LDAP TLS information disclosure

ldap-tls-information-disclosure (21245)

Medium Risk

Description:

The LDAP (Lightweight Directory Access Protocol) Server could disclose sensitive information caused by a vulnerability when restarting TLS. pam_ldap and nss_ldap fail to restart TLS when using referred connections which could send credentials in plaintext when pam_ldap and nss_ldap are attempting to rebind. A remote attacker could exploit this vulnerability to obtain sensitive information.

Platforms Affected:

• Canonical, Ubuntu 4.10
• Canonical, Ubuntu 5.04
• Debian, Debian Linux 3.1
• Gentoo, Linux
• IETF, LDAP
• MandrakeSoft, Mandrake Linux 10.0 AMD64
• MandrakeSoft, Mandrake Linux 10.0
• MandrakeSoft, Mandrake Linux 10.1
• MandrakeSoft, Mandrake Linux 10.1 X86_64
• MandrakeSoft, Mandrake Linux LE2005 X86_64
• MandrakeSoft, Mandrake Linux LE2005
• MandrakeSoft, Mandrake Linux Corporate Server 2.1
• MandrakeSoft, Mandrake Linux Corporate Server 2.1 X86_64
• MandrakeSoft, Mandrake Linux Corporate Server 3.0 X86_64
• MandrakeSoft, Mandrake Linux Corporate Server 3.0
• MandrakeSoft, Mandrake Multi Network Firewall 2.0
• RedHat, Enterprise Linux 2.1 WS
• RedHat, Enterprise Linux 2.1 ES
• RedHat, Enterprise Linux 2.1 AS
• RedHat, Enterprise Linux 3 Desktop
• RedHat, Enterprise Linux 3 AS
• RedHat, Enterprise Linux 3 WS
• RedHat, Enterprise Linux 3 ES
• RedHat, Enterprise Linux 4 AS
• RedHat, Enterprise Linux 4 ES
• RedHat, Enterprise Linux 4 WS
• RedHat, Enterprise Linux 4 Desktop
• RedHat, Linux Advanced Workstation 2.1 Itanium
• Turbolinux, Turbolinux 10 Desktop
• Turbolinux, Turbolinux 10 F...
• Turbolinux, Turbolinux 10 Server
• Turbolinux, Turbolinux 7 Server
• Turbolinux, Turbolinux 7 Workstation
• Turbolinux, Turbolinux 8 Server
• Turbolinux, Turbolinux 8 Workstation
• Turbolinux, Turbolinux Home
• Turbolinux, Turbolinux Multimedia
• Turbolinux, Turbolinux Personal
• Turbolinux, Turbolinux Appliance Server 1.0 Hosting Ed
• Turbolinux, Turbolinux Appliance Server 1.0 Workgroup Ed

Remedy:

For Gentoo Linux:
Upgrade to the latest version of pam_ldap (178-r1 or later), as listed in Gentoo Linus Security Announcement GLSA 200507-13. See References.

For Red Hat Linux:
Refer to RHSA-2005:767-8 or RHSA-2005:751-23 for patch, upgrade, or suggested workaround information. See References.

For Ubuntu Linux:
Refer to USN-152-1 for patch, upgrade or suggested workaround information. See References

For other distributions:
Contact your vendor for upgrade or patch information.

Consequences:

Obtain Information

References:

• BugTraq Mailing List, Mon Jul 04 2005 - 14:06:15 CDT, pam_ldap/nss_ldap password leak in a master+slave+start_tls LDAP setup at http://archives.neohapsis.com/archives/bugtraq/2005-07/0023.html.
• Full-disclosure Mailing List, Thu Jul 21 2005 - 09:12:21 CDT, PAM/NSS LDAP vulnerabilitiy at http://archives.neohapsis.com/archives/fulldisclosure/2005-07/0500.html.
• Internet FAQ Archives Web site, RFC 1777 (rfc1777) - Lightweight Directory Access Protocol at http://www.faqs.org/rfcs/rfc1777.html.
• ASA-2006-157: openldap and nss_ldap security update
• BID-14125: OpenLDAP TLS Plaintext Password Vulnerability
• BID-14126: PADL Software PAM_LDAP TLS Plaintext Password Vulnerability
• CVE-2005-2069: pam_ldap and nss_ldap, when used with OpenLDAP and connecting to a slave using TLS, does not use TLS for the subsequent connection if the client is referred to a master, which may cause a password to be sent in cleartext and allows remote attackers to sniff the password.
• DSA-785: libpam-ldap -- authentication bypass
• GLSA-200507-13: pam_ldap and nss_ldap: Plain text authentication leak
• MDKSA-2005:121: Updated nss_ldap/pam_ldap packages fix vulnerabilities
• RHSA-2005-751: openldap and nss_ldap security update
• RHSA-2005-767: openldap and nss_ldap security update
• SA21520: Avaya Products Multiple Vulnerabilities
• SUSE-SR:2005:020: SUSE Security Summary Report

Reported:

Jul 04, 2005

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page