Date: 17 July 2001
References: ESB-2001.335 ESB-2001.343 ESB-2001.499 ESB-2003.0173
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
AA-2001.04 AUSCERT Advisory
Multiple LDAP Vulnerabilities
17 July 2001
Last Revised: --
- ---------------------------------------------------------------------------
AusCERT has received information that multiple vulnerabilities exist in
several vendor implementations of LDAP (Lightweight Directory Access
Protocol).
These vulnerabilities may allow denial-of-service attacks, or permit the
remote execution of arbitrary code and/or commands that may lead to a root
compromise.
AusCERT encourages sites that use any of the products mentioned in this
advisory to take the steps outlined in section 3 as soon as possible.
This advisory will be updated as more information becomes available.
- ---------------------------------------------------------------------------
1. Description
The Lightweight Directory Access Protocol (LDAP) provides low-overhead
access to directories that support the X.500 model. A directory is a
collection of information such as names, addresses, access control
lists, and cryptographic certificates. Because directory servers are
widely used in maintaining corporate contact information and providing
authentication services, any threats to their integrity or stability
can jeopardize the security of an organization.
As a member of the PROTOS project consortium, the Oulu University Secure
Programming Group (OUSPG) has developed an LDAPv3 vulnerability test
suite to provide security testing of LDAP protocol implementations. By
creating a variety of sample packets containing unexpected values or
illegally formatted data, it may reveal vulnerabilities that would not
manifest themselves under normal conditions.
The test suite is divided into two main sections: the "Encoding"
section, which tests an LDAP server's response to Basic Encoding Rules
(BER) anomalies, and the "Application" section, which tests an LDAP
server's response to LDAP-specific application anomalies. Each section
is further divided into "groups" that collectively exercise a particular
encoding or application feature. Finally, each group contains one or
more "test cases", which represent the network packets that are used
to test individual exceptional conditions.
Following are summarised observations for a variety of popular
LDAP-enabled server products:
VU#276944 - iPlanet Directory Server contains multiple vulnerabilities
in LDAP handling code
The iPlanet Directory Server contains multiple vulnerabilities in
the code that processes LDAP requests.
This product exhibited failures in BER encoding testing, as well
as buffer overflow vulnerabilities (or at least suspicious behavior)
while testing for format string vulnerabilities.
VU#583184 - Lotus Domino R5 Server Family contains multiple
vulnerabilities in LDAP handling code
The Lotus Domino R5 Server Family (including Enterprise,
Application, and Mail servers) contains multiple vulnerabilities
in the code that processes LDAP requests.
This product failed a small number of BER test cases. Buffer
overflow and format string vulnerabilities were also present.
VU#688960 - Teamware Office contains multiple vulnerabilities in LDAP
handling code
The Teamware Office suite is packaged with a combination X.500/LDAP
server that provides directory service. Multiple versions of the
Office product contain vulnerabilities that cause the LDAP server
to crash in response to traffic sent by the PROTOS LDAPv3 test
suite.
This product failed some BER encoding test cases involving invalid
encodings and had failures that indicated the presence of buffer
overflow vulnerabilities.
VU#763400 - Microsoft Exchange 5.5 LDAP Service is vulnerable to
denial-of-service attacks
The Microsoft Exchange 5.5 LDAP Service contains a vulnerability
that causes the LDAP server to freeze in response to malformed LDAP
requests generated by the PROTOS test suite. This only affects the
LDAP service; all other Exchange services, including mail handling,
continue normally.
Although this product was not included in OUSPG's initial testing,
subsequent informal testing revealed that the LDAP service of the
Microsoft Exchange 5.5 became unresponsive while processing test
cases containing exceptional BER encodings for the LDAP filter type
field.
VU#765256 - Network Associates PGP Keyserver contains multiple
vulnerabilities in LDAP handling code
The Network Associates PGP Keyserver 7.0 contains multiple
vulnerabilities in the code used to process LDAP requests.
This product exhibited primarily encoding failures.
VU#869184 - Oracle 8i Enterprise Edition contains multiple
vulnerabilities in LDAP handling code
The Oracle 8i Enterprise Edition server contains multiple
vulnerabilities in the code used to process LDAP requests.
This product exhibited an indeterminate number of BER encoding
failures. Buffer overflow and format string vulnerabilities were
present in a variety of application components.
VU#935800 - Multiple versions of OpenLDAP are vulnerable to
denial-of-service attacks
There are multiple vulnerabilities in the OpenLDAP implementations
of the LDAP protocol. These vulnerabilities exist in the code that
translates network datagrams into application-specific information.
This product failed an indeterminate number of BER encoding test
cases, but passed all application test cases.
2. Impact
Vulnerabilities in LDAP implementations may allow remote users to perform
denial-of-service attacks, or to execute arbitrary code and/or commands
that may lead to a root compromise.
VU#276944 - iPlanet Directory Server contains multiple vulnerabilities
in LDAP handling code
One or more of these vulnerabilities allow a remote attacker to
execute arbitrary code with the permissions of the user (typically
a privileged user) running the Directory Server. At least one of
these vulnerabilities has been successfully exploited in a
laboratory environment under Windows NT 4.0, but these may affect
other platforms as well.
VU#583184 - Lotus Domino R5 Server Family contains multiple
vulnerabilities in LDAP handling code
One or more of these vulnerabilities allow a remote attacker to
execute arbitrary code with the permissions of the user (typically
a privileged user) running the Domino server. At least one of these
vulnerabilities has been successfully exploited in a laboratory
environment.
VU#688960 - Teamware Office contains multiple vulnerabilities in LDAP
handling code
These vulnerabilities allow a remote attacker to crash affected
Teamware LDAP servers, resulting in a denial-of-service condition.
They may also allow a remote attacker to execute arbitrary code with
the permissions of the user (typically a privileged user) running
the Teamware server.
VU#763400 - Microsoft Exchange 5.5 LDAP Service is vulnerable to
denial-of-service attacks
This vulnerability allows a remote attacker to crash the LDAP
component of vulnerable Exchange 5.5 servers, resulting in a
denial-of-service condition within the LDAP component.
VU#765256 - Network Associates PGP Keyserver contains multiple
vulnerabilities in LDAP handling code
One or more of these vulnerabilities allow a remote attacker to
execute arbitrary code with the permissions of the user (typically
a privileged user) running the Keyserver. At least one of these
vulnerabilities has been successfully exploited in a laboratory
environment.
VU#869184 - Oracle 8i Enterprise Edition contains multiple
vulnerabilities in LDAP handling code
One or more of these vulnerabilities allow a remote attacker to
execute arbitrary code with the permissions of the user (typically
a privileged user) running the Oracle server. At least one of these
vulnerabilities has been successfully exploited in a laboratory
environment.
VU#935800 - Multiple versions of OpenLDAP are vulnerable to
denial-of-service attacks
These vulnerabilities allow a remote attacker to crash affected
OpenLDAP servers, resulting in a denial-of-service condition.
3. Workarounds/Solution
Apply a patch from your vendor
Section 4a contains information provided by vendors for this advisory.
Please consult this section to see if you need to contact your vendor
directly.
Block access to directory services at network perimeter
As a temporary measure, it is possible to limit the scope of these
vulnerabilities by blocking access to directory services at the network
perimeter. Please note that this workaround does not protect vulnerable
products from internal attacks.
ldap 389/tcp # Lightweight Directory Access Protocol
ldap 389/udp # Lightweight Directory Access Protocol
ldaps 636/tcp # ldap protocol over TLS/SSL (was sldap)
ldaps 636/udp # ldap protocol over TLS/SSL (was sldap)
4. Information
4a. Vendor Information
This section contains information provided by vendors for this advisory.
As vendors report new information, we will update this section and note
the changes in our revision history.
iPlanet E-Commerce Solutions
These vulnerabilities were originally discovered in Directory Server
5.0 Beta and later found to exist in versions up to and including
version 4.13. Vulnerabilities have been addressed in the released
version of Directory Server 5.0.
Lotus Development Corporation
Lotus reproduced the problem as reported by OUSPG and documented it in
SPR#DWUU4W6NC8.
"Lotus considers security issues as top priority, so we acted quickly
to resolve the problem in a maintenance update to Domino. It was
addressed in Domino R5.0.7a, which was released on May 18th, 2001."
This release can be downloaded from Notes.net at:
http://www.notes.net/qmrdown.nsf/qmrwelcome.
The fix is documented in the fix list at:
http://www.notes.net/r5fixlist.nsf/Search!SearchView&Query=DWUU4W6NC8
The Teamware Group
An issue has been discovered with Teamware Office Enterprise Directory
(LDAP server) that shows an abnormal termination or loop when the LDAP
server encounters maliciously or incorrectly created LDAP request
data.
If the maliciously formatted LDAP request data is requested, the LDAP
server may excessively copy the LDAP request data to the stack area.
This overflow is likely to cause execution of malicious code. In other
cases, the LDAP server may go into abnormal termination or an infinite
loop.
Teamware has provided additional documentation of these issues in their
"Teamware Solution Database", available at:
http://support.teamw.com/Online/s_database1.shtml
Registered users can find information on these vulnerabilities by
searching for document #010703-0000 for Windows NT or document
#010703-0001 for Solaris.
Microsoft Corporation
Microsoft is developing a hotfix for this issue which will be available
shortly.
Customers can obtain this hotfix by contacting Product Support Services
at no charge and asking for Q303448 and Q303450. Information on
contacting Microsoft Product Support Services can be found at:
http://www.microsoft.com/support/
Network Associates, Inc.
Network Associates has resolved these vulnerabilities in Hotfix 2 for
both Solaris and Windows NT. All Network Associates Enterprise Support
customers have been notified and have been provided access to the
Hotfix.
This Hotfix can be downloaded at:
http://www.pgp.com/downloads/default.asp
Oracle Corporation
Sites are encouraged to contact Oracle for further updates on this
issue.
The OpenLDAP Project
To address these vulnerabilities, the OpenLDAP Project has released
OpenLDAP 1.2.12 for use in LDAPv2 environments and OpenLDAP 2.0.8 for
use in LDAPv3 environments. Users of OpenLDAP are encouraged to contact
their software vendor or obtain the latest version, available at:
http://www.openLDAP.org/software/download/
4b. Additional Information
The PROTOS Project
The PROTOS project is a research partnership between the University of
Oulu and VTT Electronics, an independent research organization owned
by the Finnish government. The project studies methods by which protocol
implementations can be tested for information security defects.
Although the vulnerabilities discussed in this advisory relate
specifically to the LDAP protocol, the methodology used to research,
develop, and deploy the PROTOS LDAPv3 test suite can be applied to any
communications protocol.
For more information on the PROTOS project and its collection of test
suites, please visit
http://www.ee.oulu.fi/research/ouspg/protos/
ASN.1 and the BER
Abstract Syntax Notation One (ASN.1) is a flexible notation that allows
one to define a variety of data types. The Basic Encoding Rules (BER)
describe how to represent or encode the values of each ASN.1 type as
a string of octets. This allows programmers to encode and decode data
for platform-independent transmission over a network.
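The BER anomalies exercised by the "Encoding" section of the PROTOS suite are largely malformed tag/length headers. The following defensive header parser is an added example (not code from the advisory, OUSPG, or any vendor listed above) showing the checks a decoder needs before trusting a length field; the function and status names are this example's own.

```c
/* Defensive BER tag/length header parser (added example). It accepts only
 * the definite-length encodings LDAPv3 messages use and rejects the kinds
 * of anomaly the PROTOS suite feeds to servers: indefinite length, oversized
 * length fields, non-minimal (overlong) length encodings, and lengths that
 * run past the end of the received buffer. */
#include <stddef.h>
#include <stdint.h>

enum ber_status {
    BER_OK = 0,
    BER_TRUNCATED,        /* header or content runs past buffer end */
    BER_INDEFINITE,       /* 0x80 length octet: not allowed in LDAP (RFC 2251) */
    BER_LENGTH_TOO_WIDE,  /* more than 4 length octets: no sane LDAP message */
    BER_NON_MINIMAL,      /* long form used where a shorter encoding exists */
    BER_TAG_UNSUPPORTED   /* multi-octet tag (tag number >= 31) */
};

struct ber_hdr {
    uint8_t tag;      /* single-octet tag; LDAPv3 tag numbers are all < 31 */
    size_t  len;      /* content length */
    size_t  hdr_len;  /* octets consumed by tag + length */
};

/* Parse the tag and length at buf[0..n). On BER_OK the caller may read
 * exactly hdr->len content octets starting at buf + hdr->hdr_len. */
enum ber_status ber_read_header(const uint8_t *buf, size_t n, struct ber_hdr *hdr)
{
    size_t pos = 0;
    if (n < 2) return BER_TRUNCATED;                 /* need tag + 1 length octet */
    hdr->tag = buf[pos++];
    if ((hdr->tag & 0x1f) == 0x1f) return BER_TAG_UNSUPPORTED;
    uint8_t first = buf[pos++];
    if (first < 0x80) {                              /* short form */
        hdr->len = first;
    } else {
        size_t nlen = first & 0x7f;
        if (nlen == 0) return BER_INDEFINITE;
        if (nlen > 4) return BER_LENGTH_TOO_WIDE;
        if (n - pos < nlen) return BER_TRUNCATED;
        if (buf[pos] == 0) return BER_NON_MINIMAL;   /* leading zero length octet */
        size_t len = 0;
        for (size_t i = 0; i < nlen; i++) len = (len << 8) | buf[pos++];
        if (len < 0x80) return BER_NON_MINIMAL;      /* would fit the short form */
        hdr->len = len;
    }
    hdr->hdr_len = pos;
    if (hdr->len > n - pos) return BER_TRUNCATED;    /* content exceeds buffer */
    return BER_OK;
}
```

A server that applies these checks at every nesting level never copies more octets than it actually received, which removes the precondition for the stack overflows described in the Teamware and iPlanet reports.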
- ---------------------------------------------------------------------------
AusCERT thanks the CERT Coordination Center for assembling the information
contained in this advisory. Thanks also to the Oulu University Secure
Programming Group (OUSPG) for the technical analysis upon which this
advisory is based. Finally, thanks to all vendors who provided input to
this research.
- ---------------------------------------------------------------------------
AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The
appropriateness of this document for an organisation or individual system
should be considered before application in conjunction with local policies
and procedures. AusCERT takes no responsibility for the consequences of
applying the contents of this document.
If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
AusCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/. This archive contains past SERT and AusCERT
Advisories, and other computer security information.
AusCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for emergencies.
Postal:
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
AUSTRALIA
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key
-----END PGP SIGNATURE-----