login_ldap May Grant Access to Remote Users When No Password Is Supplied
SecurityTracker Alert ID: 1006138
CVE Reference: GENERIC-MAP-NOMATCH
Date: Feb 21 2003
Impact: Host/resource access via network, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 3.2 and prior versions (prior to login_ldap.c, v 1.16)
Description: A vulnerability was reported in the 'login_ldap' authentication module for BSD (third party software for BSD). A remote user may be able to gain access to the system.
It is reported that login_ldap may grant access to remote users on systems that have enabled unauthenticated bind (via the 'allow bind_anon_cred' statement in the 'slapd.conf' file). According to the report, there are some LDAP applications that will generate an unauthenticated bind request when an authenticated access request was intended. If a remote user invokes one of these affected applications, login_ldap may grant the user access if no password is supplied. The specific impact depends on the affected application.
It is reported that in OpenLDAP 2.0.x the following operations lead to an anonymous bind by default:
- BIND with DN set but no password provided (bind_anon_dn)
- BIND with no DN but a password provided (bind_anon_cred)
- BIND with no DN and no password (bind_anon)
In OpenLDAP 2.1.x, only bind_anon remains enabled by default.
Sebastian Stark is credited with reporting this flaw.
Impact: A remote user may be granted access when no password is supplied. The specific impact depends on the LDAP application that uses login_ldap.
Solution: The vendor has released a fixed version (3.3), available at:
http://www.ifost.org.au/~peterw/login_ldap-3.3.tar.gz
MD5 (login_ldap-3.3.tar.gz) = 52e905d54a136c3d850158f4f7548a3f
Also, any specific BIND method ('<feature>') can be disabled by using the following line in the slapd.conf file:
disallow <feature>
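As an added example (not login_ldap's or OpenLDAP's code), the following C model reproduces the two sides of the issue described above and in the solution: the server-side bind policy with its 'disallow' switches and defaults as the advisory states them, and the client-side check for an empty password that version 3.3 adds. The struct and function names, and the treatment of any non-empty DN/password pair as valid credentials, are constructed for this example.

```c
#include <stddef.h>

/* Constructed model of the bind policy this advisory describes; it is not
 * login_ldap's or OpenLDAP's code. A real password check is out of scope:
 * any non-empty DN/password pair counts as valid credentials here. */

/* The three "disallow <feature>" switches from slapd.conf. */
struct bind_policy {
    int disallow_bind_anon_dn;   /* DN set, empty password   */
    int disallow_bind_anon_cred; /* empty DN, password set   */
    int disallow_bind_anon;      /* empty DN, empty password */
};

/* Defaults as stated in the advisory. */
static const struct bind_policy openldap_20_defaults = { 0, 0, 0 }; /* all anonymous */
static const struct bind_policy openldap_21_defaults = { 1, 1, 0 }; /* only bind_anon */

enum bind_result { BIND_REFUSED, BIND_ANONYMOUS, BIND_AUTHENTICATED };

/* Server side: how a simple BIND with these credentials is classified. */
static enum bind_result simple_bind(const struct bind_policy *p,
                                    const char *dn, const char *pw)
{
    int have_dn = dn != NULL && *dn != '\0';
    int have_pw = pw != NULL && *pw != '\0';

    if (have_dn && have_pw)
        return BIND_AUTHENTICATED;
    if (have_dn)                       /* bind_anon_dn */
        return p->disallow_bind_anon_dn ? BIND_REFUSED : BIND_ANONYMOUS;
    if (have_pw)                       /* bind_anon_cred */
        return p->disallow_bind_anon_cred ? BIND_REFUSED : BIND_ANONYMOUS;
    return p->disallow_bind_anon ? BIND_REFUSED : BIND_ANONYMOUS; /* bind_anon */
}

/* Client side, the flawed pattern: any BIND the server does not refuse is
 * taken as a successful login, so an empty password rides in as anonymous. */
static int login_unfixed(const struct bind_policy *p, const char *dn, const char *pw)
{
    return simple_bind(p, dn, pw) != BIND_REFUSED;
}

/* Client side, the 3.3 pattern: refuse an empty password before binding and
 * accept only a bind that actually authenticated the DN. */
static int login_fixed(const struct bind_policy *p, const char *dn, const char *pw)
{
    if (pw == NULL || *pw == '\0')
        return 0;
    return simple_bind(p, dn, pw) == BIND_AUTHENTICATED;
}
```

Against the 2.0.x defaults an empty password passes login_unfixed but not login_fixed; against the 2.1.x defaults the same bind is refused server-side, which is the 'disallow' mitigation in effect.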
Vendor URL: www.ifost.org.au/~peterw/advisory.txt
Cause: Configuration error, State error
Underlying OS: UNIX (BSD/OS), UNIX (OpenBSD)
Reported By: Peter Werner <peterw@ifost.org.au>
Message History:
None.
Source Message Contents
Date: Fri, 21 Feb 2003 09:09:36 +1100
From: Peter Werner <peterw@ifost.org.au>
Subject: login_ldap security announcement
Sebastian Stark from Directory Applications for Advanced Security and
Information Management (http://www.daasi.de) has found a serious issue
with login_ldap, affecting all versions. login_ldap is a BSD
Authentication module for authenticating users off an LDAP server, and
runs on OpenBSD and BSD/OS. It is third party software, and is not
part of OpenBSD or BSD/OS.
From http://www.openldap.org/doc/admin/security.html
"An unauthenticated bind results in an anonymous authorization.
Unauthenticated bind mechanism is disabled by default, but can
be enabled by specifying "allow bind_anon_cred" in slapd.conf(5).
As a number of LDAP applications mistakenly generate
unauthenticated bind request when authenticated access was
intended (that is, they do not ensure a password was provided),
this mechanism should generally not be enabled."
In OpenLDAP 2.0.x, the following operations lead to an anonymous bind
by default:
- BIND with DN set but no password provided (bind_anon_dn)
- BIND with no DN but a password was provided (bind_anon_cred)
- BIND with no DN and no password (bind_anon)
You can disable any of those BIND methods by putting 'disallow
<feature>' into your slapd.conf where <feature> stands for the
corresponding keyword given in parentheses above.
In OpenLDAP 2.1.x all but bind_anon are disabled by default. For an
authentication service this is probably what most people want.
login_ldap has been updated to check that a password has been provided.
It is available here: http://www.ifost.org.au/~peterw/login_ldap-3.3.tar.gz
MD5 (login_ldap-3.3.tar.gz) = 52e905d54a136c3d850158f4f7548a3f
The other main change is that it is no longer installed setuid root; please see the
README included for more information.
I would encourage other people writing LDAP applications to check their
software for this issue. Many thanks to Sebastian for his help with this
issue, work on a suitable fix and this advisory.
Peter Werner
Feb 21, 2003
--
IFOST: http://www.ifost.org.au