CVE-2017-14159 in OpenLDAP
Summary
by MITRE
slapd in OpenLDAP 2.4.45 and earlier creates a PID file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for PID file modification before a root script executes a "kill `cat /pathname`" command, as demonstrated by openldap-initscript.
Analysis
by VulDB Data Team • 11/13/2019
The vulnerability identified as CVE-2017-14159 affects slapd, the OpenLDAP server daemon, in versions 2.4.45 and earlier. It stems from the order of operations at startup: slapd writes its PID file only after it has already switched from root to its unprivileged service account (on Debian-derived systems the openldap user; the account name is distribution-specific). The file is therefore owned and writable by that account, so a local attacker who controls it, for example by compromising slapd itself or by holding a shell as that user, can replace the file's contents before a root-run script reads them.
The init script is the other half of the problem. openldap-initscript stops the daemon with the idiom kill `cat /pathname`: it reads whatever integer the PID file contains and, running as root, signals that process without checking that the number still refers to slapd. Substituting the PID of another process, such as a root-owned daemon, makes the root-owned kill terminate that process instead. The exploitable window lies between the service account writing the file and root consuming it, which is why the issue is classified as a race-style weakness, although in practice the attacker can write the file at any time and simply wait for the next stop or restart of the service.
The issue is classified under CWE-284 (improper access control) and CWE-362 (concurrent execution using a shared resource with improper synchronization). The direct impact is arbitrary process termination with root privileges: the service account gains an action that should be reserved for root, namely sending signals to processes it does not own. On its own this is a denial of service against whatever process the attacker names, not code execution as root; anything beyond that depends on what the terminated process was guarding (a security monitor, a supervisor, a service whose restart path the attacker can influence).
The scenario matters because it requires only local access to the non-root service account, an account that routinely exists on LDAP servers and that a remote compromise of slapd would hand to an attacker. It exposes a faulty assumption: that a file a daemon creates after dropping privileges can still be trusted by privileged code. The general rule is that root must never act on data controlled by a less privileged account without validating it, and init scripts that perform privileged operations are exactly where that rule tends to be broken.
Mitigation has two independent parts. On the daemon side, the PID file should be created while still running as root, in a root-owned directory and with a mode that lets only root write it, so that a later compromise of the service account cannot alter it. On the init-script side, the script should never signal a PID taken from a file without checks: the file must not be world-writable or a symlink, its owner must be the expected one, its contents must be a single positive integer, and the process with that PID must actually be slapd running as the service user (on Linux, compare /proc/PID/comm or /proc/PID/exe and the uid from /proc/PID/status) before any kill is issued. Tools such as start-stop-daemon already do this when invoked with --pidfile together with --exec and --user as matching criteria. Administrators should review openldap-initscript and any locally written wrapper for the bare kill `cat ...` pattern, and treat every privilege transition during service startup as a boundary that needs the same scrutiny as a network interface.
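The following is an added example of the init-script side of the fix, written here and not taken from OpenLDAP or from any distribution's openldap init script. It keeps the vulnerable idiom as a comment for contrast and replaces it with a stop routine that validates the PID file (owner, mode, contents) and the named process (command name and uid) before signalling. It assumes a one-integer PID file, a Linux /proc filesystem with ps as a fallback, and that the caller knows which user the daemon runs as; the path /var/run/slapd/slapd.pid and the user name openldap in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: a PID-file "stop" routine that does not trust the file blindly.
# Not from OpenLDAP or any distribution's openldap init script.
#
# Vulnerable pattern from the advisory, for contrast (do NOT use):
#     kill `cat /var/run/slapd/slapd.pid`
# If slapd wrote that file after setuid() to the service account, whoever
# controls that account can put any PID in it, and the root init script
# delivers the signal to that process.

# proc_comm PID   -> command name of PID (Linux /proc first, ps as fallback)
proc_comm() {
    if [ -r "/proc/$1/comm" ]; then
        cat "/proc/$1/comm"
    else
        ps -o comm= -p "$1" 2>/dev/null | sed 's/^ *//;s/ *$//'
    fi
}

# proc_uid PID    -> real uid of PID, or nothing if it is not running
proc_uid() {
    if [ -r "/proc/$1/status" ]; then
        awk '/^Uid:/ { print $2; exit }' "/proc/$1/status"
    else
        ps -o uid= -p "$1" 2>/dev/null | tr -d ' '
    fi
}

# pidfile_pid FILE OWNER
# Prints the PID held in FILE only if FILE is a regular file (not a symlink)
# owned by OWNER, not writable by others, and holding one integer greater
# than 1. Returns 1 otherwise. For slapd OWNER would be root, which requires
# the daemon to write the file before dropping privileges (the daemon-side fix).
pidfile_pid() {
    f=$1 owner=$2
    [ -f "$f" ] && [ ! -L "$f" ] || return 1
    [ -n "$(find "$f" -user "$owner" ! -perm -002 2>/dev/null)" ] || return 1
    p=$(head -n 1 "$f" | tr -d '[:space:]')
    case $p in
        ''|*[!0-9]*) return 1 ;;   # empty or not a decimal integer
    esac
    [ "$p" -gt 1 ] || return 1     # never signal PID 0 (process group) or 1 (init)
    printf '%s\n' "$p"
}

# pid_matches PID COMM USER
# Returns 0 only if PID is alive, its command name is COMM and it runs as USER.
pid_matches() {
    want_comm=$2 want_user=$3
    c=$(proc_comm "$1")
    [ -n "$c" ] || return 1
    [ "$(basename "$c")" = "$want_comm" ] || return 1
    [ "$(proc_uid "$1")" = "$(id -u "$want_user")" ] || return 1
}

# safe_stop PIDFILE FILE_OWNER DAEMON_COMM DAEMON_USER [SIGNAL]
# Hardened replacement for `kill $(cat PIDFILE)`. Exit status:
#   0 signal delivered, 2 PID file rejected, 3 PID is not the expected daemon.
safe_stop() {
    sig=${5:-TERM}
    target=$(pidfile_pid "$1" "$2") || return 2
    pid_matches "$target" "$3" "$4" || return 3
    kill -"$sig" "$target"
}

# Intended use from an init script (assumed path and service user name):
#   safe_stop /var/run/slapd/slapd.pid root slapd openldap
```

The two checks are deliberately separate: pidfile_pid rejects a file the service account could have tampered with, and pid_matches rejects a PID that does not belong to the daemon even when the file looks clean, so a stale file reused by an unrelated process after a reboot is also caught. Passing 0 as the signal lets a script dry-run the validation without stopping anything.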