pam_ldap in nss_ldap on Red Hat Enterprise Linux 4, Fedora Core 3 and earlier, and possibly other distributions does not return an error condition when an LDAP directory server responds with a PasswordPolicyResponse control response, which causes the pam_authenticate function to return a success code even if authentication has failed, as originally reported for xscreensaver.

From Red Hat Security Advisory 2006:0719 :

Updated nss_ldap packages that fix a security flaw are now available for Red Hat Enterprise Linux 4.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

nss_ldap is a set of C library extensions that allow X.500 and LDAP directory servers to be used as primary sources for aliases, ethers, groups, hosts, networks, protocols, users, RPCs, services, and shadow passwords.

A flaw was found in the way nss_ldap handled a PasswordPolicyResponse control sent by an LDAP server. If an LDAP server responded to an authentication request with a PasswordPolicyResponse control, it was possible for an application using nss_ldap to improperly authenticate certain users. (CVE-2006-5170)

This flaw was only exploitable within applications which did not properly process nss_ldap error messages. Only xscreensaver is currently known to exhibit this behavior.

All users of nss_ldap should upgrade to these updated packages, which contain a backported patch that resolves this issue.

pam_ldap in nss_ldap does not return an error condition when an LDAP directory server responds with a PasswordPolicyResponse control response, which causes the pam_authenticate function to return a success code even if authentication has failed, as originally reported for xscreensaver. (CVE-2006-5170)

Updated nss_ldap packages that fix a security flaw are now available for Red Hat Enterprise Linux 4.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

nss_ldap is a set of C library extensions that allow X.500 and LDAP directory servers to be used as primary sources for aliases, ethers, groups, hosts, networks, protocols, users, RPCs, services, and shadow passwords.

A flaw was found in the way nss_ldap handled a PasswordPolicyResponse control sent by an LDAP server. If an LDAP server responded to an authentication request with a PasswordPolicyResponse control, it was possible for an application using nss_ldap to improperly authenticate certain users. (CVE-2006-5170)

This flaw was only exploitable within applications which did not properly process nss_ldap error messages. Only xscreensaver is currently known to exhibit this behavior.

All users of nss_ldap should upgrade to these updated packages, which contain a backported patch that resolves this issue.

pam_ldap did not return an error conditions correctly when an LDAP directory server responded with a PasswordPolicyResponse control response, which caused the pam_authenticate function to return a success code even if authentication has failed. (CVE-2006-5170)

Pam_ldap does not return an error condition when an LDAP directory server responds with a PasswordPolicyResponse control response, which causes the pam_authenticate function to return a success code even if authentication has failed, as originally reported for xscreensaver.
This might lead to an attacker being able to login into a suspended system account.

Updated packages have been patched to correct this issue.

The remote host is affected by the vulnerability described in GLSA-200612-19 (pam_ldap: Authentication bypass vulnerability)

    Steve Rigler discovered that pam_ldap does not correctly handle     'PasswordPolicyResponse' control responses from an LDAP directory. This     causes the pam_authenticate() function to always succeed, even if the     previous authentication failed.
  Impact :

    A locked user may exploit this vulnerability to bypass the LDAP     authentication mechanism, possibly gaining unauthorized access to the     system.
  Workaround :

    There is no known workaround at this time.

Steve Rigler discovered that the PAM module for authentication against LDAP servers processes PasswordPolicyReponse control messages incorrectly, which might lead to an attacker being able to login into a suspended system account.

ID	Name	Product	Family	Severity
67415	Oracle Linux 4 : nss_ldap (ELSA-2006-0719)	Nessus	Oracle Linux Local Security Checks	high
41103	SuSE9 Security Update : pam_ldap (YOU Patch Number 11259)	Nessus	SuSE Local Security Checks	high
36238	CentOS 4 : nss_ldap (CESA-2006:0719)	Nessus	CentOS Local Security Checks	high
29546	SuSE 10 Security Update : pam_ldap (ZYPP Patch Number 2196)	Nessus	SuSE Local Security Checks	high
27381	openSUSE 10 Security Update : pam_ldap (pam_ldap-2194)	Nessus	SuSE Local Security Checks	high
24586	Mandrake Linux Security Advisory : pam_ldap (MDKSA-2006:201)	Nessus	Mandriva Local Security Checks	high
23956	GLSA-200612-19 : pam_ldap: Authentication bypass vulnerability	Nessus	Gentoo Local Security Checks	high
23676	RHEL 4 : nss_ldap (RHSA-2006:0719)	Nessus	Red Hat Local Security Checks	high
22935	Debian DSA-1203-1 : libpam-ldap - programming error	Nessus	Debian Local Security Checks	high

Detections

Analytics

CVE-2006-5170

critical

Tenable Plugins

high

high

high

high

high

high

high

high

high