LDAP Authentication leads to CVE 2007-2038

Actual behaviour

Hello everyone,

We have installed OC 10.2.1 on Debian 9.11. Users are authenticated with an A.D. 2012,
and we’ve been experiencing this problem for a couple of weeks:
the IPS of our Checkpoint firewall detects the following vulnerability at each connection
of the OC server with the domain controller.

CVE-2007-3028 The LDAP service in Windows Active Directory in Microsoft Windows 2000 Server SP4
does not properly check “the number of convertible attributes”, which allows remote
attackers to cause a denial of service (service unavailability) via a crafted LDAP
request, related to “client sent LDAP request logic,” aka “Windows Active Directory
Denial of Service Vulnerability”.
NOTE: this is probably a different issue than CVE-2007-0040.

Does someone know something about this?

Server configuration

Operating system: Debian 9.11

Web server: Apache/2.4.25

Database: mysql Ver 15.1 Distrib 10.1.41-MariaDB, for debian-linux-gnu (x86_64) using readline 5.2

PHP version: PHP 7.0.33-0+deb9u3

ownCloud version: 10.2.1

Updated from an older ownCloud or fresh install: updated

Where did you install ownCloud from: wget https://download.owncloud.org/community/owncloud-10.2.1.tar.bz2

Signing status (ownCloud 9.0 and above): No errors have been found.

The content of config/config.php:

{
    "system": {
        "instanceid": "5278a9c589de9",
        "passwordsalt": "REMOVED SENSITIVE VALUE",
        "datadirectory": "/home/owncloud/www/owncloud/data",
        "dbtype": "mysql",
        "version": "10.2.1.4",
        "dbname": "bd_owncloud",
        "dbhost": "localhost",
        "dbtableprefix": "oc_",
        "dbuser": "REMOVED SENSITIVE VALUE",
        "dbpassword": "REMOVED SENSITIVE VALUE",
        "default_language": "fr",
        "installed": true,
        "forcessl": true,
        "loglevel": 2,
        "log_authfailip": true,
        "maintenance": false,
        "trusted_domains": [
            "isicloud.inrs.fr",
            "193.203.109.63"
        ],
        "ldapIgnoreNamingRules": false,
        "ldapUserCleanupInterval": 15,
        "secret": "REMOVED SENSITIVE VALUE",
        "trashbin_retention_obligation": "auto",
        "mail_smtpmode": "php",
        "log_rotate_size": 1048576
    }
}

List of activated apps:

Enabled:

  • activity: 2.5.0
  • comments: 0.3.0
  • configreport: 0.2.0
  • dav: 0.4.0
  • federatedfilesharing: 0.4.0
  • federation: 0.1.0
  • files: 1.5.2
  • files_external: 0.7.1
  • files_pdfviewer: 0.11.0
  • files_sharing: 0.11.0
  • files_texteditor: 2.3.0
  • files_trashbin: 0.9.1
  • files_versions: 1.3.0
  • files_videoplayer: 0.10.1
  • gallery: 16.1.1
  • impersonate: 0.5.0
  • market: 0.5.0
  • notifications: 0.5.0
  • provisioning_api: 0.5.0
  • systemtags: 0.3.0
  • templateeditor: 0.4.0
  • updatenotification: 0.2.1
  • user_ldap: 0.13.0
Disabled:
  • encryption
  • external
  • firstrunwizard
  • user_external

Are you using external storage, if yes which one: NO

Are you using encryption: NO

Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory

LDAP configuration (delete this part if not used)

+-------------------------------+----------------------------------------------------------------------------------------------------+
| Configuration                 | s01                                                                                                |
+-------------------------------+----------------------------------------------------------------------------------------------------+
| hasMemberOfFilterSupport      | 1                                                                                                  |
| hasPagedResultSupport         |                                                                                                    |
| homeFolderNamingRule          |                                                                                                    |
| lastJpegPhotoLookup           | 0                                                                                                  |
| ldapAgentName                 | CN=,OU=,DC=,DC=                                                                                    |
| ldapAgentPassword             | ***                                                                                                |
| ldapAttributesForGroupSearch  |                                                                                                    |
| ldapAttributesForUserSearch   |                                                                                                    |
| ldapBackupHost                |                                                                                                    |
| ldapBackupPort                |                                                                                                    |
| ldapBase                      | DC=*,DC=                                                                                           |
| ldapBaseGroups                | DC=*,DC=                                                                                           |
| ldapBaseUsers                 | DC=*,DC=                                                                                           |
| ldapCacheTTL                  | 600                                                                                                |
| ldapConfigurationActive       | 1                                                                                                  |
| ldapDynamicGroupMemberURL     |                                                                                                    |
| ldapEmailAttribute            | mail                                                                                               |
| ldapExperiencedAdmin          | 0                                                                                                  |
| ldapExpertUUIDGroupAttr       |                                                                                                    |
| ldapExpertUUIDUserAttr        | objectguid                                                                                         |
| ldapExpertUsernameAttr        |                                                                                                    |
| ldapGroupDisplayName          | cn                                                                                                 |
| ldapGroupFilter               | (&(|(objectclass=group))(|(cn=******)))                                                            |
| ldapGroupFilterGroups         |                                                                                                    |
| ldapGroupFilterMode           | 0                                                                                                  |
| ldapGroupFilterObjectclass    | group                                                                                              |
| ldapGroupMemberAssocAttr      | member                                                                                             |
| ldapHost                      | ldap://XXX.XXX.XXX.XXX                                                                             |
| ldapIgnoreNamingRules         |                                                                                                    |
| ldapLoginFilter               | (&(&(|(objectclass=user))(|(memberof=CN=,OU=*,DC=*,DC=)))(|(samaccountname=%uid)(|(sAMAccountName=%uid)))) |
| ldapLoginFilterAttributes     | sAMAccountName                                                                                     |
| ldapLoginFilterEmail          | 0                                                                                                  |
| ldapLoginFilterMode           | 0                                                                                                  |
| ldapLoginFilterUsername       | 1                                                                                                  |
| ldapNestedGroups              | 0                                                                                                  |
| ldapOverrideMainServer        | 0                                                                                                  |
| ldapPagingSize                | 500                                                                                                |
| ldapPort                      | 389                                                                                                |
| ldapQuotaAttribute            |                                                                                                    |
| ldapQuotaDefault              |                                                                                                    |
| ldapTLS                       | 0                                                                                                  |
| ldapUserDisplayName           | displayname                                                                                        |
| ldapUserDisplayName2          |                                                                                                    |
| ldapUserFilter                | (&(|(objectclass=user))(|(memberof=CN=******,OU=***,DC=*,DC=)))                                    |
| ldapUserFilterGroups          | ********                                                                                           |
| ldapUserFilterMode            | 0                                                                                                  |
| ldapUserFilterObjectclass     | user                                                                                               |
| ldapUserName                  | samaccountname                                                                                     |
| ldapUuidGroupAttribute        | auto                                                                                               |
| ldapUuidUserAttribute         | auto                                                                                               |
| turnOffCertCheck              | 0                                                                                                  |
| useMemberOfToDetectMembership | 1                                                                                                  |
+-------------------------------+----------------------------------------------------------------------------------------------------+

Client configuration

Browser:

Operating system:

Logs

Web server error log

Insert your webserver log here

ownCloud log (data/owncloud.log)

{"reqId":"FYpANvSu1Yt4KfxF9A2D","level":2,"time":"2019-10-15T09:17:47+00:00","remoteAddr":"193.203.108.17","user":"--","app":"OC\\Log\\Rotate","method":"GET","url":"\/cron.php","message":"Log file \"\/home\/owncloud\/www\/owncloud\/data\/owncloud.log\" was over 1048576 bytes, moved to \"\/home\/owncloud\/www\/owncloud\/data\/owncloud.log.1\""}
{"reqId":"UubHFMjflizZlkdSQGAi","level":3,"time":"2019-10-15T09:20:11+00:00","remoteAddr":"193.203.108.17","user":"--","app":"OC\\Files\\Filesystem","method":"GET","url":"\/cron.php","message":"Backends provided no user object for 75C6E339-10C3-4960-B2FE-05D47AEA94E8"}
{"reqId":"dgc3pMMeSEswHveE9eff","level":3,"time":"2019-10-15T09:24:17+00:00","remoteAddr":"185.24.185.25","user":"--","app":"OC\\Files\\Node\\Root","method":"GET","url":"\/index.php\/s\/ud91g2eT3KaeeL7","message":"Backends provided no user object for F8679E05-951C-4DD8-B8D9-5CC8C5EA6067"}
{"reqId":"dgc3pMMeSEswHveE9eff","level":3,"time":"2019-10-15T09:24:17+00:00","remoteAddr":"185.24.185.25","user":"--","app":"index","method":"GET","url":"\/index.php\/s\/ud91g2eT3KaeeL7","message":"Exception: {\"Exception\":\"OC\\\\User\\\\NoUserException\",\"Message\":\"Backends provided no user object for F8679E05-951C-4DD8-B8D9-5CC8C5EA6067\",\"Code\":0,\"Trace\":\"#0 \\\/home\\\/owncloud\\\/www\\\/owncloud\\\/lib\\\/private\\\/Files\\\/Node\\\/LazyRoot.php(64): OC\\\\Files\\\\Node\\\\Root->getUserFolder('F8679E05-951C-4...')\\n#1 \\\/home\\\/owncloud\\\/www\\\/owncloud\\\/lib\\\/private\\\/Files\\\/Node\\\/LazyRoot.php(281): OC\\\\Files\\\\Node\\\\LazyRoot->__call('getUserFolder', Array)\\n#2 \\\/home\\\/owncloud\\\/www\\\/owncloud\\\/lib\\\/private\\\/Share20\\\/Share.php(168): OC\\\\Files\\\\Node\\\\LazyRoot->getUserFolder('F8679E05-951C-4...')\\n#3 \\\/home\\\/owncloud\\\/www\\\/owncloud\\\/apps\\\/files_sharing\\\/lib\\\/Controllers\\\/ShareController.php(260): OC\\\\Share20\\\\Share->getNode()\\n#4 \\\/home\\\/owncloud\\\/www\\\/owncloud\\\/apps\\\/files_sharing\\\/lib\\\/Controllers\\\/ShareController.php(291): OCA\\\\Files_Sharing\\\\Controllers\\\\ShareController->validateShare(Object(OC\\\\Share20\\\\Share))\\n#5 \\\/home\\\/owncloud\\\/www\\\/owncloud\\\/lib\\\/private\\\/AppFramework\\\/Http\\\/Dispatcher.php(153): OCA\\\\Files_Sharing\\\\Controllers\\\\ShareController->showShare('ud91g2eT3KaeeL7', '')\\n#6 \\\/home\\\/owncloud\\\/www\\\/owncloud\\\/lib\\\/private\\\/AppFramework\\\/Http\\\/Dispatcher.php(85): OC\\\\AppFramework\\\\Http\\\\Dispatcher->executeController(Object(OCA\\\\Files_Sharing\\\\Controllers\\\\ShareController), 'showShare')\\n#7 \\\/home\\\/owncloud\\\/www\\\/owncloud\\\/lib\\\/private\\\/AppFramework\\\/App.php(100): OC\\\\AppFramework\\\\Http\\\\Dispatcher->dispatch(Object(OCA\\\\Files_Sharing\\\\Controllers\\\\ShareController), 'showShare')\\n#8 \\\/home\\\/owncloud\\\/www\\\/owncloud\\\/lib\\\/public\\\/AppFramework\\\/App.php(132): OC\\\\AppFramework\\\\App::main('ShareController', 'showShare', Object(OC\\\\AppFramework\\\\DependencyInjection\\\\DIContainer))\\n#9 \\\/home\\\/owncloud\\\/www\\\/owncloud\\\/core\\\/routes.php(90): OCP\\\\AppFramework\\\\App->dispatch('ShareController', 'showShare')\\n#10 \\\/home\\\/owncloud\\\/www\\\/owncloud\\\/lib\\\/private\\\/Route\\\/Router.php(342): OC\\\\Route\\\\Router->{closure}(Array)\\n#11 \\\/home\\\/owncloud\\\/www\\\/owncloud\\\/lib\\\/base.php(911): OC\\\\Route\\\\Router->match('\\\/s\\\/ud91g2eT3Kae...')\\n#12 \\\/home\\\/owncloud\\\/www\\\/owncloud\\\/index.php(54): OC::handleRequest()\\n#13 {main}\",\"File\":\"\\\/home\\\/owncloud\\\/www\\\/owncloud\\\/lib\\\/private\\\/Files\\\/Node\\\/Root.php\",\"Line\":351}"}
{"reqId":"yUyqE9fuAR3Q5RoKn90f","level":3,"time":"2019-10-15T09:35:31+00:00","remoteAddr":"185.24.185.25","user":"--","app":"OC\\Files\\Node\\Root","method":"GET","url":"\/index.php\/s\/ud91g2eT3KaeeL7","message":"Backends provided no user object for F8679E05-951C-4DD8-B8D9-5CC8C5EA6067"}
{"reqId":"yUyqE9fuAR3Q5RoKn90f","level":3,"time":"2019-10-15T09:35:31+00:00","remoteAddr":"185.24.185.25","user":"--","app":"index","method":"GET","url":"\/index.php\/s\/ud91g2eT3KaeeL7","message":"Exception: {\"Exception\":\"OC\\\\User\\\\NoUserException\",\"Message\":\"Backends provided no user object for F8679E05-951C-4DD8-B8D9-5CC8C5EA6067\",\"Code\":0,\"Trace\":\"#0 \\\/home\\\/owncloud\\\/www\\\/owncloud\\\/lib\\\/private\\\/Files\\\/Node\\\/LazyRoot.php(64): OC\\\\Files\\\\Node\\\\Root->getUserFolder('F8679E05-951C-4...')\\n#1 \\\/home\\\/owncloud\\\/www\\\/owncloud\\\/lib\\\/private\\\/Files\\\/Node\\\/LazyRoot.php(281): OC\\\\Files\\\\Node\\\\LazyRoot->__call('getUserFolder', Array)\\n#2 \\\/home\\\/owncloud\\\/www\\\/owncloud\\\/lib\\\/private\\\/Share20\\\/Share.php(168): OC\\\\Files\\\\Node\\\\LazyRoot->getUserFolder('F8679E05-951C-4...')\\n#3 \\\/home\\\/owncloud\\\/www\\\/owncloud\\\/apps\\\/files_sharing\\\/lib\\\/Controllers\\\/ShareController.php(260): OC\\\\Share20\\\\Share->getNode()\\n#4 \\\/home\\\/owncloud\\\/www\\\/owncloud\\\/apps\\\/files_sharing\\\/lib\\\/Controllers\\\/ShareController.php(291): OCA\\\\Files_Sharing\\\\Controllers\\\\ShareController->validateShare(Object(OC\\\\Share20\\\\Share))\\n#5 \\\/home\\\/owncloud\\\/www\\\/owncloud\\\/lib\\\/private\\\/AppFramework\\\/Http\\\/Dispatcher.php(153): OCA\\\\Files_Sharing\\\\Controllers\\\\ShareController->showShare('ud91g2eT3KaeeL7', '')\\n#6 \\\/home\\\/owncloud\\\/www\\\/owncloud\\\/lib\\\/private\\\/AppFramework\\\/Http\\\/Dispatcher.php(85): OC\\\\AppFramework\\\\Http\\\\Dispatcher->executeController(Object(OCA\\\\Files_Sharing\\\\Controllers\\\\ShareController), 'showShare')\\n#7 \\\/home\\\/owncloud\\\/www\\\/owncloud\\\/lib\\\/private\\\/AppFramework\\\/App.php(100): OC\\\\AppFramework\\\\Http\\\\Dispatcher->dispatch(Object(OCA\\\\Files_Sharing\\\\Controllers\\\\ShareController), 'showShare')\\n#8 \\\/home\\\/owncloud\\\/www\\\/owncloud\\\/lib\\\/public\\\/AppFramework\\\/App.php(132): OC\\\\AppFramework\\\\App::main('ShareController', 'showShare', Object(OC\\\\AppFramework\\\\DependencyInjection\\\\DIContainer))\\n#9 \\\/home\\\/owncloud\\\/www\\\/owncloud\\\/core\\\/routes.php(90): OCP\\\\AppFramework\\\\App->dispatch('ShareController', 'showShare')\\n#10 \\\/home\\\/owncloud\\\/www\\\/owncloud\\\/lib\\\/private\\\/Route\\\/Router.php(342): OC\\\\Route\\\\Router->{closure}(Array)\\n#11 \\\/home\\\/owncloud\\\/www\\\/owncloud\\\/lib\\\/base.php(911): OC\\\\Route\\\\Router->match('\\\/s\\\/ud91g2eT3Kae...')\\n#12 \\\/home\\\/owncloud\\\/www\\\/owncloud\\\/index.php(54): OC::handleRequest()\\n#13 {main}\",\"File\":\"\\\/home\\\/owncloud\\\/www\\\/owncloud\\\/lib\\\/private\\\/Files\\\/Node\\\/Root.php\",\"Line\":351}"}
{"reqId":"71c4b740-ce6c-4fca-8a74-a8fd7e497e37","level":2,"time":"2019-10-15T09:38:00+00:00","remoteAddr":"193.203.108.17","user":"alexandre.schmitt","app":"no app in context","method":"GET","url":"\/remote.php\/dav\/avatars\/alexandre.schmitt\/128.png","message":""}
{"reqId":"EHzBnW3tE5sw7Dgn3mma","level":3,"time":"2019-10-15T09:38:10+00:00","remoteAddr":"193.176.66.82","user":"--","app":"OC\\Files\\Node\\Root","method":"GET","url":"\/index.php\/s\/ud91g2eT3KaeeL7","message":"Backends provided no user object for F8679E05-951C-4DD8-B8D9-5CC8C5EA6067"}
{"reqId":"EHzBnW3tE5sw7Dgn3mma","level":3,"time":"2019-10-15T09:38:10+00:00","remoteAddr":"193.176.66.82","user":"--","app":"index","method":"GET","url":"\/index.php\/s\/ud91g2eT3KaeeL7","message":"Exception: {\"Exception\":\"OC\\\\User\\\\NoUserException\",\"Message\":\"Backends provided no user object for F8679E05-951C-4DD8-B8D9-5CC8C5EA6067\",\"Code\":0,\"Trace\":\"#0 \\\/home\\\/owncloud\\\/www\\\/owncloud\\\/lib\\\/private\\\/Files\\\/Node\\\/LazyRoot.php(64): OC\\\\Files\\\\Node\\\\Root->getUserFolder('F8679E05-951C-4...')\\n#1 \\\/home\\\/owncloud\\\/www\\\/owncloud\\\/lib\\\/private\\\/Files\\\/Node\\\/LazyRoot.php(281): OC\\\\Files\\\\Node\\\\LazyRoot->__call('getUserFolder', Array)\\n#2 \\\/home\\\/owncloud\\\/www\\\/owncloud\\\/lib\\\/private\\\/Share20\\\/Share.php(168): OC\\\\Files\\\\Node\\\\LazyRoot->getUserFolder('F8679E05-951C-4...')\\n#3 \\\/home\\\/owncloud\\\/www\\\/owncloud\\\/apps\\\/files_sharing\\\/lib\\\/Controllers\\\/ShareController.php(260): OC\\\\Share20\\\\Share->getNode()\\n#4 \\\/home\\\/owncloud\\\/www\\\/owncloud\\\/apps\\\/files_sharing\\\/lib\\\/Controllers\\\/ShareController.php(291): OCA\\\\Files_Sharing\\\\Controllers\\\\ShareController->validateShare(Object(OC\\\\Share20\\\\Share))\\n#5 \\\/home\\\/owncloud\\\/www\\\/owncloud\\\/lib\\\/private\\\/AppFramework\\\/Http\\\/Dispatcher.php(153): OCA\\\\Files_Sharing\\\\Controllers\\\\ShareController->showShare('ud91g2eT3KaeeL7', '')\\n#6 \\\/home\\\/owncloud\\\/www\\\/owncloud\\\/lib\\\/private\\\/AppFramework\\\/Http\\\/Dispatcher.php(85): OC\\\\AppFramework\\\\Http\\\\Dispatcher->executeController(Object(OCA\\\\Files_Sharing\\\\Controllers\\\\ShareController), 'showShare')\\n#7 \\\/home\\\/owncloud\\\/www\\\/owncloud\\\/lib\\\/private\\\/AppFramework\\\/App.php(100): OC\\\\AppFramework\\\\Http\\\\Dispatcher->dispatch(Object(OCA\\\\Files_Sharing\\\\Controllers\\\\ShareController), 'showShare')\\n#8 \\\/home\\\/owncloud\\\/www\\\/owncloud\\\/lib\\\/public\\\/AppFramework\\\/App.php(132): OC\\\\AppFramework\\\\App::main('ShareController', 'showShare', Object(OC\\\\AppFramework\\\\DependencyInjection\\\\DIContainer))\\n#9 \\\/home\\\/owncloud\\\/www\\\/owncloud\\\/core\\\/routes.php(90): OCP\\\\AppFramework\\\\App->dispatch('ShareController', 'showShare')\\n#10 \\\/home\\\/owncloud\\\/www\\\/owncloud\\\/lib\\\/private\\\/Route\\\/Router.php(342): OC\\\\Route\\\\Router->{closure}(Array)\\n#11 \\\/home\\\/owncloud\\\/www\\\/owncloud\\\/lib\\\/base.php(911): OC\\\\Route\\\\Router->match('\\\/s\\\/ud91g2eT3Kae...')\\n#12 \\\/home\\\/owncloud\\\/www\\\/owncloud\\\/index.php(54): OC::handleRequest()\\n#13 {main}\",\"File\":\"\\\/home\\\/owncloud\\\/www\\\/owncloud\\\/lib\\\/private\\\/Files\\\/Node\\\/Root.php\",\"Line\":351}"}
{"reqId":"0aec2d7b-4d0d-4dbd-9ef2-897c45ff7e39","level":2,"time":"2019-10-15T09:44:38+00:00","remoteAddr":"193.203.108.17","user":"alexandre.schmitt","app":"no app in context","method":"GET","url":"\/remote.php\/dav\/avatars\/alexandre.schmitt\/128.png","message":""}
{"reqId":"8iRnPh0yPCOG73eGApmr","level":2,"time":"2019-10-15T09:46:42+00:00","remoteAddr":"193.203.108.17","user":"--","app":"core","method":"POST","url":"\/index.php\/login","message":"Login failed: 'adminCloud' (Remote IP: '193.203.108.17')"}
{"reqId":"daff9b75-9fd2-4a8e-ab57-8cd2773d0730","level":2,"time":"2019-10-15T09:50:40+00:00","remoteAddr":"193.203.108.17","user":"alexandre.schmitt","app":"no app in context","method":"GET","url":"\/remote.php\/dav\/avatars\/alexandre.schmitt\/128.png","message":""}

Browser log

Insert your browser log here, this could for example include:

a) The javascript console log
b) The network log 
c) ...
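A small triage pass over the data/owncloud.log format shown in the post above, added here as an example (not code from the post or from ownCloud): it parses the one-JSON-object-per-line log, skips unparseable lines instead of failing, and tallies the "Backends provided no user object" user ids and the "Login failed" attempts per remote IP that the log_authfailip setting records. The sample lines, reqIds, addresses and user ids are constructed.

```python
import json
import re
from collections import Counter

# Constructed sample lines in the data/owncloud.log format from the post (one JSON
# object per line); reqIds, addresses and user ids here are made up.
SAMPLE_LOG = r'''
{"reqId":"r1","level":3,"time":"2019-10-15T09:20:11+00:00","remoteAddr":"192.0.2.10","user":"--","app":"OC\\Files\\Filesystem","method":"GET","url":"\/cron.php","message":"Backends provided no user object for 11111111-2222-3333-4444-555555555555"}
{"reqId":"r2","level":3,"time":"2019-10-15T09:24:17+00:00","remoteAddr":"198.51.100.7","user":"--","app":"OC\\Files\\Node\\Root","method":"GET","url":"\/index.php\/s\/abc","message":"Backends provided no user object for 66666666-7777-8888-9999-000000000000"}
{"reqId":"r3","level":3,"time":"2019-10-15T09:35:31+00:00","remoteAddr":"198.51.100.7","user":"--","app":"OC\\Files\\Node\\Root","method":"GET","url":"\/index.php\/s\/abc","message":"Backends provided no user object for 66666666-7777-8888-9999-000000000000"}
{"reqId":"r4","level":2,"time":"2019-10-15T09:46:42+00:00","remoteAddr":"192.0.2.10","user":"--","app":"core","method":"POST","url":"\/index.php\/login","message":"Login failed: 'adminCloud' (Remote IP: '192.0.2.10')"}
{"reqId":"r5","level":2,"time":"2019-10-15T09:47:01+00:00","remoteAddr":"192.0.2.10","user":"--","app":"core","method":"POST","url":"\/index.php\/login","message":"Login failed: 'admin' (Remote IP: '192.0.2.10')"}
this line is not JSON and must be skipped rather than abort the triage
'''

NO_USER_RE = re.compile(r"Backends provided no user object for ([0-9A-Fa-f-]{36})")
LOGIN_FAIL_RE = re.compile(r"Login failed: '([^']*)' \(Remote IP: '([^']*)'\)")


def parse_owncloud_log(text):
    """Return (records, skipped): one dict per valid JSON line, plus a count of bad lines."""
    records, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            records.append(json.loads(line))
        except ValueError:
            skipped += 1
    return records, skipped


def triage(records):
    """Summarise the two message types in the posted log that are worth acting on."""
    missing_users = Counter()   # user id -> number of requests that hit it
    failed_logins = Counter()   # (remote ip, login name) -> attempts
    for rec in records:
        msg = rec.get("message", "")
        m = NO_USER_RE.search(msg)
        if m:
            missing_users[m.group(1).upper()] += 1
        m = LOGIN_FAIL_RE.search(msg)
        if m:
            failed_logins[(m.group(2), m.group(1))] += 1
    return {"missing_users": dict(missing_users), "failed_logins": dict(failed_logins)}


if __name__ == "__main__":
    recs, bad = parse_owncloud_log(SAMPLE_LOG)
    print(f"{len(recs)} records parsed, {bad} skipped")
    print(triage(recs))
```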

Hey,

this sounds to me like a false positive in the signature of the used firewall product, falsely flagging an LDAP command used during the normal operation of ownCloud as an attack trying to exploit this CVE.

I think you should contact the vendor of this firewall product and report this false positive.

Hello tom42,

Thanks for your answer, that’s what we shall do.

Best regards,
JM
