Red Hat Directory and Certificate Server Management Console buffer overflow
| redhat-directory-admin-bo (24311) |  High Risk |
Description:
Multiple vendors including the Red Hat Directory Server and Red Hat Certificate Server (formerly known as Netscape Directory and Certificate Server) are vulnerable to a stack-based buffer overflow in the help.cgi script in the HTTP administrative interface. By sending a specially-crafted HTTP request to the Admin pages of the Management Console, a remote attacker could overflow a buffer and cause the Admin server to crash. A local attacker could exploit this vulnerability to gain root privileges on Unix-based systems.
Note: This vulnerability also affects Sun Java System Directory Server, Sun ONE Directory Server and Sun ONE Administration Server.
*CVSS:
| Base Score: | 7 |
| Access Vector: | Remote |
| Access Complexity: | Low |
| Authentication: | Not Required |
| Confidentiality Impact: | Partial |
| Integrity Impact: | Partial |
| Availability Impact: | Partial |
| Temporal Score: | 5.2 |
| Exploitability: | Unproven |
| Remediation Level: | Official-Fix |
| Report Confidence: | Confirmed |
Consequences:
Gain Access
Remedy:
For Red Hat Directory Server:
Upgrade to the latest version of Red Hat Directory Server (7.1 SP1 or later), available from the Red Hat Network. See References.
For Red Hat Certificate Server:
Upgrade to the latest version of Red Hat Certificate Server (7.1 SP1 or later), when it becomes available from the Red Hat Network. See References.
For Solaris:
Refer to Sun Alert: 228419 for patch, upgrade or suggested workaround information. See References.
References:
- BugTraq Mailing List, Sun Jan 22 2006 - 07:13:09 CST: High Risk Vulnerability in Red Hat Directory Server and Red Hat Certificate Server.
- Red Hat Web site: Red Hat Directory Server 7.1 SP1 Release Notes.
- Sun Alert: 228419: Security Vulnerability in the Sun ONE and Sun Java System Directory Server's and the Sun Java System Directory Proxy Server's HTTP Administrative Interface.
- BID-15013: Sun ONE Directory Server Unspecified Remote Arbitrary Command Execution Vulnerability
- BID-16345: Red Hat Directory Server / Certificate Server Management Console Buffer Overflow Vulnerability
- CVE-2005-3269: Stack-based buffer overflow in help.cgi in the HTTP administrative interface for (1) Sun Java System Directory Server 5.2 2003Q4, 2004Q2, and 2005Q1, (2) Red Hat Directory Server and (3) Certificate Server before 7.1 SP1, (4) Sun ONE Directory Server 5.1 SP4 and earlier, and (5) Sun ONE Administration Server 5.2 allows remote attackers to cause a denial of service (admin server crash), or local users to gain root privileges.
- SA17092: Sun Java System Directory Server HTTP Admin Interface Unspecified Vulnerability
- SA18590: Red Hat Directory Server / Certificate Server Buffer Overflow
- SECTRACK ID: 1015014: Sun Directory Server Unspecified Bug Lets Remote Users Compromise the System
- SECTRACK ID: 1015536: Red Hat Directory Server Buffer Overflow in Help System May Let Remote Users Execute Arbitrary Code
- SECTRACK ID: 1015537: Sun Directory Server Buffer Overflow in Help System May Let Remote Users Execute Arbitrary Code
- SECTRACK ID: 1015538: Red Hat Certificate Server Buffer Overflow in Help System May Let Remote Users Execute Arbitrary Code
- VUPEN/ADV-2005-1988: Sun Java System Directory Server Unspecified Remote Vulnerability
Platforms Affected:
- HP HP-UX 11i
- Netscape Certificate Server
- Netscape Directory Server
- RedHat Certificate Server 7.1
- RedHat Directory Server 7.1
- RedHat Enterprise Linux 3
- RedHat Enterprise Linux 4
- Sun Java System Directory Proxy Server 5.2
- Sun Java System Directory Server 5.2
- Sun ONE Administration Server 5.2
- Sun ONE Directory Server 5.1
- Sun Solaris 9
Reported:
Jan 22, 2006
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net
* According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall IBM be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.