OpenLDAP Stand-alone LDAP Server (slapd) Bug Lets Valid Remote Users Delete Attributes Without Authorization
SecurityTracker Alert ID: 1003260
SecurityTracker URL: http://securitytracker.com/id/1003260
CVE Reference: GENERIC-MAP-NOMATCH
Date: Jan 16 2002
Impact: Modification of user information
Fix Available: Yes Vendor Confirmed: Yes
Version(s): 2.0.20; possibly prior versions
Description:
A vulnerability was reported in OpenLDAP's standalone LDAP server. A remote user can delete attributes without authorization.
It is reported that the stand-alone LDAP server (slapd) version 2.0.x allows entities with access to the LDAP service to make an unauthorized replacement of the values of arbitrary attributes with an empty set of values, deleting the attribute completely.
A demonstration exploit transcript is provided in the Source Message.
Impact:
A remote user with access to the LDAP server can delete arbitrary attributes without authorization.
Solution:
The vendor has released a fixed version (2.0.21), available at:
http://www.openldap.org/software/download/
Vendor URL: www.openldap.org/
Cause:
Access control error
Underlying OS:
Linux (Any), UNIX (Any)
Message History:
This archive entry has one or more follow-up message(s) listed below.
Source Message Contents
Date: Wed, 16 Jan 2002 02:12:44 -0500
Subject: OpenLDAP unauthorized modification bug
OpenLDAP 2.0.21 (LDAPv3)
by OpenLDAP Project (http://freshmeat.net/users/openldap/)
Tuesday, January 15th 2002 16:50
Database Internet Software Development :: Libraries
About: The OpenLDAP Project is a collaborative effort to provide a robust, commercial-grade, fully featured, open source LDAP software suite. The project is managed by a worldwide community of volunteers that use the Internet to communicate, plan, and develop OpenLDAP Software and its related documentation. OpenLDAP Software provides a complete LDAP implementation including server, clients, C SDK, and associated tools.
Changes: A fix for a minor security issue and a number of non-security related bugfixes. Users of previous OpenLDAP 2.0 versions, especially versions prior to 2.0.20 (which included a major security fix), should upgrade as soon as possible.
License: OSI Approved
URL: http://freshmeat.net/projects/openldap/
------------------------------------------------
From the changelog:
OpenLDAP 2.0.21 Release
Fix slapd empty string indexing/filtering handling
(ITS#1507)
Changed slapd ACL selfwrite replace logic (ITS#1530)
Build environment
Updated IPv6 configuration argument handling
Fix back-shell tools make depend bug (ITS#1518)
Removed extraneous files
------------------------------------------------
From the issue tracking system:
slapd 2.0.x allows unauthorized entities to replace the values
of arbitrary attributes by an empty set of values, thus deleting
the attribute completely.
(This is true if schema checking does not force the
existence of the attribute.)
To demonstrate the problem for an environment where anonymous
bind is not disabled, prepare a file 'rm-attr.ldif' with e.g.
the following contents:
dn: uid=some-mail-user,ou=people,dc=foo,dc=bar
replace: mail
Running
ldapmodify -x -f rm-attr.ldif
(assuming that URI and BASE are set in ldap.conf)
will delete all mail addresses of 'some-mail-user'.
This works even if you lock down access to
access to * by * none
To reproduce the bug for authenticated bind, e.g. if you have
disabled acceptance of anonymous bind requests, you need at
least
access to attr=userPassword by anonymous auth
and run ldapmodify binding as any user.
This misbehaviour is due to the implementation of acls in
servers/slapd/acl.c, where REPLACE requests are handled the same
way as ADD requests. REPLACE requests, however, delete all values
of the attribute in a first step, and replace by 'nothing' in
LDAP v3 means deleting the attribute itself.
Hence, an entity requesting REPLACE should need permission for
the current values to be deleted, and, like ADD requests,
permission to add its set of new values to the attribute.
[...]
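The misbehaviour described in the message, as an added illustration that is not OpenLDAP's code: a deliberately simplified model of slapd's modify access check, with an ACL reduced to a mapping of attribute to the rights the requester holds ('write' standing in for slapd's write level) and a hypothetical target entry. It contrasts the reported REPLACE-as-ADD logic, where an empty value set is never checked, with the rule the reporter asks for (delete of the current values plus add of the new ones).

```python
def parse_modify_ldif(text):
    """Parse one LDIF modify record into (dn, [(op, attr, [values])])."""
    dn, ops, cur = None, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "-":                       # terminates one modification
            if cur:
                ops.append(cur)
            cur = None
            continue
        key, _, val = line.partition(":")
        key, val = key.strip(), val.strip()
        if key == "dn":
            dn = val
        elif key in ("add", "delete", "replace"):
            cur = (key, val, [])
        elif cur and key == cur[1]:           # a value line for the current op
            cur[2].append(val)
    if cur:
        ops.append(cur)
    return dn, ops

def buggy_allowed(acl, op, attr, values, entry):
    """Model of the pre-2.0.21 logic: REPLACE takes the ADD path, which checks
    access once per supplied value, so an empty value set is never checked."""
    rights = acl.get(attr, set())
    if op in ("add", "replace"):
        return all("write" in rights for _ in values)
    return "write" in rights                  # delete

def fixed_allowed(acl, op, attr, values, entry):
    """REPLACE means 'delete every current value, then add the new ones', so it
    needs write access whenever current values exist or new values are given."""
    rights = acl.get(attr, set())
    if op == "replace":
        return "write" in rights if (entry.get(attr) or values) else True
    if op == "add":
        return all("write" in rights for _ in values)
    return "write" in rights                  # delete

# Constructed sample: the message's LDIF with an explicit changetype, a
# hypothetical entry that still holds a mail value, and no ACL rights at all.
RM_ATTR_LDIF = "dn: uid=some-mail-user,ou=people,dc=foo,dc=bar\n" \
               "changetype: modify\nreplace: mail\n-\n"
ENTRY = {"mail": ["someone@foo.bar"]}

def evaluate(check, ldif=RM_ATTR_LDIF, acl=None, entry=ENTRY):
    """True if every modification in the LDIF passes the given access check."""
    _, ops = parse_modify_ldif(ldif)          # acl None == 'access to * by * none'
    return all(check(acl or {}, op, attr, vals, entry) for op, attr, vals in ops)
```

With no rights the buggy check lets the empty REPLACE through while the corrected check refuses it; granting write on mail makes both accept it.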