[gentoo-announce] [ GLSA 200507-13 ] pam_ldap and nss_ldap: Plain text authentication leak - gentoo-announce

From:	Thierry Carrez <koon@g.o>
To:	gentoo-announce@l.g.o
Cc:	bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject:	[gentoo-announce] [ GLSA 200507-13 ] pam_ldap and nss_ldap: Plain text authentication leak
Date:	Thu, 14 Jul 2005 10:17:57
Message-Id:	`42D63914.90809@gentoo.org`

1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

2

Gentoo Linux Security Advisory                           GLSA 200507-13

3

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

4

                                            http://security.gentoo.org/

5

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

6

7

  Severity: Normal

8

     Title: pam_ldap and nss_ldap: Plain text authentication leak

9

      Date: July 14, 2005

10

      Bugs: #96767

11

        ID: 200507-13

12

13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

14

15

Synopsis

16

========

17

18

pam_ldap and nss_ldap fail to restart TLS when following a referral,

19

possibly leading to credentials being sent in plain text.

20

21

Background

22

==========

23

24

pam_ldap is a Pluggable Authentication Module which allows

25

authentication against an LDAP directory. nss_ldap is a Name Service

26

Switch module which allows 'passwd', 'group' and 'host' database

27

information to be pulled from LDAP. TLS is Transport Layer Security, a

28

protocol that allows encryption of network communications.

29

30

Affected packages

31

=================

32

33

    -------------------------------------------------------------------

34

     Package            /  Vulnerable  /                    Unaffected

35

    -------------------------------------------------------------------

36

  1  sys-auth/nss_ldap      < 239-r1                         >= 239-r1

37

                                                            *>= 226-r1

38

  2  sys-auth/pam_ldap      < 178-r1                         >= 178-r1

39

    -------------------------------------------------------------------

40

     2 affected packages on all of their supported architectures.

41

    -------------------------------------------------------------------

42

43

Description

44

===========

45

46

Rob Holland of the Gentoo Security Audit Team discovered that pam_ldap

47

and nss_ldap fail to use TLS for referred connections if they are

48

referred to a master after connecting to a slave, regardless of the

49

"ssl start_tls" ldap.conf setting.

50

51

Impact

52

======

53

54

An attacker could sniff passwords or other sensitive information as the

55

communication is not encrypted.

56

57

Workaround

58

==========

59

60

pam_ldap and nss_ldap can be set to force the use of SSL instead of

61

TLS.

62

63

Resolution

64

==========

65

66

All pam_ldap users should upgrade to the latest version:

67

68

    # emerge --sync

69

    # emerge --ask --oneshot --verbose ">=sys-auth/pam_ldap-178-r1"

70

71

All nss_ldap users should upgrade to the latest version:

72

73

    # emerge --sync

74

    # emerge --ask --oneshot --verbose sys-auth/nss_ldap

75

76

References

77

==========

78

79

  [ 1 ] CAN-2005-2069

80

        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2069

81

82

Availability

83

============

84

85

This GLSA and any updates to it are available for viewing at

86

the Gentoo Security Website:

87

88

  http://security.gentoo.org/glsa/glsa-200507-13.xml

89

90

Concerns?

91

=========

92

93

Security is a primary focus of Gentoo Linux and ensuring the

94

confidentiality and security of our users machines is of utmost

95

importance to us. Any security concerns should be addressed to

96

security@g.o or alternatively, you may file a bug at

97

http://bugs.gentoo.org.

98

99

License

100

=======

101

102

Copyright 2005 Gentoo Foundation, Inc; referenced text

103

belongs to its owner(s).

104

105

The contents of this document are licensed under the

106

Creative Commons - Attribution / Share Alike license.

107

108

http://creativecommons.org/licenses/by-sa/2.0

Gentoo Archives: gentoo-announce

Attachments

1	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2	Gentoo Linux Security Advisory GLSA 200507-13
3	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4	http://security.gentoo.org/
5	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7	Severity: Normal
8	Title: pam_ldap and nss_ldap: Plain text authentication leak
9	Date: July 14, 2005
10	Bugs: #96767
11	ID: 200507-13
12
13	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15	Synopsis
16	========
17
18	pam_ldap and nss_ldap fail to restart TLS when following a referral,
19	possibly leading to credentials being sent in plain text.
20
21	Background
22	==========
23
24	pam_ldap is a Pluggable Authentication Module which allows
25	authentication against an LDAP directory. nss_ldap is a Name Service
26	Switch module which allows 'passwd', 'group' and 'host' database
27	information to be pulled from LDAP. TLS is Transport Layer Security, a
28	protocol that allows encryption of network communications.
29
30	Affected packages
31	=================
32
33	-------------------------------------------------------------------
34	Package / Vulnerable / Unaffected
35	-------------------------------------------------------------------
36	1 sys-auth/nss_ldap < 239-r1 >= 239-r1
37	*>= 226-r1
38	2 sys-auth/pam_ldap < 178-r1 >= 178-r1
39	-------------------------------------------------------------------
40	2 affected packages on all of their supported architectures.
41	-------------------------------------------------------------------
42
43	Description
44	===========
45
46	Rob Holland of the Gentoo Security Audit Team discovered that pam_ldap
47	and nss_ldap fail to use TLS for referred connections if they are
48	referred to a master after connecting to a slave, regardless of the
49	"ssl start_tls" ldap.conf setting.
50
51	Impact
52	======
53
54	An attacker could sniff passwords or other sensitive information as the
55	communication is not encrypted.
56
57	Workaround
58	==========
59
60	pam_ldap and nss_ldap can be set to force the use of SSL instead of
61	TLS.
62
63	Resolution
64	==========
65
66	All pam_ldap users should upgrade to the latest version:
67
68	# emerge --sync
69	# emerge --ask --oneshot --verbose ">=sys-auth/pam_ldap-178-r1"
70
71	All nss_ldap users should upgrade to the latest version:
72
73	# emerge --sync
74	# emerge --ask --oneshot --verbose sys-auth/nss_ldap
75
76	References
77	==========
78
79	[ 1 ] CAN-2005-2069
80	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2069
81
82	Availability
83	============
84
85	This GLSA and any updates to it are available for viewing at
86	the Gentoo Security Website:
87
88	http://security.gentoo.org/glsa/glsa-200507-13.xml
89
90	Concerns?
91	=========
92
93	Security is a primary focus of Gentoo Linux and ensuring the
94	confidentiality and security of our users machines is of utmost
95	importance to us. Any security concerns should be addressed to
96	security@g.o or alternatively, you may file a bug at
97	http://bugs.gentoo.org.
98
99	License
100	=======
101
102	Copyright 2005 Gentoo Foundation, Inc; referenced text
103	belongs to its owner(s).
104
105	The contents of this document are licensed under the
106	Creative Commons - Attribution / Share Alike license.
107
108	http://creativecommons.org/licenses/by-sa/2.0