Bug 630034 (CVE-2017-14159) - net-nds/openldap: creates a PID file after dropping privileges to a non-root account
Status: CONFIRMED
Alias: CVE-2017-14159
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: B3 [upstream/cve]
Reported: 2017-09-05 19:55 UTC by Aleksandr Wagner (Kivak)
Modified: 2017-09-11 22:02 UTC (History)
Runtime testing required: ---

Description Aleksandr Wagner (Kivak) 2017-09-05 19:55:06 UTC
CVE-2017-14159 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14159):

slapd in OpenLDAP 2.4.45 and earlier creates a PID file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for PID file modification before a root script executes a "kill `cat /pathname`" command, as demonstrated by openldap-initscript. 

References:

http://www.openldap.org/its/index.cgi?findid=8703
Comment 1 Michael Orlitzky gentoo-dev 2017-09-06 21:24:57 UTC
Upstream's position on this is that it's not a problem, because (quoting)

  Nobody compromises slapd from the network. There are no buffer overflow 
  vulnerabilities, there are no RCE vulnerabilities.

*shrug*

You'll have to try to work around it in the init script. You can get the user of the process whose PID you find in the file with

  ps -p <pid> -o user=

and you can get the name of the command with

  ps -p <pid> -o comm=

If you check those against the expected values every time you send a signal, it's a lot safer. The most an attacker can do in that case is prevent you from killing his hacked process via the init script.
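As an added example (not the Gentoo init script and not code from the bug report), a POSIX sh helper that applies the check described above before signalling: it reads the PID file, rejects anything that is not a plain integer, and refuses to send the signal unless the live process still has the expected owner and command name. The expected owner `ldap`, command `slapd` and the PID file path are assumptions.

```shell
#!/bin/sh
# Added example: guard a "kill `cat pidfile`" with the owner/command check
# suggested in the comment above. Expected values are assumptions, e.g.
#   safe_kill /run/openldap/slapd.pid ldap slapd TERM

# safe_kill PIDFILE EXPECTED_USER EXPECTED_COMM [SIGNAL]
# Returns 0 if the signal was sent; non-zero (and sends nothing) otherwise.
safe_kill() {
    pidfile=$1; want_user=$2; want_comm=$3; sig=${4:-TERM}

    # Only the first line counts, and it must be a plain decimal PID:
    # a writable PID file could otherwise smuggle in "-1" or "1 2 3".
    pid=$(head -n 1 "$pidfile" 2>/dev/null) || return 2
    case $pid in
        ''|*[!0-9]*)
            echo "safe_kill: bad PID '$pid' in $pidfile" >&2; return 2 ;;
    esac

    # Ask the kernel (via ps) who owns that PID right now and what it runs.
    have_user=$(ps -p "$pid" -o user= 2>/dev/null | tr -d ' ')
    have_comm=$(ps -p "$pid" -o comm= 2>/dev/null | tr -d ' ')
    if [ -z "$have_user" ]; then
        echo "safe_kill: no process with PID $pid" >&2; return 3
    fi
    if [ "$have_user" != "$want_user" ] || [ "$have_comm" != "$want_comm" ]; then
        echo "safe_kill: PID $pid is $have_user/$have_comm," \
             "expected $want_user/$want_comm; refusing to signal" >&2
        return 4
    fi

    kill -s "$sig" "$pid"
}
```

Some ps builds print a numeric UID instead of a name for long user names; if the comparison fails for that reason, compare `ps -o uid=` against `id -u` of the service account instead.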