RHEL 7 : 389-ds-base (RHSA-2016:2594)

critical Nessus Plugin ID 94557

Synopsis

The remote Red Hat host is missing one or more security updates.

Description

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2016:2594 advisory.

389 Directory Server is an LDAP version 3 (LDAPv3) compliant server. The base packages include the Lightweight Directory Access Protocol (LDAP) server and command-line utilities for server administration.

The following packages have been upgraded to a newer upstream version: 389-ds-base (1.3.5.10).
(BZ#1270020)

Security Fix(es):

* It was found that 389 Directory Server was vulnerable to a flaw in which the default ACI (Access Control Instructions) could be read by an anonymous user. This could lead to leakage of sensitive information.
(CVE-2016-5416)

* An information disclosure flaw was found in 389 Directory Server. A user with no access to objects in certain LDAP sub-tree could send LDAP ADD operations with a specific object name. The error message returned to the user was different based on whether the target object existed or not. (CVE-2016-4992)

* It was found that 389 Directory Server was vulnerable to a remote password disclosure via timing attack.
A remote attacker could possibly use this flaw to retrieve directory server password after many tries.
(CVE-2016-5405)

The CVE-2016-5416 issue was discovered by Viktor Ashirov (Red Hat); the CVE-2016-4992 issue was discovered by Petr Spacek (Red Hat) and Martin Basti (Red Hat); and the CVE-2016-5405 issue was discovered by William Brown (Red Hat).

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

http://www.nessus.org/u?4165441c

http://www.nessus.org/u?da856a1b

https://access.redhat.com/errata/RHSA-2016:2594

https://access.redhat.com/security/updates/classification/#moderate

https://bugzilla.redhat.com/show_bug.cgi?id=1018944

https://bugzilla.redhat.com/show_bug.cgi?id=1143066

https://bugzilla.redhat.com/show_bug.cgi?id=1160902

https://bugzilla.redhat.com/show_bug.cgi?id=1196282

https://bugzilla.redhat.com/show_bug.cgi?id=1209128

https://bugzilla.redhat.com/show_bug.cgi?id=1210842

https://bugzilla.redhat.com/show_bug.cgi?id=1223510

https://bugzilla.redhat.com/show_bug.cgi?id=1229799

https://bugzilla.redhat.com/show_bug.cgi?id=1249908

https://bugzilla.redhat.com/show_bug.cgi?id=1254887

https://bugzilla.redhat.com/show_bug.cgi?id=1255557

https://bugzilla.redhat.com/show_bug.cgi?id=1257568

https://bugzilla.redhat.com/show_bug.cgi?id=1258610

https://bugzilla.redhat.com/show_bug.cgi?id=1335492

https://bugzilla.redhat.com/show_bug.cgi?id=1335618

https://bugzilla.redhat.com/show_bug.cgi?id=1338872

https://bugzilla.redhat.com/show_bug.cgi?id=1340307

https://bugzilla.redhat.com/show_bug.cgi?id=1342609

https://bugzilla.redhat.com/show_bug.cgi?id=1344414

https://bugzilla.redhat.com/show_bug.cgi?id=1347760

https://bugzilla.redhat.com/show_bug.cgi?id=1349540

https://bugzilla.redhat.com/show_bug.cgi?id=1349571

https://bugzilla.redhat.com/show_bug.cgi?id=1349577

https://bugzilla.redhat.com/show_bug.cgi?id=1350632

https://bugzilla.redhat.com/show_bug.cgi?id=1353592

https://bugzilla.redhat.com/show_bug.cgi?id=1353629

https://bugzilla.redhat.com/show_bug.cgi?id=1353714

https://bugzilla.redhat.com/show_bug.cgi?id=1354374

https://bugzilla.redhat.com/show_bug.cgi?id=1354660

https://bugzilla.redhat.com/show_bug.cgi?id=1355879

https://bugzilla.redhat.com/show_bug.cgi?id=1356261

https://bugzilla.redhat.com/show_bug.cgi?id=1358865

https://bugzilla.redhat.com/show_bug.cgi?id=1360327

https://bugzilla.redhat.com/show_bug.cgi?id=1360447

https://bugzilla.redhat.com/show_bug.cgi?id=1361134

https://bugzilla.redhat.com/show_bug.cgi?id=1361321

https://bugzilla.redhat.com/show_bug.cgi?id=1364190

https://bugzilla.redhat.com/show_bug.cgi?id=1368520

https://bugzilla.redhat.com/show_bug.cgi?id=1258611

https://bugzilla.redhat.com/show_bug.cgi?id=1259950

https://bugzilla.redhat.com/show_bug.cgi?id=1266510

https://bugzilla.redhat.com/show_bug.cgi?id=1266532

https://bugzilla.redhat.com/show_bug.cgi?id=1267750

https://bugzilla.redhat.com/show_bug.cgi?id=1269378

https://bugzilla.redhat.com/show_bug.cgi?id=1270020

https://bugzilla.redhat.com/show_bug.cgi?id=1271330

https://bugzilla.redhat.com/show_bug.cgi?id=1273142

https://bugzilla.redhat.com/show_bug.cgi?id=1273549

https://bugzilla.redhat.com/show_bug.cgi?id=1273550

https://bugzilla.redhat.com/show_bug.cgi?id=1273555

https://bugzilla.redhat.com/show_bug.cgi?id=1275763

https://bugzilla.redhat.com/show_bug.cgi?id=1278567

https://bugzilla.redhat.com/show_bug.cgi?id=1278584

https://bugzilla.redhat.com/show_bug.cgi?id=1278755

https://bugzilla.redhat.com/show_bug.cgi?id=1278987

https://bugzilla.redhat.com/show_bug.cgi?id=1280123

https://bugzilla.redhat.com/show_bug.cgi?id=1280456

https://bugzilla.redhat.com/show_bug.cgi?id=1288229

https://bugzilla.redhat.com/show_bug.cgi?id=1290101

https://bugzilla.redhat.com/show_bug.cgi?id=1290111

https://bugzilla.redhat.com/show_bug.cgi?id=1290141

https://bugzilla.redhat.com/show_bug.cgi?id=1290242

https://bugzilla.redhat.com/show_bug.cgi?id=1290600

https://bugzilla.redhat.com/show_bug.cgi?id=1296310

https://bugzilla.redhat.com/show_bug.cgi?id=1301097

https://bugzilla.redhat.com/show_bug.cgi?id=1302823

https://bugzilla.redhat.com/show_bug.cgi?id=1303641

https://bugzilla.redhat.com/show_bug.cgi?id=1303794

https://bugzilla.redhat.com/show_bug.cgi?id=1304682

https://bugzilla.redhat.com/show_bug.cgi?id=1307151

https://bugzilla.redhat.com/show_bug.cgi?id=1310848

https://bugzilla.redhat.com/show_bug.cgi?id=1312557

https://bugzilla.redhat.com/show_bug.cgi?id=1314557

https://bugzilla.redhat.com/show_bug.cgi?id=1314956

https://bugzilla.redhat.com/show_bug.cgi?id=1315893

https://bugzilla.redhat.com/show_bug.cgi?id=1316328

https://bugzilla.redhat.com/show_bug.cgi?id=1316580

https://bugzilla.redhat.com/show_bug.cgi?id=1316731

https://bugzilla.redhat.com/show_bug.cgi?id=1316741

https://bugzilla.redhat.com/show_bug.cgi?id=1316742

https://bugzilla.redhat.com/show_bug.cgi?id=1319329

https://bugzilla.redhat.com/show_bug.cgi?id=1320295

https://bugzilla.redhat.com/show_bug.cgi?id=1320715

https://bugzilla.redhat.com/show_bug.cgi?id=1321124

https://bugzilla.redhat.com/show_bug.cgi?id=1326077

https://bugzilla.redhat.com/show_bug.cgi?id=1326520

https://bugzilla.redhat.com/show_bug.cgi?id=1328936

https://bugzilla.redhat.com/show_bug.cgi?id=1329061

https://bugzilla.redhat.com/show_bug.cgi?id=1331343

https://bugzilla.redhat.com/show_bug.cgi?id=1332533

https://bugzilla.redhat.com/show_bug.cgi?id=1332709

https://bugzilla.redhat.com/show_bug.cgi?id=1333184

https://bugzilla.redhat.com/show_bug.cgi?id=1333515

https://bugzilla.redhat.com/show_bug.cgi?id=1334455

https://bugzilla.redhat.com/show_bug.cgi?id=1368956

https://bugzilla.redhat.com/show_bug.cgi?id=1369537

https://bugzilla.redhat.com/show_bug.cgi?id=1369570

https://bugzilla.redhat.com/show_bug.cgi?id=1370300

https://bugzilla.redhat.com/show_bug.cgi?id=1371283

https://bugzilla.redhat.com/show_bug.cgi?id=1371284

https://bugzilla.redhat.com/show_bug.cgi?id=190862

Plugin Details

Severity: Critical

ID: 94557

File Name: redhat-RHSA-2016-2594.nasl

Version: 2.13

Type: local

Agent: unix

Published: 11/4/2016

Updated: 11/4/2024

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

Vendor

Vendor Severity: Moderate

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2016-5416

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS Score Source: CVE-2016-5405

Vulnerability Information

CPE: cpe:/o:redhat:enterprise_linux:7, p-cpe:/a:redhat:enterprise_linux:389-ds-base, p-cpe:/a:redhat:enterprise_linux:389-ds-base-snmp, p-cpe:/a:redhat:enterprise_linux:389-ds-base-devel, p-cpe:/a:redhat:enterprise_linux:389-ds-base-libs

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu

Exploit Ease: No known exploits are available

Patch Publication Date: 11/3/2016

Vulnerability Publication Date: 6/8/2017

Reference Information

CVE: CVE-2016-4992, CVE-2016-5405, CVE-2016-5416

CWE: 200, 209, 385

RHSA: 2016:2594