The BDB backend for slapd in OpenLDAP before 2.3.36 allows remote authenticated users to cause a denial of service (crash) via a potentially-successful modify operation with the NOOP control set to critical, possibly due to a double free vulnerability.

The remote Oracle Linux 5 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2008-0110 advisory.

    [2.3.27-8.3]
     - better fix for CVE-2007-6698 (#431407), now it fixes also        modrdn operations

     [2.3.27-8.2]
     - fix CVE-2007-6698 (#431407)

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

These updated openldap packages fix a flaw in the way the OpenLDAP slapd daemon handled modify and modrdn requests with NOOP control on objects stored in a Berkeley DB (BDB) storage backend. An authenticated attacker with permission to perform modify or modrdn operations on such LDAP objects could cause slapd to crash.
(CVE-2007-6698, CVE-2008-0658)

The remote host is running a version of Mac OS X 10.5 that does not have Security Update 2009-006 applied.

This security update contains fixes for the following products :

  - AFP Client
  - Adaptive Firewall
  - Apache
  - Apache Portable Runtime
  - ATS
  - Certificate Assistant
  - CoreGraphics
  - CUPS
  - Dictionary
  - DirectoryService
  - Disk Images
  - Event Monitor
  - fetchmail
  - FTP Server
  - Help Viewer
  - International Components for Unicode
  - IOKit
  - IPSec
  - libsecurity
  - libxml
  - OpenLDAP
  - OpenSSH
  - PHP
  - QuickDraw Manager
  - QuickLook
  - FreeRADIUS
  - Screen Sharing
  - Spotlight
  - Subversion

Authenticated users could crash the LDAP server 'slapd' via the 'NOOP' command. (CVE-2007-6698 / CVE-2008-0658)

A vulnerability was found in slapo-pcache in slapd of OpenLDAP prior to 2.3.39 when running as a proxy-caching server. It would allocate memory using a malloc variant rather than calloc, which prevented an array from being properly initialized and could possibly allow attackers to cause a denial of service (CVE-2007-5708).

Two vulnerabilities were found in how slapd handled modify (prior to 2.3.26) and modrdn (prior to 2.3.29) requests with NOOP control on objects stored in the BDB backend. An authenticated user with permission to perform modify (CVE-2007-6698) or modrdn (CVE-2008-0658) operations could cause slapd to crash.

The updated packages have been patched to correct these issues.

Authenticated users could crash the LDAP server 'slapd' via the 'NOOP' command (CVE-2007-6698,CVE-2008-0658)

Several remote vulnerabilities have been discovered in OpenLDAP, a free implementation of the Lightweight Directory Access Protocol. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2007-5707     Thomas Sesselmann discovered that slapd could be crashed     by a malformed modify requests.

  - CVE-2007-5708     Toby Blade discovered that incorrect memory handling in     slapo-pcache could lead to denial of service through     crafted search requests.

  - CVE-2007-6698     It was discovered that a programming error in the     interface to the BDB storage backend could lead to     denial of service through crafted modify requests.

  - CVE-2008-0658     It was discovered that a programming error in the     interface to the BDB storage backend could lead to     denial of service through crafted modrdn requests.

Jonathan Clarke discovered that the OpenLDAP slapd server did not properly handle modify requests when using the Berkeley DB backend and specifying the NOOP control. An authenticated user with modify permissions could send a crafted modify request and cause a denial of service via application crash. Ubuntu 7.10 is not affected by this issue. (CVE-2007-6698)

Ralf Haferkamp discovered that the OpenLDAP slapd server did not properly handle modrdn requests when using the Berkeley DB backend and specifying the NOOP control. An authenticated user with modrdn permissions could send a crafted modrdn request and possibly cause a denial of service via application crash. (CVE-2007-6698).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Updated openldap packages that fix security issues are now available for Red Hat Enterprise Linux 4 and 5.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

OpenLDAP is an open source suite of Lightweight Directory Access Protocol (LDAP) applications and development tools. LDAP is a set of protocols for accessing directory services.

These updated openldap packages fix a flaw in the way the OpenLDAP slapd daemon handled modify and modrdn requests with NOOP control on objects stored in a Berkeley DB (BDB) storage backend. An authenticated attacker with permission to perform modify or modrdn operations on such LDAP objects could cause slapd to crash.
(CVE-2007-6698, CVE-2008-0658)

Users of openldap should upgrade to these updated packages, which contain a backported patch to correct this issue.

- Tue Feb 5 2008 Jan Safranek <jsafranek at redhat.com>     2.3.34-6

    - fix CVE-2007-6698 (#431409)

    - Mon Jan 14 2008 Jan Safranek <jsafranek at redhat.com>       2.3.34-5

    - fix default slurpd directory to /var/lib/ldap       (#424831)

    - Fri Nov 2 2007 Jan Safranek <jsafranek at redhat.com>       2.3.34-4

    - fix various security flaws (#360081)

    - Fri Jul 13 2007 Jan Safranek <jsafranek at redhat.com>       2.3.34-3

    - Fix initscript return codes (#242667)

    - Provide overlays including smbk5pwd (as modules;
      #246036, #245896, #220895)

    - Add available modules to config file

    - do not create script in /tmp on startup (bz#188298)

    - add compat-slapcat to openldap-compat (bz#179378)

    - do not import ddp services with migrate_services.pl       (bz#201183)

  - sort the hosts by address, preventing duplicities in     migrate*nis*.pl (bz#201540)

  - start slupd for each replicated database (bz#210155)

    - add ldconfig to devel post/postun (bz#240253)

    - include misc.schema in default slapd.conf (bz#147805)

    - Mon Apr 23 2007 Jan Safranek <jsafranek at redhat.com>       2.3.34-2

    - slapadd during package update is now quiet (bz#224581)

    - use _localstatedir instead of var/ during build       (bz#220970)

    - bind-libbind-devel removed from BuildRequires       (bz#216851)

    - slaptest is now quiet during service ldap start, if       there is no error/warning (bz#143697)

  - libldap_r.so now links with pthread (bz#198226)

    - do not strip binaries to produce correct .debuginfo       packages (bz#152516)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
67650	Oracle Linux 5 : Moderate: / openldap (ELSA-2008-0110)	Nessus	Oracle Linux Local Security Checks	medium
60361	Scientific Linux Security Update : openldap on SL4.x, SL5.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	medium
42433	Mac OS X Multiple Vulnerabilities (Security Update 2009-006)	Nessus	MacOS X Local Security Checks	critical
41197	SuSE9 Security Update : OpenLDAP 2 (YOU Patch Number 12075)	Nessus	SuSE Local Security Checks	medium
37371	Mandriva Linux Security Advisory : openldap (MDVSA-2008:058)	Nessus	Mandriva Local Security Checks	high
32079	openSUSE 10 Security Update : openldap2 (openldap2-4999)	Nessus	SuSE Local Security Checks	medium
32078	SuSE 10 Security Update : OpenLDAP 2 (ZYPP Patch Number 4989)	Nessus	SuSE Local Security Checks	medium
31811	Debian DSA-1541-1 : openldap2.3 - several vulnerabilities	Nessus	Debian Local Security Checks	high
31406	Ubuntu 6.06 LTS / 6.10 / 7.04 / 7.10 : openldap2.2, openldap2.3 vulnerabilities (USN-584-1)	Nessus	Ubuntu Local Security Checks	medium
31159	RHEL 4 / 5 : openldap (RHSA-2008:0110)	Nessus	Red Hat Local Security Checks	medium
31138	CentOS 4 / 5 : openldap (CESA-2008:0110)	Nessus	CentOS Local Security Checks	medium
30236	Fedora 7 : openldap-2.3.34-6.fc7 (2008-1307)	Nessus	Fedora Local Security Checks	medium

Detections

Analytics

CVE-2007-6698

high

Tenable Plugins

medium

medium

critical

medium

high

medium

medium

high

medium

medium

medium

medium