
SVG:Advisory-SVG-2015-CVE-2015-6908

From EGIWiki

Advisory-SVG-2015-CVE-2015-6908



** White information - Unlimited distribution allowed                       **  

** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **

Title:       EGI SVG Advisory 'Moderate' risk - OpenLDAP remote DoS vulnerability - CVE-2015-6908

Date:        2015-10-06
Updated:     2016-07-27

URL:         https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2015-CVE-2015-6908

Introduction
============

**Originally**

A vulnerability exists in OpenLDAP which allows an unauthenticated remote denial of 
service (DoS), and an exploit is publicly available. 

BDII, which is used to find information on deployed services in the Grid, 
is dependent on OpenLDAP.

However, at the time of the original advisory the latest version of OpenLDAP, which 
contains the fix, did not work reliably with BDII.

**UPDATE** The version of OpenLDAP shipped with RedHat 6.8 should work with 
BDII and solve the vulnerability issue. It is now also available in Scientific 
Linux 6.8 and CentOS 6.8. 

Details
=======

Previously:--

For more information see [R 1] and [R 2]

The public exploit has been successfully tested by the reporter of this issue, 
so the EGI Grid infrastructure may be seen as vulnerable to a trivial remote 
DoS attack: it is fairly easy to attack a site and bring down services.

However, it is easy to detect that the service has crashed and restart it, and given 
suitable logs it should be easy to see where the attacks are coming from and block 
those sources at the firewall. 

The latest version of OpenLDAP in some cases crashes under high load and does not work 
reliably with BDII. Upgrading may therefore impact the service even when it is not under 
attack, so upgrading is not recommended at present, as described in [R 3]. 

**UPDATE**:-

The version of OpenLDAP shipped with RedHat 6.8 should work with BDII and solve the 
vulnerability issue. It is now also available in Scientific Linux 6.8 and CentOS 6.8.  


Risk category
=============

This issue has been assessed as 'Moderate' risk by the EGI SVG Risk Assessment Team.


Affected software
=================

This is fully resolved in openldap-2.4.40-12.el6 for RedHat 6 and derivatives, 
both in terms of no longer being vulnerable and of working reliably with BDII.


Mitigation
==========

Sites should check their logs if services related to OpenLDAP, such as BDII, appear to crash for no reason. 
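As an added example that is not part of the original advisory, the following POSIX shell script shows one way to do the log triage described above (detecting that slapd died, seeing where the connections came from, and blocking those sources at the firewall). Given a syslog-format slapd log from a BDII host on stdin, it attributes the connections accepted by the slapd instance that died to their client addresses and emits iptables rules for the busiest ones. The sample log lines are constructed, not real data. The use of a `slapd starting` line as the restart boundary, slapd logging at loglevel `stats` (so that ACCEPT lines carry the client IP), the BDII port 2170, and the threshold of three connections are all assumptions made for this example, not details from the advisory.

```shell
#!/bin/sh
# Added example, not part of the EGI advisory: triage a slapd/BDII log after an
# unexplained crash and derive firewall rules for the sources that hammered
# the instance that died.
#
# Assumptions (not from the advisory):
#  - slapd logs with loglevel "stats", so each connection gives a line such as
#      slapd[PID]: conn=N fd=M ACCEPT from IP=<client>:<port> (IP=0.0.0.0:2170)
#  - a "slapd starting" line marks a restart, so the ACCEPT lines logged
#    before the last such line belong to the instance that crashed
#  - the BDII slapd listens on TCP 2170 (IPv4 sources only; IPv6 needs ip6tables)

# Constructed sample log (not real data): one normal client, one source that
# opens several connections just before the crash/restart, one client after.
sample_log() {
    cat <<'EOF'
Oct  5 10:01:02 bdii slapd[2131]: conn=1000 fd=12 ACCEPT from IP=192.0.2.7:41000 (IP=0.0.0.0:2170)
Oct  5 10:01:02 bdii slapd[2131]: conn=1000 op=0 SRCH base="o=grid" scope=2 deref=0 filter="(objectClass=*)"
Oct  5 10:01:03 bdii slapd[2131]: conn=1000 fd=12 closed
Oct  5 10:02:10 bdii slapd[2131]: conn=1001 fd=12 ACCEPT from IP=198.51.100.9:50001 (IP=0.0.0.0:2170)
Oct  5 10:02:10 bdii slapd[2131]: conn=1002 fd=13 ACCEPT from IP=198.51.100.9:50002 (IP=0.0.0.0:2170)
Oct  5 10:02:10 bdii slapd[2131]: conn=1003 fd=14 ACCEPT from IP=198.51.100.9:50003 (IP=0.0.0.0:2170)
Oct  5 10:05:00 bdii slapd[2140]: slapd starting
Oct  5 10:05:30 bdii slapd[2140]: conn=1000 fd=12 ACCEPT from IP=203.0.113.4:40010 (IP=0.0.0.0:2170)
EOF
}

# Read a slapd log on stdin; print "<count> <client-ip>" for every source that
# connected to the instance running before the most recent restart, busiest
# first. If no restart is seen at all, the current instance is reported.
accept_sources_before_restart() {
    awk '
        /slapd\[[0-9]+\]: slapd starting/ {
            split("", prev); for (ip in cur) prev[ip] = cur[ip]
            split("", cur); restarted = 1; next
        }
        match($0, /ACCEPT from IP=[^ ]+/) {
            ip = substr($0, RSTART + 15, RLENGTH - 15)   # strip "ACCEPT from IP="
            sub(/:[0-9]+$/, "", ip)                      # drop the client port
            cur[ip]++
        }
        END {
            if (restarted) { for (ip in prev) print prev[ip], ip }
            else           { for (ip in cur)  print cur[ip],  ip }
        }' | sort -rn
}

# Read a slapd log on stdin; emit an iptables rule for each source with at
# least $1 connections to the dead instance (threshold is a site choice;
# 3 is only a demo value).
block_commands() {
    min=${1:-3}
    accept_sources_before_restart |
        awk -v min="$min" '$1 >= min {
            printf "iptables -I INPUT -s %s -p tcp --dport 2170 -j DROP\n", $2
        }'
}

# Demo: review the candidates first, then print (do not yet apply) the rules.
sample_log | accept_sources_before_restart
sample_log | block_commands 3
```

On a real host, feed `/var/log/messages` (or wherever slapd's syslog facility is routed) into the two functions instead of `sample_log`, and review the candidate list before piping the generated rules to `sh`: a legitimate top-level BDII or monitoring box polling many site BDIIs can also open many connections in a short time, so the threshold should be set from the site's normal traffic, not from this demo.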

Component installation information
==================================

Updated:--

The openldap version that fixes the vulnerability in SL6 and also works reliably with BDII is openldap-2.4.40-12.el6.   

This is available in RedHat 6.8 and its derivatives. 

Note that the bdii service needs to be restarted after updating openldap.
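Also added here, and not from the advisory: a shell check a site can run on an SL6/CentOS 6 BDII host to confirm that the installed openldap package is at least the fixed version named above, and to restart bdii only once that holds. It assumes an RPM-based host with a `bdii` init script and GNU `sort -V` for version ordering; the fixed version string is the one from the advisory.

```shell
#!/bin/sh
# Added example, not from the EGI advisory: confirm that the installed openldap
# package is at least the version the advisory names as fixed for RHEL 6 and
# derivatives, and restart the bdii service afterwards.
#
# Assumptions (not from the advisory): an RPM-based SL6/CentOS 6 host with the
# "bdii" init script, and GNU "sort -V" for version ordering. For a stricter
# comparison use rpmdev-vercmp from rpmdevtools, which applies RPM's own rules.

FIXED_VERSION="2.4.40-12.el6"   # from the advisory

# version_ge HAVE MIN: succeed if HAVE sorts at or after MIN in version order.
version_ge() {
    [ "$(printf '%s\n' "$2" "$1" | sort -V | head -n 1)" = "$2" ]
}

# Installed VERSION-RELEASE of openldap; non-zero exit if it is not installed.
installed_openldap_version() {
    rpm -q --qf '%{VERSION}-%{RELEASE}\n' openldap 2>/dev/null
}

# openldap_is_fixed: succeed only when the installed package is new enough.
openldap_is_fixed() {
    have=$(installed_openldap_version) || return 1
    [ -n "$have" ] && version_ge "$have" "$FIXED_VERSION"
}

# Run as root on a BDII host: report, and restart bdii only on a fixed host
# (the advisory notes bdii must be restarted after openldap is updated).
check_and_restart_bdii() {
    if openldap_is_fixed; then
        echo "openldap $(installed_openldap_version) >= $FIXED_VERSION: fixed; restarting bdii"
        service bdii restart
    else
        echo "openldap missing or older than $FIXED_VERSION: update to the RHEL/SL/CentOS 6.8 package first" >&2
        return 1
    fi
}
```

Usage: source the file and call `check_and_restart_bdii` as root after `yum update openldap` on each resource, site and top BDII host; the `version_ge` helper can also be reused to check other packages against a minimum version-release.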


Recommendations
===============

Previously:--

At this time there is no openldap version that has the fix _and_ works reliably for the BDII. 

Sites are recommended to keep using the last stable version for resource, site and top BDII services.

If sites find that BDII is crashing, and they have not upgraded OpenLDAP they should investigate 
their logs to see if there is a possible incident.

UPDATE:--

This is fully resolved if sites upgrade to RedHat 6.8 or derivatives, so sites that have 
not done so already should update to a suitable version when convenient. 



Other Information
==================

This issue is a DoS, and DoS issues are normally rated as 'Low' risk.

However, given that a publicly available exploit exists which does not require authentication, 
in this case we have assessed it as 'Moderate' risk, due to the potential impact on the availability 
of the infrastructure.   


Previous statement:--

This is also being distributed as 'Amber', when normally a Moderate risk vulnerability would be 
distributed as 'White', to avoid drawing attention to the fact that this issue exists in EGI and is not resolved. 

**UPDATE**

The issue is now resolved in the version of OpenLDAP shipped with RedHat 6.8, which is also available in 
Scientific Linux 6.8 and CentOS 6.8.
 

Credit
======

EGI SVG was alerted to this vulnerability by Jan Astalos  


References
==========


[R 1] OpenLDAP ITS#8240: http://www.openldap.org/its/index.cgi/Software%20Bugs?id=8240

[R 2] NVD entry for CVE-2015-6908: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-6908

[R 3] Red Hat Bugzilla 1257543: https://bugzilla.redhat.com/show_bug.cgi?id=1257543

[R 4] Red Hat erratum RHBA-2016:0943: https://rhn.redhat.com/errata/RHBA-2016-0943.html


Comments
========

Comments or questions should be sent to svg-rat  at  mailman.egi.eu

We are currently revising the vulnerability issue handling procedure, so suggestions and comments 
are welcome. 



Timeline  
========
Yyyy-mm-dd

2015-09-30 SVG alerted to this issue by Jan Astalos 
2015-09-30 Acknowledgement from the EGI SVG to the reporter
2015-09-30 Discussion on potential impact, and risk
2015-09-30 Decision to simply send an advisory, to inform sites of the situation with OpenLDAP  
2015-10-01 Further discussions on contents of the advisory
2015-10-06 Advisory sent to sites
2016-07-25 New version of OpenLDAP is now available in Scientific Linux 6.8 which fully resolves this issue. 
2016-07-27 Advisory updated
2016-08-15 Public disclosure