SB2021020601 - Multiple vulnerabilities in OpenLDAP

Description

This security bulletin contains information about 10 secuirty vulnerabilities.

1) Integer underflow (CVE-ID: CVE-2020-36221)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to integer underflow within the serialNumberAndIssuerCheck() function in schema_init.c. A remote attacker can send a specially crafted request to the affected application, trigger an integer underflow and crash the slapd.

2) Release of invalid pointer or reference (CVE-ID: CVE-2020-36224)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to release of an invalid pointer when processing saslAuthzTo requests. A remote attacker can send a specially crafted request to slapd and perform a denial of service (DoS) attack.

3) Reachable Assertion (CVE-ID: CVE-2020-36230)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a reachable assertion when parsing the X.509 DN within the ber_next_element() function in decode.c. A remote attacker can send a specially crafted request to slapd and perform a denial of service (DoS) attack.

4) Type Confusion (CVE-ID: CVE-2020-36229)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a type confusion error in ldap_X509dn2bv when parsing X.509 DN in ad_keystring. A remote attacker can send a specially crafted request to slapd and crash it.

5) Integer underflow (CVE-ID: CVE-2020-36228)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to integer underflow when processing the certificate list exact assertion. A remote attacker can send a specially crafted request to the slapd, trigger integer underflow and perform a denial of service (DoS) attack.

6) Infinite loop (CVE-ID: CVE-2020-36227)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to infinite loop in slapd with the cancel_extop Cancel operation. A remote attacker can send a specially crafted request and perform a denial of service conditions.

7) Resource management error (CVE-ID: CVE-2020-36226)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper management of internal resources within the application leading to a memch->bv_len miscalculation during saslAuthzTo processing. A remote attacker can send specially crafted request to the slapd and perform a denial of service (DoS) attack.

8) Double Free (CVE-ID: CVE-2020-36225)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error in the saslAuthzTo processing. A remote attacker can send a specially crafted request to the slapd, trigger a double free error and perform a denial of service (DoS) attack

9) Double Free (CVE-ID: CVE-2020-36223)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error during the Values Return Filter control handling. A remote attacker can send a specially crafted request to the slapd, trigger a double free error and perform a denial of service (DoS) attack.

10) Reachable Assertion (CVE-ID: CVE-2020-36222)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a reachable assertion in slapd in the saslAuthzTo validation. A remote attacker can send a specially crafted request and perform a denial of service (DoS) attack.

Remediation

Install update from vendor's website.

References

• https://bugs.openldap.org/show_bug.cgi?id=9404
• https://bugs.openldap.org/show_bug.cgi?id=9424
• https://git.openldap.org/openldap/openldap/-/commit/38ac838e4150c626bbfa0082b7e2cf3a2bb4df31
• https://git.openldap.org/openldap/openldap/-/commit/58c1748e81c843c5b6e61648d2a4d1d82b47e842
• https://git.openldap.org/openldap/openldap/-/tags/OPENLDAP_REL_ENG_2_4_57
• https://lists.debian.org/debian-lts-announce/2021/02/msg00005.html
• https://www.debian.org/security/2021/dsa-4845
• https://bugs.openldap.org/show_bug.cgi?id=9409
• https://git.openldap.org/openldap/openldap/-/commit/554dff1927176579d652f2fe60c90e9abbad4c65
• https://git.openldap.org/openldap/openldap/-/commit/5a2017d4e61a6ddc4dcb4415028e0d08eb6bca26
• https://git.openldap.org/openldap/openldap/-/commit/c0b61a9486508e5202aa2e0cfb68c9813731b439
• https://git.openldap.org/openldap/openldap/-/commit/d169e7958a3e0dc70f59c8374bf8a59833b7bdd8
• https://bugs.openldap.org/show_bug.cgi?id=9423
• https://git.openldap.org/openldap/openldap/-/commit/8c1d96ee36ed98b32cd0e28b7069c7b8ea09d793
• https://bugs.openldap.org/show_bug.cgi?id=9425
• https://git.openldap.org/openldap/openldap/-/commit/4bdfffd2889c0c5cdf58bebafbdc8fce4bb2bff0
• https://bugs.openldap.org/show_bug.cgi?id=9427
• https://git.openldap.org/openldap/openldap/-/commit/91dccd25c347733b365adc74cb07d074512ed5ad
• https://bugs.openldap.org/show_bug.cgi?id=9428
• https://git.openldap.org/openldap/openldap/-/commit/9d0e8485f3113505743baabf1167e01e4558ccf5
• https://bugs.openldap.org/show_bug.cgi?id=9413
• https://bugs.openldap.org/show_bug.cgi?id=9412
• https://bugs.openldap.org/show_bug.cgi?id=9408
• https://git.openldap.org/openldap/openldap/-/commit/21981053a1195ae1555e23df4d9ac68d34ede9dd
• https://bugs.openldap.org/show_bug.cgi?id=9406
• https://bugs.openldap.org/show_bug.cgi?id=9407
• https://git.openldap.org/openldap/openldap/-/commit/02dfc32d658fadc25e4040f78e36592f6e1e1ca0
• https://git.openldap.org/openldap/openldap/-/commit/6ed057b5b728b50746c869bcc9c1f85d0bbbf6ed
• https://git.openldap.org/openldap/openldap/-/commit/6ed057b5b728b50746c869bcc9c1f85d0bbbf6ed.aa