IBM Tivoli Directory Server < 6.1.0.47 / 6.2.0.22 / 6.3.0.11 Multiple Vulnerabilities (credentialed check)

medium Nessus Plugin ID 58814

Synopsis

The version of IBM Tivoli Directory Server contains multiple security vulnerabilities.

Description

According to its version, the installation of IBM Tivoli Directory Server on the remote host is prior to 6.1.0.47 / 6.2.0.22 / 6.3.0.11. It is, therefore, affected by one or more of the following vulnerabilities:

- A custom LDAP client can crash IBM Tivoli Directory Server by sending a malformed paged search request. (IO15707, IO16001, IO16002)

- In the default Tivoli Directory Server environment with TLS enabled, the NULL-MD5 and NULL-SHA ciphers are enabled by default. (IO16035, IO16036, IOO15761)

Solution

Install the appropriate fix based on the vendor's advisory:

- 6.1.0.47-ISS-ITDS-IF0047
- 6.2.0.22-ISS-ITDS-IF0022
- 6.3.0.11-ISS-ITDS-IF0011

See Also

http://www.nessus.org/u?1609f9e3

http://www.nessus.org/u?b26c4617

http://www-01.ibm.com/support/docview.wss?uid=swg21591267

http://www-01.ibm.com/support/docview.wss?uid=swg21591272

Plugin Details

Severity: Medium

ID: 58814

File Name: tivoli_directory_svr_63011.nasl

Version: 1.7

Type: local

Agent: windows

Family: Windows

Published: 4/20/2012

Updated: 8/1/2018

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 2.7

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 4.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

Vulnerability Information

CPE: cpe:/a:ibm:tivoli_directory_server

Required KB Items: installed_sw/IBM Security Directory Server

Exploit Ease: No known exploits are available

Patch Publication Date: 4/16/2012

Vulnerability Publication Date: 4/16/2012

Reference Information

CVE: CVE-2012-0726, CVE-2012-0743

BID: 53043