
Computer vulnerabilities of OpenLDAP

computer vulnerability note CVE-2019-13057

OpenLDAP: privilege escalation via rootDN

Synthesis of the vulnerability

An attacker can bypass restrictions via rootDN of OpenLDAP, in order to escalate his privileges.
Impacted products: Debian, OpenLDAP, Ubuntu.
Severity: 1/4.
Consequences: privileged access/rights.
Provenance: privileged account.
Creation date: 29/07/2019.
Identifiers: 9038, CVE-2019-13057, DLA-1891-1, USN-4078-1, USN-4078-2, VIGILANCE-VUL-29899.


computer vulnerability alert CVE-2017-17740

OpenLDAP: use after free via nops/memberof MODDN

Synthesis of the vulnerability

An attacker can force the usage of a freed memory area via nops/memberof of OpenLDAP, in order to trigger a denial of service, and possibly to run code.
Impacted products: OpenLDAP, SUSE Linux Enterprise Desktop, SLES.
Severity: 2/4.
Consequences: user access/rights, denial of service on service, denial of service on client.
Provenance: intranet client.
Creation date: 19/12/2017.
Identifiers: 8759, CVE-2017-17740, SUSE-SU-2018:4150-1, SUSE-SU-2019:0931-1, VIGILANCE-VUL-24806.


computer vulnerability alert CVE-2017-14159

OpenLDAP: denial of service via PID File

Synthesis of the vulnerability

An attacker can generate a fatal error via PID File of OpenLDAP, in order to trigger a denial of service.
Impacted products: OpenLDAP.
Severity: 1/4.
Consequences: denial of service on service, denial of service on client.
Provenance: user shell.
Creation date: 12/09/2017.
Identifiers: 8703, CVE-2017-14159, VIGILANCE-VUL-23806.


vulnerability alert CVE-2017-9287

OpenLDAP: denial of service via the search option "Paged Results"

Synthesis of the vulnerability

An attacker can generate a fatal error via the search option "Paged Results" in OpenLDAP, in order to trigger a denial of service.
Impacted products: Debian, Fedora, OpenLDAP, openSUSE Leap, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 2/4.
Consequences: denial of service on server, denial of service on service, denial of service on client.
Provenance: intranet client.
Creation date: 30/05/2017.
Identifiers: 8655, CVE-2017-9287, DLA-972-1, DSA-3868-1, FEDORA-2017-1ca18683e4, openSUSE-SU-2017:2181-1, RHSA-2017:1852-01, SUSE-SU-2019:0931-1, USN-3307-1, USN-3307-2, VIGILANCE-VUL-22861.


vulnerability announce CVE-2015-3276

OpenLDAP: incorrect TLS algorithm choice with a multi-keyword cipherstring

Synthesis of the vulnerability

An attacker can force the TLS session of OpenLDAP to choose a weaker algorithm if the configured cipherstring contains several keywords, in order to more easily attack this session.
Impacted products: Fedora, OpenLDAP, RHEL.
Severity: 1/4.
Consequences: data reading.
Provenance: intranet server.
Creation date: 20/11/2015.
Identifiers: 1238322, CVE-2015-3276, FEDORA-2017-ceb1b8659e, RHSA-2015:2131-03, VIGILANCE-VUL-18342.

Description of the vulnerability

The TLS configuration of OpenLDAP can use a cipherstring containing several keywords. For example "ECDH+SHA".

However, the logic implemented by the nss_parse_ciphers() function of libldap/tls_m.c uses a logical OR instead of an AND when there are several keywords. For example, "DES-CBC-SHA" is selected because it contains SHA, but it does not contain ECDH.

An attacker can therefore force the TLS session of OpenLDAP to choose a weaker algorithm if the configured cipherstring contains several keywords, in order to more easily attack this session.
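The OR-versus-AND difference described above, as an added example that is not OpenLDAP's or NSS's code: the suite table, the flag names and `select_suites()` are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Attribute flags for a constructed suite table (illustrative, not NSS's). */
enum { KX_ECDH = 1, KX_RSA = 2, MAC_SHA = 4, MAC_MD5 = 8 };

struct suite { const char *name; unsigned attrs; };
static const struct suite SUITES[] = {
    { "ECDH-RSA-AES128-SHA", KX_ECDH | MAC_SHA },  /* bit 0 */
    { "DES-CBC-SHA",         KX_RSA  | MAC_SHA },  /* bit 1 */
    { "RC4-MD5",             KX_RSA  | MAC_MD5 },  /* bit 2 */
};
#define NSUITES (sizeof SUITES / sizeof SUITES[0])

static unsigned keyword_flag(const char *kw, size_t len) {
    if (len == 4 && !strncmp(kw, "ECDH", 4)) return KX_ECDH;
    if (len == 3 && !strncmp(kw, "RSA", 3))  return KX_RSA;
    if (len == 3 && !strncmp(kw, "SHA", 3))  return MAC_SHA;
    if (len == 3 && !strncmp(kw, "MD5", 3))  return MAC_MD5;
    return 0;
}

/* Parse "KW1+KW2" into a flag mask; 0 if any keyword is unknown or empty. */
static unsigned parse_spec(const char *spec) {
    unsigned mask = 0;
    while (*spec) {
        size_t len = strcspn(spec, "+");
        unsigned f = keyword_flag(spec, len);
        if (!f) return 0;
        mask |= f;
        spec += len;
        if (*spec == '+') spec++;
    }
    return mask;
}

/* Returns a bitmap of selected suite indexes.
 * require_all = 0 reproduces the OR behaviour (any keyword matches);
 * require_all = 1 is the intended AND behaviour (every keyword matches). */
unsigned select_suites(const char *spec, int require_all) {
    unsigned want = parse_spec(spec), picked = 0;
    if (!want) return 0;                /* fail closed on a bad cipherstring */
    for (size_t i = 0; i < NSUITES; i++) {
        unsigned hit = SUITES[i].attrs & want;
        if (require_all ? hit == want : hit != 0) picked |= 1u << i;
    }
    return picked;
}

int main(void) {
    printf("OR : 0x%x\n", select_suites("ECDH+SHA", 0));
    printf("AND: 0x%x\n", select_suites("ECDH+SHA", 1));
    return 0;
}
```

With OR matching, bit 1 (DES-CBC-SHA) is selected alongside the ECDH suite; with AND matching only the ECDH suite remains.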

computer vulnerability bulletin CVE-2015-6908

OpenLDAP: denial of service via ber_get_next

Synthesis of the vulnerability

An attacker can send a malicious LDAP packet, to force an assertion error in the ber_get_next() function of OpenLDAP, in order to trigger a denial of service.
Impacted products: Debian, OpenLDAP, openSUSE, openSUSE Leap, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 2/4.
Consequences: denial of service on service.
Provenance: intranet client.
Creation date: 10/09/2015.
Identifiers: CERTFR-2015-AVI-388, CVE-2015-6908, DSA-3356-1, ITS#8240, openSUSE-SU-2016:0226-1, openSUSE-SU-2016:0255-1, openSUSE-SU-2016:0261-1, RHSA-2015:1840-01, SUSE-SU-2016:0224-1, USN-2742-1, VIGILANCE-VUL-17868.

Description of the vulnerability

The LDAP protocol uses the ASN.1 format, with a BER encoding.

The ber_get_next() function in the libraries/liblber/io.c file of OpenLDAP walks through the data and decodes a BER record. However, when the pointer is outside the data area, an assertion fails because the developers did not expect this case, which stops the process.

An attacker can therefore send a malicious LDAP packet, to force an assertion error in the ber_get_next() function of OpenLDAP, in order to trigger a denial of service.

computer vulnerability CVE-2015-1546

OpenLDAP: use after free via Matched Values

Synthesis of the vulnerability

An attacker can force the usage of a freed memory area in Matched Values of OpenLDAP, in order to trigger a denial of service, and possibly to execute code.
Impacted products: OpenLDAP, openSUSE.
Severity: 2/4.
Consequences: privileged access/rights, user access/rights, denial of service on service.
Provenance: intranet client.
Creation date: 06/02/2015.
Identifiers: 776991, 8046, CVE-2015-1546, MDVSA-2015:073, openSUSE-SU-2015:1325-1, VIGILANCE-VUL-16125.

Description of the vulnerability

The OpenLDAP directory supports Matched Values queries using a filter. For example: ldapsearch -E 'mv=(sn=*)'.

However, when the filter is invalid, the get_vrFilter() function of the servers/slapd/filter.c file frees a memory area before reusing it.

An attacker can therefore force the usage of a freed memory area in Matched Values of OpenLDAP, in order to trigger a denial of service, and possibly to execute code.

vulnerability note CVE-2015-1545

OpenLDAP: NULL pointer dereference via deref

Synthesis of the vulnerability

An attacker can force a NULL pointer to be dereferenced in the deref overlay of OpenLDAP, in order to trigger a denial of service.
Impacted products: Debian, Fedora, OpenLDAP, openSUSE, Solaris, Ubuntu.
Severity: 2/4.
Consequences: denial of service on service.
Provenance: intranet client.
Creation date: 06/02/2015.
Identifiers: 8027, bulletinjul2015, CVE-2015-1545, DSA-3209-1, FEDORA-2015-2055, MDVSA-2015:073, MDVSA-2015:074, openSUSE-SU-2015:1325-1, USN-2622-1, VIGILANCE-VUL-16124.

Description of the vulnerability

The OpenLDAP directory supports the overlay (additional feature) "deref" (if compiled with --enable-deref) which returns information from a reference of a search result. For example: ldapsearch -E 'deref=member:entryUUID'.

However, if the requested attribute is empty, the deref_parseCtrl() function of the servers/slapd/overlays/deref.c file does not check if a pointer is NULL, before using it.

An attacker can therefore force a NULL pointer to be dereferenced in the deref overlay of OpenLDAP, in order to trigger a denial of service.

vulnerability alert CVE-2013-4449

OpenLDAP: use after free via rwm overlay

Synthesis of the vulnerability

An attacker can perform a query followed by an unbind, to use a freed memory area in the rwm overlay feature of OpenLDAP, in order to trigger a denial of service, and possibly to execute code.
Impacted products: Cisco CUCM, Debian, Fedora, OpenLDAP, RHEL, Ubuntu.
Severity: 2/4.
Consequences: privileged access/rights, denial of service on service.
Provenance: user account.
Creation date: 04/02/2014.
Identifiers: 1019490, 7723, CSCun32529, CVE-2013-4449, DSA-3209-1, FEDORA-2014-2012, FEDORA-2014-2967, MDVSA-2014:026, RHSA-2014:0126-01, RHSA-2014:0206-01, USN-2622-1, VIGILANCE-VUL-14171.

Description of the vulnerability

The rwm (rewrite/remap) overlay of OpenLDAP provides a virtual view on data.

Functions of the libraries/librewrite/session.c file count the number of users of a rwm session. However, this counter is not updated during a query.

An attacker can therefore perform a query followed by an unbind, to use a freed memory area in the rwm overlay feature of OpenLDAP, in order to trigger a denial of service, and possibly to execute code.

vulnerability CVE-2012-2668

OpenLDAP: TLSCipherSuite ignored with NSS

Synthesis of the vulnerability

When OpenLDAP uses NSS to manage SSL sessions, the TLSCipherSuite configuration directive is ignored, so an attacker can attack a weak encryption algorithm.
Impacted products: Fedora, OpenLDAP, RHEL.
Severity: 1/4.
Consequences: user access/rights.
Provenance: intranet client.
Creation date: 06/06/2012.
Identifiers: 7285, 825875, BID-53823, CVE-2012-2668, FEDORA-2012-10000, FEDORA-2012-10023, RHSA-2012:1151-01, VIGILANCE-VUL-11680.

Description of the vulnerability

The OpenLDAP service can use SSL/TLS sessions, when it is compiled with a cryptographic library, such as NSS or GnuTLS.

The TLSCipherSuite configuration directive of OpenLDAP indicates the list of allowed encryption algorithms.

The tlsm_deferred_ctx_init() function of the libraries/libldap/tls_m.c file calls tlsm_parse_ciphers() to manage the list of encryption algorithms negotiated for NSS. However, the error code returned by this function is interpreted in an inverted way, so the default algorithms are allowed.

When OpenLDAP uses NSS to manage SSL sessions, the TLSCipherSuite configuration directive is therefore ignored, so an attacker can attack a weak encryption algorithm.