pam_ldap and nss_ldap, when used with OpenLDAP and connecting to a slave using TLS, does not use TLS for the subsequent connection if the client is referred to a master, which may cause a password to be sent in cleartext and allows remote attackers to sniff the password.

Updated openldap and nss_ldap packages that correct a potential password disclosure issue and possible authentication vulnerability are now available.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

OpenLDAP is an open source suite of LDAP (Lightweight Directory Access Protocol) applications and development tools.

The nss_ldap module is an extension for use with GNU libc which allows applications to, without internal modification, consult a directory service using LDAP to supplement information that would be read from local files such as /etc/passwd, /etc/group, and /etc/shadow.

A bug was found in the way OpenLDAP, nss_ldap, and pam_ldap refer LDAP servers. If a client connection is referred to a different server, it is possible that the referred connection will not be encrypted even if the client has 'ssl start_tls' in its ldap.conf file. The Common Vulnerabilities and Exposures project has assigned the name CVE-2005-2069 to this issue.

A bug was found in the way the pam_ldap module processed certain failure messages. If the server includes supplemental data in an authentication failure result message, but the data does not include any specific error code, the pam_ldap module would proceed as if the authentication request had succeeded, and authentication would succeed. The Common Vulnerabilities and Exposures project has assigned the name CVE-2005-2641 to this issue.

Additionally the following issues are corrected in this erratum.

  - The OpenLDAP upgrading documentation has been updated.

  - Fix a database deadlock locking issue.

  - A fix where slaptest segfaults on exit after successful     check.

  - The library libslapd_db-4.2.so is now located in an     architecture-dependent directory.

  - The LDAP client no longer enters an infinite loop when     the server returns a reference to itself.

  - The pam_ldap module adds the ability to check user     passwords using a directory server to PAM-aware     applications.

  - The directory server can now include supplemental     information regarding the state of the user's account if     a client indicates that it supports such a feature.

All users of OpenLDAP and nss_ldap are advised to upgrade to these updated packages, which contain backported fixes that resolve these issues.

Updated openldap and nss_ldap packages that correct a potential password disclosure issue are now available.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

OpenLDAP is an open source suite of LDAP (Lightweight Directory Access Protocol) applications and development tools.

The nss_ldap module is an extension for use with GNU libc which allows applications to, without internal modification, consult a directory service using LDAP to supplement information that would be read from local files such as /etc/passwd, /etc/group, and /etc/shadow.

A bug was found in the way OpenLDAP, nss_ldap, and pam_ldap refer LDAP servers. If a client connection is referred to a different server, it is possible that the referred connection will not be encrypted even if the client has 'ssl start_tls' in its ldap.conf file. The Common Vulnerabilities and Exposures project has assigned the name CVE-2005-2069 to this issue.

A bug was also found in the way certain OpenLDAP authentication schemes store hashed passwords. A remote attacker could re-use a hashed password to gain access to unauthorized resources. The Common Vulnerabilities and Exposures project has assigned the name CVE-2004-0823 to this issue.

All users of OpenLDAP and nss_ldap are advised to upgrade to these updated packages, which contain backported fixes that resolve these issues.

Andrea Barisani discovered a flaw in the SSL handling of pam-ldap and libnss-ldap. When a client connected to a slave LDAP server using SSL, the slave server did not use SSL as well when contacting the LDAP master server. This caused passwords and other confident information to be transmitted unencrypted between the slave and the master.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Redhat Enterprise Linux 4 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2005:767 advisory.

  - security flaw (CVE-2005-2069, CVE-2005-2641)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

It has been discovered that libpam-ldap, the Pluggable Authentication Module allowing LDAP interfaces, ignores the result of an attempt to authenticate against an LDAP server that does not set an optional data field.

Rob Holland, of the Gentoo Security Audit Team, discovered that pam_ldap and nss_ldap would not use TLS for referred connections if they are referred to a master after connecting to a slave, regardless of the 'ssl start_tls' setting in ldap.conf.

As well, a bug in nss_ldap in Corporate Server and Mandrake 10.0 has been fixed that caused crond, and other applications, to crash as a result of clients receiving a SIGPIPE signal when attempting to issue a new search request to a directory server that is no longer available.

The updated packages have been patched to address this issue.

The remote host is affected by the vulnerability described in GLSA-200507-13 (pam_ldap and nss_ldap: Plain text authentication leak)

    Rob Holland of the Gentoo Security Audit Team discovered that     pam_ldap and nss_ldap fail to use TLS for referred connections if they     are referred to a master after connecting to a slave, regardless of the     'ssl start_tls' ldap.conf setting.
  Impact :

    An attacker could sniff passwords or other sensitive information     as the communication is not encrypted.
  Workaround :

    pam_ldap and nss_ldap can be set to force the use of SSL instead     of TLS.

ID	Name	Product	Family	Severity
21961	CentOS 4 : openldap / nss_ldap (CESA-2005:767)	Nessus	CentOS Local Security Checks	high
21852	CentOS 3 : openldap / nss_ldap (CESA-2005:751)	Nessus	CentOS Local Security Checks	high
20553	Ubuntu 4.10 / 5.04 : openldap2, libpam-ldap, libnss-ldap vulnerabilities (USN-152-1)	Nessus	Ubuntu Local Security Checks	medium
20046	RHEL 4 : openldap and nss_ldap (RHSA-2005:767)	Nessus	Red Hat Local Security Checks	critical
20044	RHEL 2.1 / 3 : openldap and nss_ldap (RHSA-2005:751)	Nessus	Red Hat Local Security Checks	high
19528	Debian DSA-785-1 : libpam-ldap - authentication bypass	Nessus	Debian Local Security Checks	high
19226	Mandrake Linux Security Advisory : nss_ldap (MDKSA-2005:121)	Nessus	Mandriva Local Security Checks	medium
19200	GLSA-200507-13 : pam_ldap and nss_ldap: Plain text authentication leak	Nessus	Gentoo Local Security Checks	medium

Detections

Analytics

CVE-2005-2069

critical

Tenable Plugins

high

high

medium

critical

high

high

medium

medium