Unknown vulnerability in pam_ldap before 180 does not properly handle a new password policy control, which could allow attackers to gain privileges. NOTE: CVE-2005-2497 had also been assigned to this issue, but CVE-2005-2641 is the correct candidate.

The remote BIG-IP device is missing a patch required by a security advisory.

Updated openldap and nss_ldap packages that correct a potential password disclosure issue and possible authentication vulnerability are now available.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

OpenLDAP is an open source suite of LDAP (Lightweight Directory Access Protocol) applications and development tools.

The nss_ldap module is an extension for use with GNU libc which allows applications to, without internal modification, consult a directory service using LDAP to supplement information that would be read from local files such as /etc/passwd, /etc/group, and /etc/shadow.

A bug was found in the way OpenLDAP, nss_ldap, and pam_ldap refer LDAP servers. If a client connection is referred to a different server, it is possible that the referred connection will not be encrypted even if the client has 'ssl start_tls' in its ldap.conf file. The Common Vulnerabilities and Exposures project has assigned the name CVE-2005-2069 to this issue.

A bug was found in the way the pam_ldap module processed certain failure messages. If the server includes supplemental data in an authentication failure result message, but the data does not include any specific error code, the pam_ldap module would proceed as if the authentication request had succeeded, and authentication would succeed. The Common Vulnerabilities and Exposures project has assigned the name CVE-2005-2641 to this issue.

Additionally the following issues are corrected in this erratum.

  - The OpenLDAP upgrading documentation has been updated.

  - Fix a database deadlock locking issue.

  - A fix where slaptest segfaults on exit after successful     check.

  - The library libslapd_db-4.2.so is now located in an     architecture-dependent directory.

  - The LDAP client no longer enters an infinite loop when     the server returns a reference to itself.

  - The pam_ldap module adds the ability to check user     passwords using a directory server to PAM-aware     applications.

  - The directory server can now include supplemental     information regarding the state of the user's account if     a client indicates that it supports such a feature.

All users of OpenLDAP and nss_ldap are advised to upgrade to these updated packages, which contain backported fixes that resolve these issues.

Luke Howard reports :

If a pam_ldap client authenticates against an LDAP server that returns a passwordPolicyResponse control, but omits the optional 'error' field of the PasswordPolicyResponseValue, then the LDAP authentication result will be ignored and the authentication step will always succeed.

A bug was found in the way the pam_ldap module processed certain failure messages. If the server includes supplemental data in an authentication failure result message, but the data does not include any specific error code, the pam_ldap module would proceed as if the authentication request had succeeded, and authentication would succeed. This affects versions 169 through 179 of pam_ldap.

The updated packages have been patched to address this issue.

The remote Redhat Enterprise Linux 4 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2005:767 advisory.

    OpenLDAP is an open source suite of LDAP (Lightweight Directory Access     Protocol) applications and development tools.

    The nss_ldap module is an extension for use with GNU libc which allows     applications to, without internal modification, consult a directory service     using LDAP to supplement information that would be read from local files     such as /etc/passwd, /etc/group, and /etc/shadow.

    A bug was found in the way OpenLDAP, nss_ldap, and pam_ldap refer LDAP     servers. If a client connection is referred to a different server, it is     possible that the referred connection will not be encrypted even if the     client has ssl start_tls in its ldap.conf file. The Common     Vulnerabilities and Exposures project has assigned the name CAN-2005-2069     to this issue.

    A bug was found in the way the pam_ldap module processed certain failure     messages. If the server includes supplemental data in an authentication     failure result message, but the data does not include any specific error     code, the pam_ldap module would proceed as if the authentication request     had succeeded, and authentication would succeed. The Common Vulnerabilities     and Exposures project has assigned the name CAN-2005-2641 to this issue.

    Additionally the following issues are corrected in this erratum.

    - The OpenLDAP upgrading documentation has been updated.

    - Fix a database deadlock locking issue.

    - A fix where slaptest segfaults on exit after successful check.

    - The library libslapd_db-4.2.so is now located in an       architecture-dependent directory.

    - The LDAP client no longer enters an infinite loop when the server returns       a reference to itself.

    - The pam_ldap module adds the ability to check user passwords using a       directory server to PAM-aware applications.

    - The directory server can now include supplemental information regarding       the state of the user's account if a client indicates that it supports       such a feature.

    All users of OpenLDAP and nss_ldap are advised to upgrade to these updated     packages, which contain backported fixes that resolve these issues.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote host is affected by the vulnerability described in GLSA-200508-22 (pam_ldap: Authentication bypass vulnerability)

    When a pam_ldap client attempts to authenticate against an LDAP     server that omits the optional error value from the     PasswordPolicyResponseValue, the authentication attempt will always     succeed.
  Impact :

    A remote attacker may exploit this vulnerability to bypass the     LDAP authentication mechanism, gaining access to the system possibly     with elevated privileges.
  Workaround :

    There is no known workaround at this time.

It has been discovered that libpam-ldap, the Pluggable Authentication Module allowing LDAP interfaces, ignores the result of an attempt to authenticate against an LDAP server that does not set an optional data field.

ID	Name	Product	Family	Severity
78211	F5 Networks BIG-IP : pam_ldap vulnerability (SOL6634)	Nessus	F5 Networks Local Security Checks	high
78207	F5 Networks BIG-IP : pam_ldap password policy control vulnerability (SOL5725)	Nessus	F5 Networks Local Security Checks	high
21961	CentOS 4 : openldap / nss_ldap (CESA-2005:767)	Nessus	CentOS Local Security Checks	high
21413	FreeBSD : pam_ldap -- authentication bypass vulnerability (38c76fcf-1744-11da-978e-0001020eed82)	Nessus	FreeBSD Local Security Checks	high
20120	Mandrake Linux Security Advisory : nss_ldap (MDKSA-2005:190)	Nessus	Mandriva Local Security Checks	high
20046	RHEL 4 : openldap and nss_ldap (RHSA-2005:767)	Nessus	Red Hat Local Security Checks	critical
19575	GLSA-200508-22 : pam_ldap: Authentication bypass vulnerability	Nessus	Gentoo Local Security Checks	high
19528	Debian DSA-785-1 : libpam-ldap - authentication bypass	Nessus	Debian Local Security Checks	high

Detections

Analytics

CVE-2005-2641

critical

Tenable Plugins

high

high

high

high

high

critical

high

high