Gentoo Archives: gentoo-dev

From: Ben Lutgens <blutgens@×××××××.com>
To: gentoo-dev@g.o
Subject: [gentoo-dev] Sec Advisory for the old openldap packages in portage.
Date: Tue, 17 Jul 2001 09:20:54
Message-Id: 20010717102019.A16777@minime.sistina.com
Please see the attached advisory.

Since we have openldap-2.0.11 in portage I recommend that we remove the
older one based upon answers to the following questions.

1.) does the openldap-2.0.11 package compile and work o.k.?
2.) Is there a valid reason for leaving the older ebuilds in the tree?
3.) Does anyone care?

I'll wait for this thread to progress before removing / modifying the
net-nds/openldap/ directory in portage.

-----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-2001-18 Multiple Vulnerabilities in Several
Implementations of the Lightweight Directory Access Protocol (LDAP)

Original release date: July 16, 2001
Last revised: --
Source: CERT/CC

A complete revision history can be found at the end of this file.

Systems Affected

* iPlanet Directory Server, version 5.0 Beta and versions up to and
  including 4.13
* Certain versions of IBM SecureWay running under Solaris and
  Windows 2000
* Lotus Domino R5 Servers (Enterprise, Application, and Mail),
  prior to 5.0.7a
* Teamware Office for Windows NT and Solaris, prior to version
  5.3ed1
* Qualcomm Eudora WorldMail for Windows NT, version 2
* Microsoft Exchange 5.5 LDAP Service (Hotfix pending)
* Network Associates PGP Keyserver 7.0, prior to Hotfix 2
* Oracle 8i Enterprise Edition
* OpenLDAP, 1.x prior to 1.2.12 and 2.x prior to 2.0.8

Overview

Several implementations of the Lightweight Directory Access Protocol
(LDAP) protocol contain vulnerabilities that may allow
denial-of-service attacks, unauthorized privileged access, or both. If
your site uses any of the products listed in this advisory, the CERT/CC
encourages you to follow the advice provided in the Solution section
below.

I. Description

The LDAP protocol provides access to directories that support the X.500
directory semantics without requiring the additional resources of
X.500. A directory is a collection of information such as names,
addresses, access control lists, and cryptographic certificates.
Because LDAP servers are widely used in maintaining corporate contact
information and providing authentication services, any threats to their
integrity or stability can jeopardize the security of an organization.

To test the security of protocols like LDAP, the PROTOS project
presents a server with a wide variety of sample packets containing
unexpected values or illegally formatted data. This approach may reveal
vulnerabilities that would not manifest themselves under normal
conditions. As a member of the PROTOS project consortium, the Oulu
University Secure Programming Group (OUSPG) co-developed and
subsequently used the PROTOS LDAPv3 test suite to study several
implementations of the LDAP protocol.

The PROTOS LDAPv3 test suite is divided into two main sections: the
"Encoding" section, which tests an LDAP server's response to packets
that violate the Basic Encoding Rules (BER), and the "Application"
section, which tests an LDAP server's response to packets that trigger
LDAP-specific application anomalies. Each section is further divided
into "groups" that collectively exercise a particular encoding or
application feature. Finally, each group contains one or more "test
cases," which represent the network packets that are used to test
individual exceptional conditions.

By applying the PROTOS LDAPv3 test suite to a variety of popular
LDAP-enabled products, the OUSPG revealed the following
vulnerabilities:

VU#276944 - iPlanet Directory Server contains multiple vulnerabilities
in LDAP handling code

The iPlanet Directory Server contains multiple vulnerabilities in
the code that processes LDAP requests.

In the encoding section of the test suite, this product had an
indeterminate number of failures in the group that tests invalid
BER length of length fields.

In the application section of the test suite, this product failed
four groups and had inconclusive results for an additional five
groups. The four failed groups indicate the presence of buffer
overflow vulnerabilities. For the inconclusive groups, the product
exhibited suspicious behavior while testing for format string
vulnerabilities.

VU#505564 - IBM SecureWay Directory is vulnerable to denial-of-service
attacks via LDAP handling code

The IBM SecureWay Directory server contains one or more
vulnerabilities in the code that processes LDAP requests. These
vulnerabilities were discovered independently by IBM using the
PROTOS LDAPv3 test suite. The CERT/CC is not currently aware of the
nature of these vulnerabilities.

VU#583184 - Lotus Domino R5 Server Family contains multiple
vulnerabilities in LDAP handling code

The Lotus Domino R5 Server Family (including the Enterprise,
Application, and Mail servers) contains multiple vulnerabilities in
the code that processes LDAP requests.

In the encoding section of the test suite, this product failed 1 of
77 groups. The failed group tests a server's response to
miscellaneous packets with semi-valid BER encodings.

In the application section of the test suite, this product failed
23 of 77 groups. These results suggest that both buffer overflow
and format string vulnerabilities are likely to be present in a
variety of application components.

VU#688960 - Teamware Office contains multiple vulnerabilities in LDAP
handling code

The Teamware Office suite is packaged with a combination X.500/LDAP
server that provides directory services. Multiple versions of the
Office product contain vulnerabilities that cause the LDAP server
to crash in response to traffic sent by the PROTOS LDAPv3 test
suite.

In the encoding section of the test suite, this product failed 9 of
16 groups involving invalid encodings for several BER object types.

In the application section of the test suite, this product failed 4
of 32 groups. The remaining 45 groups were not exercised during the
test runs. The four failed groups indicate the presence of buffer
overflow vulnerabilities.

VU#717380 - Potential vulnerabilities in Qualcomm Eudora WorldMail
Server LDAP handling code

While investigating the vulnerabilities reported by OUSPG, it was
brought to our attention that the Eudora WorldMail Server may
contain vulnerabilities that can be triggered via the PROTOS test
suite. The CERT/CC has reported this possibility to Qualcomm and an
investigation is pending.

VU#763400 - Microsoft Exchange 5.5 LDAP Service is vulnerable to
denial-of-service attacks

The Microsoft Exchange 5.5 LDAP Service contains a vulnerability
that causes the LDAP server to freeze in response to malformed LDAP
requests generated by the PROTOS test suite. This only affects the
LDAP service; all other Exchange services, including mail handling,
continue normally.

Although this product was not included in OUSPG's initial testing,
subsequent informal testing revealed that the LDAP service of the
Microsoft Exchange 5.5 became unresponsive while processing test
cases containing exceptional BER encodings for the LDAP filter type
field.

VU#765256 - Network Associates PGP Keyserver contains multiple
vulnerabilities in LDAP handling code

The Network Associates PGP Keyserver 7.0 contains multiple
vulnerabilities in the code that processes LDAP requests.

In the encoding section of the test suite, this product failed 12
of 16 groups.

In the application section of the test suite, this product failed 1
of 77 groups. The failed group focused on out-of-bounds integer
values for the messageID parameter. Due to a peculiarity of this
test group, this failure may actually represent an encoding
failure.

VU#869184 - Oracle 8i Enterprise Edition contains multiple
vulnerabilities in LDAP handling code

The Oracle 8i Enterprise Edition server contains multiple
vulnerabilities in the code used to process LDAP requests.

In the encoding section of the test suite, this product failed an
indeterminate number of test cases in the group that tests a
server's response to invalid encodings of BER OBJECT-IDENTIFIER
values.

In the application section of the test suite, this product failed
46 of 77 groups. These results suggest that both buffer overflow
and format string vulnerabilities are likely to be present in a
variety of application components.

VU#935800 - Multiple versions of OpenLDAP are vulnerable to
denial-of-service attacks

There are multiple vulnerabilities in the OpenLDAP implementations
of the LDAP protocol. These vulnerabilities exist in the code that
translates network datagrams into application-specific information.

In the encoding section of the test suite, this product failed the
group that tests the handling of invalid BER length of length
fields.

In the application section of the test suite, this product passed
all 6685 test cases.

Additional Information

For the most up-to-date information regarding these vulnerabilities,
please visit the CERT/CC Vulnerability Notes Database at:

http://www.kb.cert.org/vuls/

Please note that the test results summarized above should not be
interpreted as a statement of overall software quality. However, the
CERT/CC does believe that these results are useful in describing the
characteristics of these vulnerabilities. For example, an application
that fails multiple groups indicates that problems exist in different
areas of the code, rather than in a specific code segment.

II. Impact

VU#276944 - iPlanet Directory Server contains multiple vulnerabilities
in LDAP handling code

One or more of these vulnerabilities allow a remote attacker to
execute arbitrary code with the privileges of the Directory Server.
The server typically runs with system privileges. At least one of
these vulnerabilities has been successfully exploited in a
laboratory environment under Windows NT 4.0, but they may affect
other platforms as well.

VU#505564 - IBM SecureWay Directory is vulnerable to denial-of-service
attacks via LDAP handling code

These vulnerabilities allow a remote attacker to crash affected
SecureWay Directory servers, resulting in a denial-of-service
condition. It is not known at this time whether these
vulnerabilities will allow a remote attacker to execute arbitrary
code. These vulnerabilities exist on the Solaris and Windows 2000
platforms but are not present under Windows NT, AIX, and AIX with
SSL.

VU#583184 - Lotus Domino R5 Server Family contains multiple
vulnerabilities in LDAP handling code

One or more of these vulnerabilities allow a remote attacker to
execute arbitrary code with the privileges of the Domino server.
The server typically runs with system privileges. At least one of
these vulnerabilities has been successfully exploited in a
laboratory environment.

VU#688960 - Teamware Office contains multiple vulnerabilities in LDAP
handling code

These vulnerabilities allow a remote attacker to crash affected
Teamware LDAP servers, resulting in a denial-of-service condition.
They may also allow a remote attacker to execute arbitrary code
with the privileges of the Teamware server. The server typically
runs with system privileges.

VU#717380 - Potential vulnerabilities in Qualcomm Eudora WorldMail
Server LDAP handling code

The CERT/CC has not yet determined the impact of this vulnerability.

VU#763400 - Microsoft Exchange 5.5 LDAP Service is vulnerable to
denial-of-service attacks

This vulnerability allows a remote attacker to crash the LDAP
component of vulnerable Exchange 5.5 servers, resulting in a
denial-of-service condition within the LDAP component.

VU#765256 - Network Associates PGP Keyserver contains multiple
vulnerabilities in LDAP handling code

One or more of these vulnerabilities allow a remote attacker to
execute arbitrary code with the privileges of the Keyserver. The
server typically runs with system privileges. At least one of these
vulnerabilities has been successfully exploited in a laboratory
environment.

VU#869184 - Oracle 8i Enterprise Edition contains multiple
vulnerabilities in LDAP handling code

One or more of these vulnerabilities allow a remote attacker to
execute arbitrary code with the privileges of the Oracle server.
The server typically runs with system privileges. At least one of
these vulnerabilities has been successfully exploited in a
laboratory environment.

VU#935800 - Multiple versions of OpenLDAP are vulnerable to
denial-of-service attacks

These vulnerabilities allow a remote attacker to crash affected
OpenLDAP servers, resulting in a denial-of-service condition.

III. Solution

Apply a patch from your vendor

Appendix A contains information provided by vendors for this advisory.
Please consult this appendix to determine if you need to contact your
vendor directly.

Block access to directory services at network perimeter

As a temporary measure, it is possible to limit the scope of these
vulnerabilities by blocking access to directory services at the
network perimeter. Please note that this workaround does not protect
vulnerable products from internal attacks.

    ldap     389/tcp    # Lightweight Directory Access Protocol
    ldap     389/udp    # Lightweight Directory Access Protocol
    ldaps    636/tcp    # ldap protocol over TLS/SSL (was sldap)
    ldaps    636/udp    # ldap protocol over TLS/SSL (was sldap)

Appendix A. - Vendor Information

This appendix contains information provided by vendors for this
advisory. As vendors report new information to the CERT/CC, we will
update this section and note the changes in our revision history. If a
particular vendor is not listed below, we have not received their
comments.

IBM Corporation

IBM and Tivoli are currently investigating the details of the
vulnerabilities in the various versions of the SecureWay product
family.

Fixes are being implemented as these details become known.

Fixes will be posted to the download sites (IBM or Tivoli) for the
affected platform. See http://www-1.ibm.com/support under "Server
Downloads" or "Software Downloads" for links to the fix distribution
sites.

iPlanet E-Commerce Solutions

[CERT/CC Addendum: These vulnerabilities were originally discovered in
Directory Server 5.0 Beta and were later found to exist in versions up
to and including version 4.13. These vulnerabilities have been
addressed in the released version of Directory Server 5.0.]

Lotus Development Corporation

Lotus reproduced the problem as reported by OUSPG and documented it in
SPR#DWUU4W6NC8.

Lotus considers security issues as top priority, so we acted quickly
to resolve the problem in a maintenance update to Domino. It was
addressed in Domino R5.0.7a, which was released on May 18th, 2001.
This release can be downloaded from Notes.net at

http://www.notes.net/qmrdown.nsf/qmrwelcome.

The fix is documented in the fix list at

http://www.notes.net/r5fixlist.nsf/Search!SearchView&Query=DWUU4W6NC8

Microsoft Corporation

Microsoft is developing a hotfix for this issue which will be
available shortly.

Customers can obtain this hotfix by contacting Product Support
Services at no charge and asking for Q303448 and Q303450. Information
on contacting Microsoft Product Support Services can be found at

http://www.microsoft.com/support/

Network Associates, Inc.

Network Associates has resolved these vulnerabilities in Hotfix 2 for
both Solaris and Windows NT. All Network Associates Enterprise Support
customers have been notified and have been provided access to the
Hotfix.

This Hotfix can be downloaded at

http://www.pgp.com/downloads/default.asp

The OpenLDAP Project

[CERT/CC Addendum: To address these vulnerabilities, the OpenLDAP
Project has released OpenLDAP 1.2.12 for use in LDAPv2 environments
and OpenLDAP 2.0.8 for use in LDAPv3 environments. The CERT/CC
recommends that users of OpenLDAP contact their software vendor or
obtain the latest version, available at
http://www.openLDAP.org/software/download/.]

QUALCOMM Incorporated

The LDAP service in WorldMail may be vulnerable to this exploit, but
our tests so far have been inconclusive. At this time, we strongly
urge all WorldMail customers to ensure that the LDAP service is not
accessible from outside their organization nor by untrusted users.

The Teamware Group

An issue has been discovered with Teamware Office Enterprise Directory
(LDAP server) that shows an abnormal termination or loop when the LDAP
server encounters maliciously or incorrectly created LDAP request
data.

If the maliciously formatted LDAP request data is requested, the LDAP
server may excessively copy the LDAP request data to the stack area.

This overflow is likely to cause execution of malicious code. In other
cases, the LDAP server may go into abnormal termination or infinite
loop.

[CERT/CC Addendum: Teamware has provided additional documentation of
these issues in their "Teamware Solution Database," available at
http://support.teamw.com/Online/s_database1.shtml. Registered users
can find information on these vulnerabilities by searching for
document #010703-0000 for Windows NT or document #010703-0001 for
Solaris.]

Appendix B. - Supplemental Information

The PROTOS Project

The PROTOS project is a research partnership between the University of
Oulu and VTT Electronics, an independent research organization owned
by the Finnish government. The project studies methods by which
protocol implementations can be tested for information security
defects.

Although the vulnerabilities discussed in this advisory relate
specifically to the LDAP protocol, the methodology used to research,
develop, and deploy the PROTOS LDAPv3 test suite can be applied to any
communications protocol.

For more information on the PROTOS project and its collection of test
suites, please visit

http://www.ee.oulu.fi/research/ouspg/protos/

ASN.1 and the BER

Abstract Syntax Notation One (ASN.1) is a flexible notation that
allows one to define a variety of data types. The Basic Encoding Rules
(BER) describe how to represent or encode the values of each ASN.1
type as a string of octets. This allows programmers to encode and
decode data for platform-independent transmission over a network.
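
The encoding-section failures listed above (the "invalid BER length of length" group that tripped OpenLDAP and iPlanet, and the stack copy Teamware describes) all come down to how a decoder treats the long-form length octet. The C decoder below is an added example written for this page, not code from OpenLDAP, the PROTOS suite or any vendor; it bounds the length-of-length before reading it, rejects the indefinite form that LDAP does not permit, and checks the declared length against the bytes actually held, exercised on constructed sample packets.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Outcome of decoding one BER tag-length header. */
enum ber_status {
    BER_OK = 0,
    BER_ERR_TRUNCATED,   /* header or declared value runs past the end of the buffer */
    BER_ERR_INDEFINITE,  /* 0x80 indefinite form; LDAP (RFC 2251 section 5.1) uses only definite lengths */
    BER_ERR_LENLEN       /* length-of-length count is reserved (0xFF) or larger than we accept */
};

struct ber_tlv {
    uint8_t        tag;
    size_t         hdr_len;  /* octets used by tag + length */
    size_t         len;      /* declared length of the value */
    const uint8_t *value;    /* points into the caller's buffer, never past buf + n */
};

/* Largest length-of-length honoured: 4 octets already describe 4 GiB, beyond any real LDAP PDU. */
#define BER_MAX_LENLEN 4u

/* Decode the header at buf[0..n). Every read is bounds-checked before it happens, and the
 * declared length is compared with the bytes actually present before a caller copies anything. */
enum ber_status ber_decode_tlv(const uint8_t *buf, size_t n, struct ber_tlv *out)
{
    if (n < 2) return BER_ERR_TRUNCATED;          /* need at least tag + first length octet */
    uint8_t first = buf[1];
    size_t pos = 2;
    uint32_t len;
    if (first < 0x80) {
        len = first;                               /* short form: the octet is the length */
    } else if (first == 0x80) {
        return BER_ERR_INDEFINITE;
    } else if (first == 0xFF) {
        return BER_ERR_LENLEN;                     /* reserved by X.690 */
    } else {
        size_t lenlen = first & 0x7Fu;             /* long form: the "length of length" */
        if (lenlen > BER_MAX_LENLEN) return BER_ERR_LENLEN;   /* bound it before reading it */
        if (n - pos < lenlen) return BER_ERR_TRUNCATED;       /* length octets must be present */
        len = 0;
        for (size_t i = 0; i < lenlen; i++)
            len = (len << 8) | buf[pos + i];       /* at most 4 octets, so no overflow */
        pos += lenlen;                             /* BER permits a non-minimal long form (0x81 0x05), so it is accepted */
    }
    if (len > n - pos) return BER_ERR_TRUNCATED;   /* the value must fit in what we hold */
    out->tag = buf[0];
    out->hdr_len = pos;
    out->len = len;
    out->value = buf + pos;
    return BER_OK;
}

/* Convenience wrapper that returns only the status. */
enum ber_status ber_check(const uint8_t *buf, size_t n)
{
    struct ber_tlv t;
    return ber_decode_tlv(buf, n, &t);
}

/* Constructed samples (not captured traffic): a SEQUENCE holding INTEGER 1 and an empty OCTET
 * STRING, encoded correctly, then the kinds of malformed length field the advisory describes. */
static const uint8_t pkt_ok[]         = { 0x30, 0x05, 0x02, 0x01, 0x01, 0x04, 0x00 };
static const uint8_t pkt_longform[]   = { 0x30, 0x81, 0x05, 0x02, 0x01, 0x01, 0x04, 0x00 };
static const uint8_t pkt_huge[]       = { 0x30, 0x84, 0xFF, 0xFF, 0xFF, 0xFF, 0x02 }; /* claims 4 GiB */
static const uint8_t pkt_lenlen[]     = { 0x30, 0x89, 0x01 };                         /* 9 length octets */
static const uint8_t pkt_indefinite[] = { 0x30, 0x80, 0x00, 0x00 };
static const uint8_t pkt_cut[]        = { 0x30, 0x82, 0x01 };                         /* header itself cut short */

int main(void)
{
    static const char *names[] = { "OK", "TRUNCATED", "INDEFINITE", "LENLEN" };
    printf("ok=%s longform=%s huge=%s\n", names[ber_check(pkt_ok, sizeof pkt_ok)],
           names[ber_check(pkt_longform, sizeof pkt_longform)], names[ber_check(pkt_huge, sizeof pkt_huge)]);
    printf("lenlen=%s indefinite=%s cut=%s\n", names[ber_check(pkt_lenlen, sizeof pkt_lenlen)],
           names[ber_check(pkt_indefinite, sizeof pkt_indefinite)], names[ber_check(pkt_cut, sizeof pkt_cut)]);
    return 0;
}
```

A decoder that instead trusts the declared length, or reads lenlen octets without first checking that they exist, is exactly what the PROTOS encoding groups are built to catch.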
505
References

The following is a list of URLs referenced in this advisory as well as
other useful sources of information:

http://www.cert.org/advisories/CA-2001-18.html
http://www.ietf.org/rfc/rfc2116.txt
http://www.ietf.org/rfc/rfc2251.txt
http://www.ietf.org/rfc/rfc2252.txt
http://www.ietf.org/rfc/rfc2253.txt
http://www.ietf.org/rfc/rfc2254.txt
http://www.ietf.org/rfc/rfc2255.txt
http://www.ietf.org/rfc/rfc2256.txt
http://www.ee.oulu.fi/research/ouspg/protos/
http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/ldapv3/
http://www.kb.cert.org/vuls/
http://www.kb.cert.org/vuls/id/276944
http://www.kb.cert.org/vuls/id/505564
http://www.kb.cert.org/vuls/id/583184
http://www.kb.cert.org/vuls/id/688960
http://www.kb.cert.org/vuls/id/717380
http://www.kb.cert.org/vuls/id/763400
http://www.kb.cert.org/vuls/id/765256
http://www.kb.cert.org/vuls/id/869184
http://www.kb.cert.org/vuls/id/935800
_________________________________________________________________

The CERT Coordination Center thanks the Oulu University Secure
Programming Group for reporting these vulnerabilities to us, for their
detailed technical analyses, and for their assistance in preparing
this advisory. We also thank the many vendors who provided feedback
regarding their respective vulnerabilities.
_________________________________________________________________

Authors: Jeffrey P. Lanza and Cory F. Cohen. Feedback on this advisory
is greatly appreciated.

______________________________________________________________________

This document is available from:
http://www.cert.org/advisories/CA-2001-18.html

______________________________________________________________________

CERT/CC Contact Information

Email: cert@××××.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

CERT personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4)
Monday through Friday; they are on call for emergencies during other
hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from

http://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more
information.

Getting security information

CERT publications and other security information are available from
our web site

http://www.cert.org/

To subscribe to the CERT mailing list for advisories and bulletins,
send email to majordomo@××××.org. Please include in the body of your
message

subscribe cert-advisory

* "CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office.

______________________________________________________________________

NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.
_________________________________________________________________

Conditions for use, disclaimers, and sponsorship information

Copyright 2001 Carnegie Mellon University.

Revision History
Jul 16, 2001: Initial release

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv

-----END PGP SIGNATURE-----

----- End forwarded message -----

--
Ben Lutgens
Sistina Software Inc.
Kernel panic: I have no root and I want to scream
