libraries/libldap/tls_o.c in OpenLDAP 2.2 and 2.4, and possibly other versions, when OpenSSL is used, does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.

The remote Oracle Linux 5 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2010-0198 advisory.

    [2.3.43-12]
    - updated spec file, so the compat-libs linking patch applies       correctly

    [2.3.43-11]
    - backported patch to handle null character in TLS       certificates (#560912)

    [2.3.43-10]
    - updated chase-referral patch to compile cleanly
    - updated init script (#562714)

    [2.3.43-9]
    - updated ldap.sysconf to include SLAPD_LDAP, SLAPD_LDAPS and       SLAPD_LDAPI options (#559520)

    [2.3.43-8]
    - fixed connection freeze when TLSVerifyClient = allow (#509230)

    [2.3.43-7]
    - fixed chasing referrals in libldap (#510522)

    [2.3.43-6]
    - fixed possible double free() in rwm overlay (#495628)
    - updated slapd man page and slapcat usage string (#468206)
    - updated default config for slapd - deleted syncprov module (#466937)
    - fixed migration tools autofs generated format (#460331)
    - fixed migration tools numbers detection in /etc/shadow (#113857)
    - fixed migration tools base ldif (#104585)

    [2.3.43-5]
    - implementation of limit adjustment before starting slapd (#527313)
    - init script no longer executes script in /tmp (#483356)
    - slapd not starting with ldap:/// every time (#481003)
    - delay between TERM and KILL when shutting down slapd (#452064)

    [2.3.43-4]
    - fixed compat libs linking (#503734)
    - activated lightweight dispatcher feature (#507276)
    - detection of timeout after failed result (#495701

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote VMware ESX host is missing a security-related patch. It is, therefore, affected by multiple vulnerabilities, including remote code execution vulnerabilities, in several third-party components and libraries :

  - Berkeley DB NSS module
  - cURL / libcURL
  - GnuTLS
  - Network Security Services (NSS) Library
  - OpenLDAP
  - OpenSSL
  - OpenSSL Kerberos
  - sudo

The remote host is affected by the vulnerability described in GLSA-201406-36 (OpenLDAP: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in OpenLDAP. Please review       the CVE identifiers referenced below for details.
  Impact :

    A remote attacker might employ a specially crafted certificate to       conduct man-in-the-middle attacks on SSL connections made using OpenLDAP,       bypass security restrictions or cause a Denial of Service condition.
  Workaround :

    There is no known workaround at this time.

Jan Lieskovsky reports :

OpenLDAP does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority

From Red Hat Security Advisory 2010:0543 :

Updated openldap packages that fix two security issues are now available for Red Hat Enterprise Linux 4.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

OpenLDAP is an open source suite of LDAP (Lightweight Directory Access Protocol) applications and development tools.

An uninitialized pointer use flaw was discovered in the way the slapd daemon handled modify relative distinguished name (modrdn) requests.
An authenticated user with privileges to perform modrdn operations could use this flaw to crash the slapd daemon via specially crafted modrdn requests. (CVE-2010-0211)

Red Hat would like to thank CERT-FI for responsibly reporting the CVE-2010-0211 flaw, who credit Ilkka Mattila and Tuomas Salomaki for the discovery of the issue.

A flaw was found in the way OpenLDAP handled NUL characters in the CommonName field of X.509 certificates. An attacker able to get a carefully-crafted certificate signed by a trusted Certificate Authority could trick applications using OpenLDAP libraries into accepting it by mistake, allowing the attacker to perform a man-in-the-middle attack. (CVE-2009-3767)

Users of OpenLDAP should upgrade to these updated packages, which contain backported patches to resolve these issues. After installing this update, the OpenLDAP daemons will be restarted automatically.

A flaw was found in the way OpenLDAP handled NUL characters in the CommonName field of X.509 certificates. An attacker able to get a carefully-crafted certificate signed by a trusted Certificate Authority could trick applications using OpenLDAP libraries into accepting it by mistake, allowing the attacker to perform a man-in-the-middle attack. (CVE-2009-3767)

This update also fixes the following bugs :

  - the ldap init script did not provide a way to alter     system limits for the slapd daemon. A variable is now     available in '/etc/sysconfig/ldap' for this option.
    (BZ#527313)

  - applications that use the OpenLDAP libraries to contact     a Microsoft Active Directory server could crash when a     large number of network interfaces existed. This update     implements locks in the OpenLDAP library code to resolve     this issue. (BZ#510522)

  - when slapd was configured to allow client certificates,     approximately 90% of connections froze because of a     large CA certificate file and slapd not checking the     success of the SSL handshake. (BZ#509230)

  - the OpenLDAP server would freeze for unknown reasons     under high load. These packages add support for     accepting incoming connections by new threads, resolving     the issue. (BZ#507276)

  - the compat-openldap libraries did not list dependencies     on other libraries, causing programs that did not     specifically specify the libraries to fail. Detection of     the Application Binary Interface (ABI) in use on 64-bit     systems has been added with this update. (BZ#503734)

  - the OpenLDAP libraries caused applications to crash due     to an unprocessed network timeout. A timeval of -1 is     now passed when NULL is passed to LDAP. (BZ#495701)

  - slapd could crash on a server under heavy load when     using rwm overlay, caused by freeing non-allocated     memory during operation cleanup. (BZ#495628)

  - the ldap init script made a temporary script in '/tmp/'     and attempted to execute it. Problems arose when '/tmp/'     was mounted with the noexec option. The temporary script     is no longer created. (BZ#483356)

  - the ldap init script always started slapd listening on     ldap:/// even if instructed to listen only on ldaps:///.
    By correcting the init script, a user can now select     which ports slapd should listen on. (BZ#481003)

  - the slapd manual page did not mention the supported     options -V and -o. (BZ#468206)

  - slapd.conf had a commented-out option to load the     syncprov.la module. Once un-commented, slapd crashed at     start-up because the module had already been statically     linked to OpenLDAP. This update removes 'moduleload     syncprov.la' from slapd.conf, which resolves this issue.
    (BZ#466937)

  - the migrate_automount.pl script produced output that was     unsupported by autofs. This is corrected by updating the     output LDIF format for automount records. (BZ#460331)

  - the ldap init script uses the TERM signal followed by     the KILL signal when shutting down slapd. Minimal delay     between the two signals could cause the LDAP database to     become corrupted if it had not finished saving its     state. A delay between the signals has been added via     the 'STOP_DELAY' option in '/etc/sysconfig/ldap'.
    (BZ#452064)

  - the migrate_passwd.pl migration script had a problem     when number fields contained only a zero. Such fields     were considered to be empty, leading to the attribute     not being set in the LDIF output. The condition in     dump_shadow_attributes has been corrected to allow for     the attributes to contain only a zero. (BZ#113857)

  - the migrate_base.pl migration script did not handle     third level domains correctly, creating a second level     domain that could not be held by a database with a three     level base. This is now allowed by modifying the     migrate_base.pl script to generate only one domain.
    (BZ#104585)

a. Service Console update for NSS_db

   The service console package NSS_db is updated to version    nss_db-2.2-35.4.el5_5.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the name CVE-2010-0826 to this issue.

b. Service Console update for OpenLDAP

   The service console package OpenLDAP updated to version    2.3.43-12.el5.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the name CVE-2009-3767 to this issue.

c. Service Console update for cURL

   The service console packages for cURL updated to version    7.15.5-9.el5.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the name CVE-2010-0734 to this issue.

d. Service Console update for sudo

   The service console package sudo updated to version 1.7.2p1-7.el5_5.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the name CVE-2010-1646 to this issue.

e. Service Console update for OpenSSL, GnuTLS, NSS and NSPR

   Service Console updates for OpenSSL to version 097a-0.9.7a-9.el5_4.2    and version 0.9.8e-12.el5_4.6, GnuTLS to version 1.4.1-3.el5_4.8,    and NSS to version 3.12.6-1.3235.vmw and NSPR to version    4.8.4-1.3235.vmw. These four updates are bundled together due to    their mutual dependencies.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the names CVE-2009-3555, CVE-2009-2409, CVE-2009-3245    and CVE-2010-0433 to the issues addressed in this update.

Updated openldap packages that fix two security issues are now available for Red Hat Enterprise Linux 4.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

OpenLDAP is an open source suite of LDAP (Lightweight Directory Access Protocol) applications and development tools.

An uninitialized pointer use flaw was discovered in the way the slapd daemon handled modify relative distinguished name (modrdn) requests.
An authenticated user with privileges to perform modrdn operations could use this flaw to crash the slapd daemon via specially crafted modrdn requests. (CVE-2010-0211)

Red Hat would like to thank CERT-FI for responsibly reporting the CVE-2010-0211 flaw, who credit Ilkka Mattila and Tuomas Salomaki for the discovery of the issue.

A flaw was found in the way OpenLDAP handled NUL characters in the CommonName field of X.509 certificates. An attacker able to get a carefully-crafted certificate signed by a trusted Certificate Authority could trick applications using OpenLDAP libraries into accepting it by mistake, allowing the attacker to perform a man-in-the-middle attack. (CVE-2009-3767)

Users of OpenLDAP should upgrade to these updated packages, which contain backported patches to resolve these issues. After installing this update, the OpenLDAP daemons will be restarted automatically.

Fixed security issue CVE-2009-3767, F12 and 13 already contain the fix, since it has been fixed in openldap-2.4.18

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Updated openldap packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

OpenLDAP is an open source suite of LDAP (Lightweight Directory Access Protocol) applications and development tools.

A flaw was found in the way OpenLDAP handled NUL characters in the CommonName field of X.509 certificates. An attacker able to get a carefully-crafted certificate signed by a trusted Certificate Authority could trick applications using OpenLDAP libraries into accepting it by mistake, allowing the attacker to perform a man-in-the-middle attack. (CVE-2009-3767)

This update also fixes the following bugs :

* the ldap init script did not provide a way to alter system limits for the slapd daemon. A variable is now available in '/etc/sysconfig/ldap' for this option. (BZ#527313)

* applications that use the OpenLDAP libraries to contact a Microsoft Active Directory server could crash when a large number of network interfaces existed. This update implements locks in the OpenLDAP library code to resolve this issue. (BZ#510522)

* when slapd was configured to allow client certificates, approximately 90% of connections froze because of a large CA certificate file and slapd not checking the success of the SSL handshake. (BZ#509230)

* the OpenLDAP server would freeze for unknown reasons under high load. These packages add support for accepting incoming connections by new threads, resolving the issue. (BZ#507276)

* the compat-openldap libraries did not list dependencies on other libraries, causing programs that did not specifically specify the libraries to fail. Detection of the Application Binary Interface (ABI) in use on 64-bit systems has been added with this update. (BZ#503734)

* the OpenLDAP libraries caused applications to crash due to an unprocessed network timeout. A timeval of -1 is now passed when NULL is passed to LDAP. (BZ#495701)

* slapd could crash on a server under heavy load when using rwm overlay, caused by freeing non-allocated memory during operation cleanup. (BZ#495628)

* the ldap init script made a temporary script in '/tmp/' and attempted to execute it. Problems arose when '/tmp/' was mounted with the noexec option. The temporary script is no longer created.
(BZ#483356)

* the ldap init script always started slapd listening on ldap:/// even if instructed to listen only on ldaps:///. By correcting the init script, a user can now select which ports slapd should listen on.
(BZ#481003)

* the slapd manual page did not mention the supported options -V and
-o. (BZ#468206)

* slapd.conf had a commented-out option to load the syncprov.la module. Once un-commented, slapd crashed at start-up because the module had already been statically linked to OpenLDAP. This update removes 'moduleload syncprov.la' from slapd.conf, which resolves this issue. (BZ#466937)

* the migrate_automount.pl script produced output that was unsupported by autofs. This is corrected by updating the output LDIF format for automount records. (BZ#460331)

* the ldap init script uses the TERM signal followed by the KILL signal when shutting down slapd. Minimal delay between the two signals could cause the LDAP database to become corrupted if it had not finished saving its state. A delay between the signals has been added via the 'STOP_DELAY' option in '/etc/sysconfig/ldap'. (BZ#452064)

* the migrate_passwd.pl migration script had a problem when number fields contained only a zero. Such fields were considered to be empty, leading to the attribute not being set in the LDIF output. The condition in dump_shadow_attributes has been corrected to allow for the attributes to contain only a zero. (BZ#113857)

* the migrate_base.pl migration script did not handle third level domains correctly, creating a second level domain that could not be held by a database with a three level base. This is now allowed by modifying the migrate_base.pl script to generate only one domain.
(BZ#104585)

Users of OpenLDAP should upgrade to these updated packages, which resolve these issues.

It was discovered that OpenLDAP, a free implementation of the Lightweight Directory Access Protocol, when OpenSSL is used, does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.

A vulnerability was discovered and corrected in openldap :

libraries/libldap/tls_o.c in OpenLDAP, when OpenSSL is used, does not properly handle a '&#0;' (NUL) character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408 (CVE-2009-3767).

Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers.

The updated packages have been patched to correct this issue.

It was discovered that OpenLDAP did not correctly handle SSL certificates with zero bytes in the Common Name. A remote attacker could exploit this to perform a man in the middle attack to view sensitive information or alter encrypted communications.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
181087	Oracle Linux 5 : openldap (ELSA-2010-0198)	Nessus	Oracle Linux Local Security Checks	medium
89742	VMware ESX Multiple Vulnerabilities (VMSA-2010-0015) (remote check)	Nessus	VMware ESX Local Security Checks	critical
76331	GLSA-201406-36 : OpenLDAP: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	medium
73552	FreeBSD : OpenLDAP -- incorrect handling of NULL in certificate Common Name (abad20bf-c1b4-11e3-a5ac-001b21614864)	Nessus	FreeBSD Local Security Checks	medium
68065	Oracle Linux 4 : openldap (ELSA-2010-0543)	Nessus	Oracle Linux Local Security Checks	medium
60771	Scientific Linux Security Update : openldap on SL5.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	medium
49703	VMSA-2010-0015 : VMware ESX third-party updates for Service Console	Nessus	VMware ESX Local Security Checks	critical
47878	RHEL 4 : openldap (RHSA-2010:0543)	Nessus	Red Hat Local Security Checks	medium
47790	CentOS 4 : openldap (CESA-2010:0543)	Nessus	CentOS Local Security Checks	medium
47195	Fedora 11 : openldap-2.4.15-7.fc11 (2010-0752)	Nessus	Fedora Local Security Checks	medium
46284	RHEL 5 : openldap (RHSA-2010:0198)	Nessus	Red Hat Local Security Checks	medium
44808	Debian DSA-1943-1 : openldap openldap2.3 - insufficient input validation	Nessus	Debian Local Security Checks	medium
44321	Mandriva Linux Security Advisory : openldap (MDVSA-2010:026)	Nessus	Mandriva Local Security Checks	medium
42795	Ubuntu 6.06 LTS : openldap2.2 vulnerability (USN-858-1)	Nessus	Ubuntu Local Security Checks	medium

Detections

Analytics

CVE-2009-3767

medium

Tenable Plugins

medium

critical

medium

medium

medium

medium

critical

medium

medium

medium

medium

medium

medium

medium