommended.