
Nessus plugin REDHAT_UNPATCHED-389-DS-BASE-RHEL6.NASL
This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.
History: May 11, 2024 - 12:00 a.m.

RHEL 6 : 389-ds-base (Unpatched Vulnerability)

rhel 6
unpatched vulnerability
password brute-force
crypt password hash
denial of service
cleartext storage
sensitive information
cpu consumption
access control bypass

AI Score: 8.1 High

The remote Red Hat Enterprise Linux 6 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.

  • 389-ds-base: Password brute-force possible for locked account due to different return codes (CVE-2017-7551)

  • 389-ds-base: CRYPT password hash with asterisk allows any bind attempt to succeed (CVE-2021-3652)

  • 389-ds-base before versions, is vulnerable to a race condition in the way 389-ds-base handles persistent search, resulting in a crash if the server is under load. An anonymous attacker could use this flaw to trigger a denial of service. (CVE-2018-10850)

  • 389-ds-base before versions, is vulnerable to a Cleartext Storage of Sensitive Information. By default, when the Replica and/or retroChangeLog plugins are enabled, 389-ds-base stores passwords in plaintext format in their respective changelog files. An attacker with sufficiently high privileges, such as root or Directory Manager, can query these files in order to retrieve plaintext passwords. (CVE-2018-10871)

  • A vulnerability was discovered in 389-ds-base through versions, and The lock controlling the error log was not correctly used when re-opening the log file in log__error_emergency().
    An attacker could send a flood of modifications to a very large DN, which would cause slapd to crash.

  • A flaw was found in 389-ds-base before version The process ns-slapd crashes in delete_passwdPolicy function when persistent search connections are terminated unexpectedly leading to remote denial of service. (CVE-2018-14638)

  • A flaw was found in 389 Directory Server. A specially crafted search query could lead to excessive CPU consumption in the do_search() function. An unauthenticated attacker could use this flaw to provoke a denial of service. (CVE-2018-14648)

  • A flaw was found in the ‘deref’ plugin of 389-ds-base where it could use the ‘search’ permission to display attribute values. In some configurations, this could allow an authenticated attacker to view private attributes, such as password hashes. (CVE-2019-14824)

  • In 389-ds-base up to version, requests are handled by worker threads. Each socket is waited on by the worker for at most ‘ioblocktimeout’ seconds. However, this timeout applies only to unencrypted requests. Connections using SSL/TLS do not take this timeout into account during reads, and may hang longer. An unauthenticated attacker could repeatedly create hanging LDAP requests to hang all the workers, resulting in a denial of service. (CVE-2019-3883)

  • When binding against a DN during authentication, the reply from 389-ds-base differs depending on whether the DN exists. This can be used by an unauthenticated attacker to check the existence of an entry in the LDAP database. (CVE-2020-35518)

  • When using a sync_repl client in 389-ds-base, an authenticated attacker can cause a NULL pointer dereference using a specially crafted query, causing a crash. (CVE-2021-3514)

  • A vulnerability was discovered in the 389 Directory Server that allows an unauthenticated attacker with network access to the LDAP port to cause a denial of service. The denial of service is triggered by a single message sent over a TCP connection, no bind or other authentication is required. The message triggers a segmentation fault that results in slapd crashing. (CVE-2022-0918)

  • A vulnerability was found in the 389 Directory Server that allows expired passwords to access the database to cause improper authentication. (CVE-2022-0996)

  • An access control bypass vulnerability was found in 389-ds-base. What was first treated as a mishandling of the filter that merely yielded incorrect results has, as the investigation progressed, been determined to be an access control bypass. This may allow any remote unauthenticated user to issue a filter that allows searching for database items they do not have access to, including, potentially, userPassword hashes and other sensitive data. (CVE-2022-1949)

  • A flaw was found in 389-ds-base. When the Content Synchronization plugin is enabled, an authenticated user can reach a NULL pointer dereference using a specially crafted query. This flaw allows an authenticated attacker to cause a denial of service. This CVE is assigned against an incomplete fix of CVE-2021-3514.

  • A heap overflow flaw was found in 389-ds-base. This issue leads to a denial of service when writing a value larger than 256 chars in log_entry_attr. (CVE-2024-1062)

Note that Nessus has not tested for these issues but has instead relied on the package manager’s report that the package is installed.
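As an added defender's check, not part of the Nessus plugin above or of 389-ds-base itself, the script below parses an LDIF export and flags userPassword values stored with the {CRYPT} scheme whose hash field contains an asterisk, the condition behind CVE-2021-3652 in the list above. The LDIF content is constructed for the example; the page does not state the exact hash form that triggers the flaw, so the check treats any asterisk in the hash field as a finding (an assumption). Base64-encoded values (the `::` form) are decoded, since exports commonly write password attributes that way.

```python
"""Audit an LDIF export for {CRYPT} userPassword values whose hash field
contains an asterisk (the condition behind CVE-2021-3652)."""
import base64
import re

# Constructed sample export (not taken from the page). bob's password
# attribute is a {CRYPT} value whose hash is a bare asterisk; carol's is
# the same value, base64-encoded the way LDIF writes non-ASCII-safe values.
SAMPLE_LDIF = """version: 1

dn: uid=alice,ou=People,dc=example,dc=com
uid: alice
userPassword: {SSHA}c2FsdHNhbHRzYWx0c2FsdHNhbHQ=

dn: uid=bob,ou=People,dc=example,dc=com
uid: bob
userPassword: {CRYPT}*

dn: uid=carol,ou=People,dc=example,dc=com
uid: carol
userPassword:: e0NSWVBUfSo=
"""

# Matches a {CRYPT} scheme prefix (case-insensitive) and captures the hash field.
CRYPT_VALUE = re.compile(r"^\{crypt\}(?P<hash>.*)$", re.IGNORECASE)


def parse_ldif(text):
    """Minimal LDIF reader: unfolds continuation lines, decodes '::' base64
    values, and returns one dict (attribute name -> list of values) per entry."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # RFC 2849 line folding
        else:
            unfolded.append(raw)

    entries, current = [], {}
    for line in unfolded:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#") or (not current and line.lower().startswith("version:")):
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):             # 'attr:: <base64>' form
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def find_asterisk_crypt_hashes(entries):
    """Return (dn, userPassword value) pairs where the scheme is {CRYPT} and
    the hash field contains '*'. The page does not give the exact hash form
    that triggers the flaw, so any asterisk is treated as a finding (assumption)."""
    findings = []
    for entry in entries:
        dn = entry.get("dn", ["<entry without dn>"])[0]
        for value in entry.get("userpassword", []):
            match = CRYPT_VALUE.match(value)
            if match and "*" in match.group("hash"):
                findings.append((dn, value))
    return findings


def audit_ldif(text):
    """Parse an LDIF export and return the flagged (dn, value) pairs."""
    return find_asterisk_crypt_hashes(parse_ldif(text))


if __name__ == "__main__":
    for dn, value in audit_ldif(SAMPLE_LDIF):
        print(f"FLAG {dn}: userPassword={value}")
```

Run it against a real export (`python3 audit.py < export.ldif` after swapping SAMPLE_LDIF for `sys.stdin.read()`) on a server that cannot be patched; any entry it flags should get a proper password hash set rather than relying on the asterisk as a lock marker.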

# (C) Tenable, Inc.
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory 389-ds-base. The text
# itself is copyright (C) Red Hat, Inc.

include('compat.inc');

if (description)
{
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/05/11");

  script_name(english:"RHEL 6 : 389-ds-base (Unpatched Vulnerability)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Red Hat 6 host is affected by multiple vulnerabilities that will not be patched.");
  script_set_attribute(attribute:"description", value:
"The remote Red Hat Enterprise Linux 6 host has one or more packages installed that are affected by multiple
vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - 389-ds-base: Password brute-force possible for locked account due to different return codes (CVE-2017-7551)

  - 389-ds-base: CRYPT password hash with asterisk allows any bind attempt to succeed (CVE-2021-3652)

  - 389-ds-base before versions, is vulnerable to a race condition in the way 389-ds-base
    handles persistent search, resulting in a crash if the server is under load. An anonymous attacker could
    use this flaw to trigger a denial of service. (CVE-2018-10850)

  - 389-ds-base before versions, is vulnerable to a Cleartext Storage of Sensitive
    Information. By default, when the Replica and/or retroChangeLog plugins are enabled, 389-ds-base stores
    passwords in plaintext format in their respective changelog files. An attacker with sufficiently high
    privileges, such as root or Directory Manager, can query these files in order to retrieve plaintext
    passwords. (CVE-2018-10871)

  - A vulnerability was discovered in 389-ds-base through versions, and The lock
    controlling the error log was not correctly used when re-opening the log file in log__error_emergency().
    An attacker could send a flood of modifications to a very large DN, which would cause slapd to crash.

  - A flaw was found in 389-ds-base before version The process ns-slapd crashes in
    delete_passwdPolicy function when persistent search connections are terminated unexpectedly leading to
    remote denial of service. (CVE-2018-14638)

  - A flaw was found in 389 Directory Server. A specially crafted search query could lead to excessive CPU
    consumption in the do_search() function. An unauthenticated attacker could use this flaw to provoke a
    denial of service. (CVE-2018-14648)

  - A flaw was found in the 'deref' plugin of 389-ds-base where it could use the 'search' permission to
    display attribute values. In some configurations, this could allow an authenticated attacker to view
    private attributes, such as password hashes. (CVE-2019-14824)

  - In 389-ds-base up to version, requests are handled by worker threads. Each socket is waited on by
    the worker for at most 'ioblocktimeout' seconds. However, this timeout applies only to unencrypted
    requests. Connections using SSL/TLS do not take this timeout into account during reads, and may hang
    longer. An unauthenticated attacker could repeatedly create hanging LDAP requests to hang all the workers,
    resulting in a denial of service. (CVE-2019-3883)

  - When binding against a DN during authentication, the reply from 389-ds-base differs depending on whether
    the DN exists. This can be used by an unauthenticated attacker to check the existence of an entry in
    the LDAP database. (CVE-2020-35518)

  - When using a sync_repl client in 389-ds-base, an authenticated attacker can cause a NULL pointer
    dereference using a specially crafted query, causing a crash. (CVE-2021-3514)

  - A vulnerability was discovered in the 389 Directory Server that allows an unauthenticated attacker with
    network access to the LDAP port to cause a denial of service. The denial of service is triggered by a
    single message sent over a TCP connection, no bind or other authentication is required. The message
    triggers a segmentation fault that results in slapd crashing. (CVE-2022-0918)

  - A vulnerability was found in the 389 Directory Server that allows expired passwords to access the database
    to cause improper authentication. (CVE-2022-0996)

  - An access control bypass vulnerability was found in 389-ds-base. What was first treated as a mishandling
    of the filter that merely yielded incorrect results has, as the investigation progressed, been determined
    to be an access control bypass. This may allow any remote unauthenticated user to issue a filter that
    allows searching for database items they do not have access to, including, potentially, userPassword
    hashes and other sensitive data. (CVE-2022-1949)

  - A flaw was found in 389-ds-base. When the Content Synchronization plugin is enabled, an authenticated user
    can reach a NULL pointer dereference using a specially crafted query. This flaw allows an authenticated
    attacker to cause a denial of service. This CVE is assigned against an incomplete fix of CVE-2021-3514.

  - A heap overflow flaw was found in 389-ds-base. This issue leads to a denial of service when writing a
    value larger than 256 chars in log_entry_attr. (CVE-2024-1062)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package
is installed.");
  script_set_attribute(attribute:"solution", value:
"The vendor has acknowledged the vulnerabilities but no solution has been provided. Refer to the vendor for remediation
guidance.");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-3652");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2017-7551");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"vendor_unpatched", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/07/31");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/05/11");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:389-ds-base");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Red Hat Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl", "redhat_repos.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");

  exit(0);
}

include('rpm.inc');

# The unpatched-vulnerability checks only run when the scan policy enables them.
if (!get_kb_item("global_settings/vendor_unpatched"))
  exit(0, "Unpatched Vulnerabilities Detection not active.");

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/RedHat/release');
if (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');
var os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');
os_ver = os_ver[1];
if (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '6')) audit(AUDIT_OS_NOT, 'Red Hat 6.x', 'Red Hat ' + os_ver);

if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);

# One constraint set: the 389-ds-base package on RHEL 6, compared with RPM spec version semantics.
var constraints = [
  {
    'pkgs': [
      {'reference':'389-ds-base', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'389-ds-base'}
    ]
  }
];

var flag = 0;
foreach var constraint_array ( constraints ) {
  var repo_relative_urls = NULL;
  var enterprise_linux_flag = rhel_repo_urls_has_content_dist_rhel(repo_urls:repo_relative_urls);
  foreach var pkg ( constraint_array['pkgs'] ) {
    var unpatched_pkg = NULL;
    var _release = NULL;
    var sp = NULL;
    var el_string = NULL;
    var rpm_spec_vers_cmp = NULL;
    var exists_check = NULL;
    var cves = NULL;
    if (!empty_or_null(pkg['unpatched_pkg'])) unpatched_pkg = pkg['unpatched_pkg'];
    if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (unpatched_pkg &&
        _release &&
        (!exists_check || rpm_exists(release:_release, rpm:exists_check)) &&
        unpatched_package_exists(release:_release, package:unpatched_pkg, cves: cves)) flag++;
  }
}

if (flag)
{
  var extra = NULL;
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : unpatched_packages_report()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, '389-ds-base');
}
