Libuser LDAP Account Creation Default Password May Let Users Bypass Security Controls
|
|
SecurityTracker Alert ID: 1024960 |
|
SecurityTracker URL: http://securitytracker.com/id/1024960
|
|
CVE Reference:
CVE-2011-0002
(Links to External Site)
|
Date: Jan 13 2011
|
Impact:
Modification of authentication information
|
Fix Available: Yes Vendor Confirmed: Yes
|
Version(s): prior to 0.57
|
Description:
A vulnerability was reported in Libuser. A remote or local user can bypass security controls.
The software may create LDAP users with default passwords. A remote or local user can login using a default password.
The specific impact depends on the application that uses libuser.
|
Impact:
A remote or local user can bypass password access controls in certain cases.
|
Solution:
The vendor has issued a fix (0.57).
The vendor's advisory is available at:
https://fedorahosted.org/libuser/browser/NEWS?rev=1579%3A1114f9b1a156
|
Vendor URL: fedorahosted.org/libuser/ (Links to External Site)
|
Cause:
Access control error, State error
|
Underlying OS:
Linux (Any), UNIX (Any)
|
|
Message History:
This archive entry has one or more follow-up message(s) listed below.
|
Source Message Contents
|
Date: Thu, 13 Jan 2011 22:11:25 +0000
Subject: libuser
|
CVE-2011-0002
https://fedorahosted.org/libuser/browser/NEWS?rev=1579%3A1114f9b1a156
0.57
* Resolve an ambiguity about "password" value format that could cause setting
a known plaintext password in LDAP accounts: the "files"/"shadow" and LDAP
modules may not be used together any more, and the module interface ABI has
changed to support this.
* Don't authenticate the user (in lchfn, lchsh, lpasswd) if the application
is not set*id and it does not need elevated privileges. In particular, this
allows the above programs to be used for LDAP administration by unprivileged
users.
* Change default crypt_style to sha512.
* Don't abort on invalid ID values.
* Miscellaneous bug fixes.
|
|
