Bug 627038 (CVE-2017-7551) - <net-nds/389-ds-base-{1.3.5.19,1.3.6.8}: Password brute-force possible for locked account due to different return codes (CVE-2017-7551)
Status: RESOLVED FIXED
Alias: CVE-2017-7551
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Low trivial
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: ~4 [noglsa cve]
Reported: 2017-08-04 08:06 UTC by Aleksandr Wagner (Kivak)
Modified: 2017-11-10 00:15 UTC

Description Aleksandr Wagner (Kivak) 2017-08-04 08:06:26 UTC
From $URL:

The directory server password lockout policy prevents binds from operating once a threshold of failed passwords has been met. If an attacker, during this lockout, binds with the correct password, a different error code is returned. This means that the attacker has no rate limit or penalty during the account lock, and can continue to attempt passwords by brute force.

Upstream bug:

https://pagure.io/389-ds-base/issue/49336
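The following is an added model of the oracle described above, not code from 389-ds-base or from this bug. It simulates a bind against a locked account in the two orderings that matter: the vulnerable one, where the password is verified before the lockout state is consulted, so a locked account answers a wrong guess and the right guess with different result codes; and the fixed one, where a locked account gets the lockout code before any password comparison. The account DN, the wordlist, the lockout threshold of 3 and the use of LDAP result code 19 (constraintViolation) for a locked account are assumptions of the model, chosen because 389-ds reports the retry-limit lockout that way; only 0 (success) and 49 (invalidCredentials) are standard meanings here.

```python
"""Model of the CVE-2017-7551 lockout oracle (added example, not 389-ds code).

A bind that verifies the password before consulting the lockout state leaks,
through the result code, whether a guess was right even while the account is
locked. The fixed ordering answers every bind to a locked account identically.
"""
import hashlib
import hmac
import os
from collections import Counter
from dataclasses import dataclass

# LDAP result codes. Using 19 for a locked account is an assumption of this
# model (389-ds reports "exceeded password retry limit" as constraintViolation).
SUCCESS = 0
CONSTRAINT_VIOLATION = 19
INVALID_CREDENTIALS = 49

MAX_FAILURES = 3  # modelled passwordMaxFailure; assumed value


@dataclass
class Account:
    dn: str
    salt: bytes
    pw_hash: bytes
    failures: int = 0

    @property
    def locked(self) -> bool:
        return self.failures >= MAX_FAILURES


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def make_account(dn: str, password: str) -> Account:
    salt = os.urandom(16)
    return Account(dn, salt, _derive(password, salt))


def password_ok(acct: Account, password: str) -> bool:
    return hmac.compare_digest(_derive(password, acct.salt), acct.pw_hash)


def bind_vulnerable(acct: Account, password: str) -> int:
    """Pre-fix ordering: check the password, then the lockout state.
    A locked account answers 49 to a wrong guess and 19 to the right one."""
    if not password_ok(acct, password):
        acct.failures += 1
        return INVALID_CREDENTIALS
    if acct.locked:
        return CONSTRAINT_VIOLATION
    acct.failures = 0
    return SUCCESS


def bind_fixed(acct: Account, password: str) -> int:
    """Fixed ordering: a locked account answers 19 before any password
    comparison, so the response carries no information about the guess."""
    if acct.locked:
        return CONSTRAINT_VIOLATION
    if not password_ok(acct, password):
        acct.failures += 1
        return INVALID_CREDENTIALS
    acct.failures = 0
    return SUCCESS


def lock_out(bind, acct: Account) -> None:
    """Trip the lockout with junk passwords, as an attacker trivially can."""
    while not acct.locked:
        bind(acct, os.urandom(8).hex())


def oracle_bruteforce(bind, acct: Account, wordlist) -> list:
    """Guess every word against the locked account and return the candidates
    whose result code differs from the common response. Any outlier is the
    leak: with a correct lockout every guess receives the same answer."""
    codes = {word: bind(acct, word) for word in wordlist}
    common, _ = Counter(codes.values()).most_common(1)[0]
    return [word for word, code in codes.items() if code != common]


if __name__ == "__main__":
    # Constructed sample data for the demonstration.
    words = ["letmein", "password", "hunter2", "Winter2017!", "qwerty"]
    for name, bind in (("vulnerable", bind_vulnerable), ("fixed", bind_fixed)):
        acct = make_account("uid=alice,ou=People,dc=example,dc=com", "Winter2017!")
        lock_out(bind, acct)
        print(name, "locked:", acct.locked, "recovered:", oracle_bruteforce(bind, acct, words))
```

Against a live server the same check is two simple binds once the account is locked (for example ldapwhoami -x -D <dn> -w <password>), one with a wrong password and one with the correct one: if the two result codes differ, the lockout is not limiting the attacker. The model's outlier test is the same idea applied to a whole wordlist.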
Comment 1 Wes 2017-08-08 06:40:17 UTC
Spoke to wibrown@, patches landing shortly
Comment 2 Aleksandr Wagner (Kivak) 2017-10-31 18:10:56 UTC
@ Maintainer(s): Patches have been committed and released in 1.3.6.7 and 1.3.5.19. Please update the ebuilds in the tree to a version with a fix. 

References:

http://www.port389.org/docs/389ds/releases/release-1-3-6-7.html
http://www.port389.org/docs/389ds/releases/release-1-3-5-19.html
Comment 3 Wes 2017-11-02 05:47:26 UTC
On it, will be submitting ebuilds shortly thanks
Comment 4 Larry the Git Cow gentoo-dev 2017-11-09 23:50:49 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=792d4ea1a3db535bc7ae440f72c993c8c6f32d32

commit 792d4ea1a3db535bc7ae440f72c993c8c6f32d32
Author:     Wes Cilldhaire <wes@sol1.com.au>
AuthorDate: 2017-11-09 23:16:49 +0000
Commit:     Jonas Stein <jstein@gentoo.org>
CommitDate: 2017-11-09 23:44:23 +0000

    net-nds/389-ds-base: Bump to 1.3.5.19 and 1.3.6.8
    
    Bump to 1.3.5.19 and 1.3.6.8 to fix CVE-2017-7551
    Bug: https://bugs.gentoo.org/627038
    
    Acked-by: wibrown@redhat.com
    Package-Manager: Portage-2.3.13, Repoman-2.3.4

 net-nds/389-ds-base/389-ds-base-1.3.5.19.ebuild | 124 ++++++++++++++++++++++++
 net-nds/389-ds-base/389-ds-base-1.3.6.8.ebuild  | 124 ++++++++++++++++++++++++
 net-nds/389-ds-base/Manifest                    |   2 +
 3 files changed, 250 insertions(+)
Comment 5 Larry the Git Cow gentoo-dev 2017-11-10 00:09:04 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=689125d6095b1737bb788463cdc7600a5861e27c

commit 689125d6095b1737bb788463cdc7600a5861e27c
Author:     Jonas Stein <jstein@gentoo.org>
AuthorDate: 2017-11-10 00:08:43 +0000
Commit:     Jonas Stein <jstein@gentoo.org>
CommitDate: 2017-11-10 00:08:43 +0000

    net-nds/389-ds-base: Remove vulnerable versions
    
    Removal due to CVE-2017-7551 after version bump.
    Bug: https://bugs.gentoo.org/627038
    
    Acked-by: wibrown@redhat.com
    Package-Manager: Portage-2.3.13, Repoman-2.3.4

 net-nds/389-ds-base/389-ds-base-1.3.4.14.ebuild | 138 ------------------------
 net-nds/389-ds-base/389-ds-base-1.3.5.17.ebuild | 124 ---------------------
 net-nds/389-ds-base/Manifest                    |   2 -
 3 files changed, 264 deletions(-)
Comment 6 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-11-10 00:13:53 UTC
Awesome job. Thank you all.

GLSA Vote: No.