slapd in OpenLDAP before 2.4.30 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via an LDAP search query with attrsOnly set to true, which causes empty attributes to be returned.

The remote host is running a version of macOS / Mac OS X that is 10.13.x prior to 10.13.6 Security Update 2019-007, 10.14.x prior to 10.14.6 Security Update 2019-002, or 10.15.x prior to 10.15.2. It is, therefore, affected by multiple vulnerabilities :

  - slapd in OpenLDAP before 2.4.30 allows remote attackers     to cause a denial of service (assertion failure and     daemon exit) via an LDAP search query with attrsOnly set     to true, which causes empty attributes to be returned.
    (CVE-2012-1164)

  - libraries/libldap/tls_m.c in OpenLDAP, possibly 2.4.31     and earlier, when using the Mozilla NSS backend, always     uses the default cipher suite even when TLSCipherSuite     is set, which might cause OpenLDAP to use weaker ciphers     than intended and make it easier for remote attackers to     obtain sensitive information. (CVE-2012-2668)

  - The rwm overlay in OpenLDAP 2.4.23, 2.4.36, and earlier     does not properly count references, which allows remote     attackers to cause a denial of service (slapd crash) by     unbinding immediately after a search request, which     triggers rwm_conn_destroy to free the session context     while it is being used by rwm_op_search. (CVE-2013-4449)

  - The deref_parseCtrl function in     servers/slapd/overlays/deref.c in OpenLDAP 2.4.13     through 2.4.40 allows remote attackers to cause a denial     of service (NULL pointer dereference and crash) via an     empty attribute list in a deref control in a search     request. (CVE-2015-1545)

  - tcpdump before 4.9.3 has a heap-based buffer over-read     related to aoe_print in print-aoe.c and lookup_emem in     addrtoname.c. (CVE-2017-16808)

  - tcpdump before 4.9.3 mishandles the printing of SMB data     (issue 1 of 2). (CVE-2018-10103)

  - tcpdump before 4.9.3 mishandles the printing of SMB data     (issue 2 of 2). (CVE-2018-10105)

  - The LDP parser in tcpdump before 4.9.3 has a buffer     over-read in print-ldp.c:ldp_tlv_print().
    (CVE-2018-14461)

  - The ICMP parser in tcpdump before 4.9.3 has a buffer     over-read in print-icmp.c:icmp_print(). (CVE-2018-14462)

  - The VRRP parser in tcpdump before 4.9.3 has a buffer     over-read in print-vrrp.c:vrrp_print(). (CVE-2018-14463)

  - The LMP parser in tcpdump before 4.9.3 has a buffer     over-read in print-lmp.c:lmp_print_data_link_subobjs().
    (CVE-2018-14464)

  - The RSVP parser in tcpdump before 4.9.3 has a buffer     over-read in print-rsvp.c:rsvp_obj_print().
    (CVE-2018-14465)

  - The Rx parser in tcpdump before 4.9.3 has a buffer over-     read in print-rx.c:rx_cache_find() and     rx_cache_insert(). (CVE-2018-14466)

  - The BGP parser in tcpdump before 4.9.3 has a buffer     over-read in print-bgp.c:bgp_capabilities_print()     (BGP_CAPCODE_MP). (CVE-2018-14467)

  - The FRF.16 parser in tcpdump before 4.9.3 has a buffer     over-read in print-fr.c:mfr_print(). (CVE-2018-14468)

  - The IKEv1 parser in tcpdump before 4.9.3 has a buffer     over-read in print-isakmp.c:ikev1_n_print().
    (CVE-2018-14469)

  - The Babel parser in tcpdump before 4.9.3 has a buffer     over-read in print-babel.c:babel_print_v2().
    (CVE-2018-14470)

  - The command-line argument parser in tcpdump before 4.9.3     has a buffer overflow in tcpdump.c:get_next_file().
    (CVE-2018-14879)

  - The OSPFv3 parser in tcpdump before 4.9.3 has a buffer     over-read in print-ospf6.c:ospf6_print_lshdr().
    (CVE-2018-14880)

  - The BGP parser in tcpdump before 4.9.3 has a buffer     over-read in print-bgp.c:bgp_capabilities_print()     (BGP_CAPCODE_RESTART). (CVE-2018-14881)

  - The ICMPv6 parser in tcpdump before 4.9.3 has a buffer     over-read in print-icmp6.c. (CVE-2018-14882)

  - The IEEE 802.11 parser in tcpdump before 4.9.3 has a     buffer over-read in print-802_11.c for the Mesh Flags     subfield. (CVE-2018-16227)

  - The HNCP parser in tcpdump before 4.9.3 has a buffer     over-read in print-hncp.c:print_prefix().
    (CVE-2018-16228)

  - The DCCP parser in tcpdump before 4.9.3 has a buffer     over-read in print-dccp.c:dccp_print_option().
    (CVE-2018-16229)

  - The BGP parser in tcpdump before 4.9.3 has a buffer     over-read in print-bgp.c:bgp_attr_print()     (MP_REACH_NLRI). (CVE-2018-16230)

  - The BGP parser in tcpdump before 4.9.3 allows stack     consumption in print-bgp.c:bgp_attr_print() because of     unlimited recursion. (CVE-2018-16300)

  - libpcap before 1.9.1, as used in tcpdump before 4.9.3,     has a buffer overflow and/or over-read because of errors     in pcapng reading. (CVE-2018-16301)

  - The SMB parser in tcpdump before 4.9.3 has buffer over-     reads in print-smb.c:print_trans() for \MAILSLOT\BROWSE     and \PIPE\LANMAN. (CVE-2018-16451)

  - The SMB parser in tcpdump before 4.9.3 has stack     exhaustion in smbutil.c:smb_fdata() via recursion.
    (CVE-2018-16452)

  - An issue was discovered in the server in OpenLDAP before     2.4.48. When the server administrator delegates rootDN     (database admin) privileges for certain databases but     wants to maintain isolation (e.g., for multi-tenant     deployments), slapd does not properly stop a rootDN from     requesting authorization as an identity from another     database during a SASL bind or with a proxyAuthz (RFC     4370) control. (It is not a common configuration to     deploy a system where the server administrator and a DB     administrator enjoy different levels of trust.)     (CVE-2019-13057)

  - An issue was discovered in OpenLDAP 2.x before 2.4.48.
    When using SASL authentication and session encryption,     and relying on the SASL security layers in slapd access     controls, it is possible to obtain access that would     otherwise be denied via a simple bind for any identity     covered in those ACLs. After the first SASL bind is     completed, the sasl_ssf value is retained for all new     non-SASL connections. Depending on the ACL     configuration, this can affect different types of     operations (searches, modifications, etc.). In other     words, a successful authorization step completed by one     user affects the authorization requirement for a     different user. (CVE-2019-13565)

  - rpcapd/daemon.c in libpcap before 1.9.1 mishandles     certain length values because of reuse of a variable.
    This may open up an attack vector involving extra data     at the end of a request. (CVE-2019-15161)

  - rpcapd/daemon.c in libpcap before 1.9.1 on non-Windows     platforms provides details about why authentication     failed, which might make it easier for attackers to     enumerate valid usernames. (CVE-2019-15162)

  - rpcapd/daemon.c in libpcap before 1.9.1 allows attackers     to cause a denial of service (NULL pointer dereference     and daemon crash) if a crypt() call fails.
    (CVE-2019-15163)

  - rpcapd/daemon.c in libpcap before 1.9.1 allows SSRF     because a URL may be provided as a capture source.
    (CVE-2019-15164)

  - sf-pcapng.c in libpcap before 1.9.1 does not properly     validate the PHB header length before allocating memory.
    (CVE-2019-15165)

  - lmp_print_data_link_subobjs() in print-lmp.c in tcpdump     before 4.9.3 lacks certain bounds checks.
    (CVE-2019-15166)

  - In libexpat before 2.2.8, crafted XML input could fool     the parser into changing from DTD parsing to document     parsing too early; a consecutive call to     XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber)     then resulted in a heap-based buffer over-read.
    (CVE-2019-15903)

Note that Nessus has not tested for this issue but has instead relied only on the operating system's self-reported version number.

The remote Ubuntu 14.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-2622-1 advisory.

    It was discovered that OpenLDAP incorrectly handled certain search queries that returned empty attributes.
    A remote attacker could use this issue to cause OpenLDAP to assert, resulting in a denial of service. This     issue only affected Ubuntu 12.04 LTS. (CVE-2012-1164)

    Michael Vishchers discovered that OpenLDAP improperly counted references when the rwm overlay was used. A     remote attacker could use this issue to cause OpenLDAP to crash, resulting in a denial of service.
    (CVE-2013-4449)

    It was discovered that OpenLDAP incorrectly handled certain empty attribute lists in search requests. A     remote attacker could use this issue to cause OpenLDAP to crash, resulting in a denial of service.
    (CVE-2015-1545)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote host is affected by the vulnerability described in GLSA-201406-36 (OpenLDAP: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in OpenLDAP. Please review       the CVE identifiers referenced below for details.
  Impact :

    A remote attacker might employ a specially crafted certificate to       conduct man-in-the-middle attacks on SSL connections made using OpenLDAP,       bypass security restrictions or cause a Denial of Service condition.
  Workaround :

    There is no known workaround at this time.

A denial of service flaw was found in the way the OpenLDAP server daemon (slapd) processed certain search queries requesting only attributes and no values. In certain configurations, a remote attacker could issue a specially crafted LDAP search query that, when processed by slapd, would cause slapd to crash due to an assertion failure.
(CVE-2012-1164)

The remote Oracle Linux 6 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2012-0899 advisory.

    - security fix: CVE-2012-1164: assertion failure by processing search queries       requesting only attributes for particular entry (#813162)

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

A vulnerability was found and corrected in openldap :

slapd in OpenLDAP before 2.4.30 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via an LDAP search query with attrsOnly set to true, which causes empty attributes to be returned (CVE-2012-1164).

The updated packages have been patched to correct this issue.

OpenLDAP is an open source suite of LDAP (Lightweight Directory Access Protocol) applications and development tools.

A denial of service flaw was found in the way the OpenLDAP server daemon (slapd) processed certain search queries requesting only attributes and no values. In certain configurations, a remote attacker could issue a specially crafted LDAP search query that, when processed by slapd, would cause slapd to crash due to an assertion failure.
(CVE-2012-1164)

These updated openldap packages include numerous bug fixes.

Users of OpenLDAP are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, the OpenLDAP daemons will be restarted automatically.

security and bug fix update

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Updated openldap packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

OpenLDAP is an open source suite of LDAP (Lightweight Directory Access Protocol) applications and development tools.

A denial of service flaw was found in the way the OpenLDAP server daemon (slapd) processed certain search queries requesting only attributes and no values. In certain configurations, a remote attacker could issue a specially crafted LDAP search query that, when processed by slapd, would cause slapd to crash due to an assertion failure.
(CVE-2012-1164)

These updated openldap packages include numerous bug fixes. Space precludes documenting all of these changes in this advisory. Users are directed to the Red Hat Enterprise Linux 6.3 Technical Notes for information on the most significant of these changes.

Users of OpenLDAP are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, the OpenLDAP daemons will be restarted automatically.

The remote Redhat Enterprise Linux 6 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2012:0899 advisory.

    OpenLDAP is an open source suite of LDAP (Lightweight Directory Access     Protocol) applications and development tools.

    A denial of service flaw was found in the way the OpenLDAP server daemon     (slapd) processed certain search queries requesting only attributes and no     values. In certain configurations, a remote attacker could issue a     specially-crafted LDAP search query that, when processed by slapd, would     cause slapd to crash due to an assertion failure. (CVE-2012-1164)

    These updated openldap packages include numerous bug fixes. Space precludes     documenting all of these changes in this advisory. Users are directed to     the Red Hat Enterprise Linux 6.3 Technical Notes for information on the     most significant of these changes.

    Users of OpenLDAP are advised to upgrade to these updated packages, which     contain backported patches to correct these issues. After installing this     update, the OpenLDAP daemons will be restarted automatically.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
131957	macOS 10.15.x < 10.15.2 / 10.14.x < 10.14.6 Security Update 2019-002 / 10.13.x < 10.13.6 Security Update 2019-007	Nessus	MacOS X Local Security Checks	critical
83863	Ubuntu 14.04 LTS : OpenLDAP vulnerabilities (USN-2622-1)	Nessus	Ubuntu Local Security Checks	critical
76331	GLSA-201406-36 : OpenLDAP: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	medium
69591	Amazon Linux AMI : openldap (ALAS-2012-101)	Nessus	Amazon Linux Local Security Checks	low
68559	Oracle Linux 6 : openldap (ELSA-2012-0899)	Nessus	Oracle Linux Local Security Checks	high
61979	Mandriva Linux Security Advisory : openldap (MDVSA-2012:130)	Nessus	Mandriva Local Security Checks	low
61344	Scientific Linux Security Update : openldap on SL6.x i386/x86_64 (20120620)	Nessus	Scientific Linux Local Security Checks	low
60007	Fedora 16 : openldap-2.4.26-8.fc16 (2012-10023)	Nessus	Fedora Local Security Checks	medium
59930	CentOS 6 : openldap (CESA-2012:0899)	Nessus	CentOS Local Security Checks	low
59595	RHEL 6 : openldap (RHSA-2012:0899)	Nessus	Red Hat Local Security Checks	high

Detections

Analytics

CVE-2012-1164

high

Tenable Plugins

critical

critical

medium

low

high

low

low

medium

low

high