SecurityTracker.com

SecurityTracker
Archives


 


Category:   Application (Database)  >   InJoin Directory Server
Vendors:   Critical Path
Critical Path's InJoin LDAP Directory Server Can Be Crashed By Remote Users and May Allow Remote Users to Execute Arbitrary Code and Gain Elevated Privileges
SecurityTracker Alert ID:  1002123
SecurityTracker URL:  http://securitytracker.com/id/1002123
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Aug 1 2001
Impact:   Denial of service via network, Execution of arbitrary code via network, Root access via network, User access via network


Description:   It is reported that Critical Path's InJoin LDAP directory servers can be crashed by remote users and may allow remote users to execute arbitrary code to gain elevated privileges on the server.

No additional details are available.

This vulnerability is the same LDAP vulnerability described in CERT Advisory CA-2001-18 ("Multiple Vulnerabilities in Several Implementations of the Lightweight Directory Access Protocol"), dated July 16, 2001. The Critical Path InJoin server was not included in the CERT advisory.

Impact:   A remote user can cause the LDAP server to crash and may be able to execute arbitrary code to gain elevated privileges on the server.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.cp.net/products/injoin_dirserver_overview.html
Cause:   Boundary error
Underlying OS:  UNIX (AIX), UNIX (HP/UX), UNIX (SGI/IRIX), UNIX (Solaris - SunOS), Windows (NT), Windows (2000)

Message History:   None.


 Source Message Contents

Subject:  RE: CERT Advisory CA-2001-18, Critical Path directory products ar


> -----Original Message-----
> From: aleph1@securityfocus.com [mailto:aleph1@securityfocus.com]
> Sent: Tuesday, July 17, 2001 4:55 PM
> To: bugtraq@securityfocus.com
> Subject: CERT Advisory CA-2001-18
> 
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> 
> CERT Advisory CA-2001-18 Multiple Vulnerabilities in Several
> Implementations of the Lightweight Directory Access Protocol (LDAP)
> 
>    Original release date: July 16, 2001
>    Last revised: --
>    Source: CERT/CC
> 
>    A complete revision history can be found at the end of this file.
> 
> Systems Affected

We've just got confirmation that Critical Path's line of LDAP directories
(http://www.cp.net/) are susceptible to the LDAP vulnerabilities in this
CERT announcement.  I am sending out this email to make sure that all
ICL/Peerlogic i500 and InJoin/GDS administrators are made aware of the
vulnerabilities.  Critical Path has not publicly announced this
vulnerability yet, but I'm sure that hackers/crackers already know.  I am
disappointed in Critical Path for not even testing for these vulnerabilities
until pressure was put on them through resellers and for not publicly
announcing it so that administrators are made aware.

If you are an administrator of one of these products, please contact
Critical Path or your reseller to pressure Critical Path on providing the
patches quickly.  Also, if you have a publicly accessible LDAP server
from Critical Path, I'd block it from the Internet until patches are
installed.

Ron Ogle
(These are mine own opinions and not of my company.)

 
 



Copyright 2021, SecurityGlobal.net LLC