July 17, 2001

CERT advisory for LDAP

Author: JT Smith

CERT has issued an advisory covering several implementations of the Lightweight Directory Access Protocol (LDAP). Some implementations of the protocol contain vulnerabilities that could allow denial-of-service attacks and other nasty activity. Read on for the full advisory.
                 Date: Tue, 17 Jul 2001 00:41:46 -0400 (EDT)
                 From: CERT Advisory 
                 Organization: CERT(R) Coordination Center - +1 412-268-7090
                 Subject: CERT Advisory CA-2001-18


                 -----BEGIN PGP SIGNED MESSAGE-----

                 CERT Advisory CA-2001-18 Multiple Vulnerabilities in Several
                 Implementations of the Lightweight Directory Access Protocol (LDAP)

                    Original release date: July 16, 2001
                    Last revised: --
                    Source: CERT/CC

                    A complete revision history can be found at the end of this file.

                 Systems Affected

                      * iPlanet Directory Server, version 5.0 Beta and versions up to and
                        including 4.13
                      * Certain versions of IBM SecureWay running under Solaris and
                        Windows 2000
                      * Lotus Domino R5 Servers (Enterprise, Application, and Mail), prior
                        to 5.0.7a
                      * Teamware Office for Windows NT and Solaris, prior to version
                        5.3ed1
                      * Qualcomm Eudora WorldMail for Windows NT, version 2
                      * Microsoft Exchange 5.5 LDAP Service (Hotfix pending)
                      * Network Associates PGP Keyserver 7.0, prior to Hotfix 2
                      * Oracle 8i Enterprise Edition
                      * OpenLDAP, 1.x prior to 1.2.12 and 2.x prior to 2.0.8

                 Overview

                    Several implementations of the Lightweight Directory Access Protocol
                    (LDAP) protocol contain vulnerabilities that may allow
                    denial-of-service attacks, unauthorized privileged access, or both. If
                    your site uses any of the products listed in this advisory, the CERT/CC
                    encourages you to follow the advice provided in the Solution section
                    below.

                 I. Description

                    The LDAP protocol provides access to directories that support the X.500
                    directory semantics without requiring the additional resources of
                    X.500. A directory is a collection of information such as names,
                    addresses, access control lists, and cryptographic certificates.
                    Because LDAP servers are widely used in maintaining corporate contact
                    information and providing authentication services, any threats to their
                    integrity or stability can jeopardize the security of an organization.

                    To test the security of protocols like LDAP, the PROTOS project
                    presents a server with a wide variety of sample packets containing
                    unexpected values or illegally formatted data. This approach may reveal
                    vulnerabilities that would not manifest themselves under normal
                    conditions. As a member of the PROTOS project consortium, the Oulu
                    University Secure Programming Group (OUSPG) co-developed and
                    subsequently used the PROTOS LDAPv3 test suite to study several
                    implementations of the LDAP protocol.

                    The PROTOS LDAPv3 test suite is divided into two main sections: the
                    "Encoding" section, which tests an LDAP server's response to packets
                    that violate the Basic Encoding Rules (BER), and the "Application"
                    section, which tests an LDAP server's response to packets that trigger
                    LDAP-specific application anomalies. Each section is further divided
                    into "groups" that collectively exercise a particular encoding or
                    application feature. Finally, each group contains one or more "test
                    cases," which represent the network packets that are used to test
                    individual exceptional conditions.

                    By applying the PROTOS LDAPv3 test suite to a variety of popular
                    LDAP-enabled products, the OUSPG revealed the following
                    vulnerabilities:

                    VU#276944 - iPlanet Directory Server contains multiple vulnerabilities
                    in LDAP handling code
                     
                        The iPlanet Directory Server contains multiple vulnerabilities in
                        the code that processes LDAP requests.
                     
                        In the encoding section of the test suite, this product had an
                        indeterminate number of failures in the group that tests invalid
                        BER length of length fields.
                     
                        In the application section of the test suite, this product failed
                        four groups and had inconclusive results for an additional five
                        groups. The four failed groups indicate the presence of buffer
                        overflow vulnerabilities. For the inconclusive groups, the product
                        exhibited suspicious behavior while testing for format string
                        vulnerabilities.
                     
                    VU#505564 - IBM SecureWay Directory is vulnerable to denial-of-service
                    attacks via LDAP handling code
                     
                        The IBM SecureWay Directory server contains one or more
                        vulnerabilities in the code that processes LDAP requests. These
                        vulnerabilities were discovered independently by IBM using the
                        PROTOS LDAPv3 test suite. The CERT/CC is not currently aware of the
                        nature of these vulnerabilities.
                     
                    VU#583184 - Lotus Domino R5 Server Family contains multiple
                    vulnerabilities in LDAP handling code
                     
                        The Lotus Domino R5 Server Family (including the Enterprise,
                        Application, and Mail servers) contains multiple vulnerabilities in
                        the code that processes LDAP requests.
                     
                        In the encoding section of the test suite, this product failed 1 of
                        77 groups. The failed group tests a server's response to
                        miscellaneous packets with semi-valid BER encodings.
                     
                        In the application section of the test suite, this product failed
                        23 of 77 groups. These results suggest that both buffer overflow
                        and format string vulnerabilities are likely to be present in a
                        variety of application components.
                     
                    VU#688960 - Teamware Office contains multiple vulnerabilities in LDAP
                    handling code
                     
                        The Teamware Office suite is packaged with a combination X.500/LDAP
                        server that provides directory services. Multiple versions of the
                        Office product contain vulnerabilities that cause the LDAP server
                        to crash in response to traffic sent by the PROTOS LDAPv3 test
                        suite.
                     
                        In the encoding section of the test suite, this product failed 9 of
                        16 groups involving invalid encodings for several BER object types.
                     
                        In the application section of the test suite, this product failed 4
                        of 32 groups. The remaining 45 groups were not exercised during the
                        test runs. The four failed groups indicate the presence of buffer
                        overflow vulnerabilities.
                     
                    VU#717380 - Potential vulnerabilities in Qualcomm Eudora WorldMail
                    Server LDAP handling code
                     
                        While investigating the vulnerabilities reported by OUSPG, it was
                        brought to our attention that the Eudora WorldMail Server may
                        contain vulnerabilities that can be triggered via the PROTOS test
                        suite. The CERT/CC has reported this possibility to Qualcomm and an
                        investigation is pending.
                     
                    VU#763400 - Microsoft Exchange 5.5 LDAP Service is vulnerable to
                    denial-of-service attacks
                     
                        The Microsoft Exchange 5.5 LDAP Service contains a vulnerability
                        that causes the LDAP server to freeze in response to malformed LDAP
                        requests generated by the PROTOS test suite. This only affects the
                        LDAP service; all other Exchange services, including mail handling,
                        continue normally.
                     
                        Although this product was not included in OUSPG's initial testing,
                        subsequent informal testing revealed that the LDAP service of the
                        Microsoft Exchange 5.5 became unresponsive while processing test
                        cases containing exceptional BER encodings for the LDAP filter type
                        field.
                     
                    VU#765256 - Network Associates PGP Keyserver contains multiple
                    vulnerabilities in LDAP handling code
                     
                        The Network Associates PGP Keyserver 7.0 contains multiple
                        vulnerabilities in the code that processes LDAP requests.
                     
                        In the encoding section of the test suite, this product failed 12
                        of 16 groups.
                     
                        In the application section of the test suite, this product failed 1
                        of 77 groups. The failed group focused on out-of-bounds integer
                        values for the messageID parameter. Due to a peculiarity of this
                        test group, this failure may actually represent an encoding
                        failure.
                     
                    VU#869184 - Oracle 8i Enterprise Edition contains multiple
                    vulnerabilities in LDAP handling code
                     
                        The Oracle 8i Enterprise Edition server contains multiple
                        vulnerabilities in the code used to process LDAP requests.
                     
                        In the encoding section of the test suite, this product failed an
                        indeterminate number of test cases in the group that tests a
                        server's response to invalid encodings of BER OBJECT-IDENTIFIER
                        values.
                     
                        In the application section of the test suite, this product failed
                        46 of 77 groups. These results suggest that both buffer overflow
                        and format string vulnerabilities are likely to be present in a
                        variety of application components.
                     
                    VU#935800 - Multiple versions of OpenLDAP are vulnerable to
                    denial-of-service attacks

                        There are multiple vulnerabilities in the OpenLDAP implementations
                        of the LDAP protocol. These vulnerabilities exist in the code that
                        translates network datagrams into application-specific information.
                     
                        In the encoding section of the test suite, this product failed the
                        group that tests the handling of invalid BER length of length
                        fields.
                     
                        In the application section of the test suite, this product passed
                        all 6685 test cases.
                     
                 Additional Information

                    For the most up-to-date information regarding these vulnerabilities,
                    please visit the CERT/CC Vulnerability Notes Database at:

                           http://www.kb.cert.org/vuls/

                    Please note that the test results summarized above should not be
                    interpreted as a statement of overall software quality. However, the
                    CERT/CC does believe that these results are useful in describing the
                    characteristics of these vulnerabilities. For example, an application
                    that fails multiple groups indicates that problems exist in different
                    areas of the code, rather than in a specific code segment.

                 II. Impact

                    VU#276944 - iPlanet Directory Server contains multiple vulnerabilities
                    in LDAP handling code

                        One or more of these vulnerabilities allow a remote attacker to
                        execute arbitrary code with the privileges of the Directory Server.
                        The server typically runs with system privileges. At least one of
                        these vulnerabilities has been successfully exploited in a
                        laboratory environment under Windows NT 4.0, but they may affect
                        other platforms as well.

                    VU#505564 - IBM SecureWay Directory is vulnerable to denial-of-service
                    attacks via LDAP handling code

                        These vulnerabilities allow a remote attacker to crash affected
                        SecureWay Directory servers, resulting in a denial-of-service
                        condition. It is not known at this time whether these
                        vulnerabilities will allow a remote attacker to execute arbitrary
                        code. These vulnerabilities exist on the Solaris and Windows 2000
                        platforms but are not present under Windows NT, AIX, and AIX with
                        SSL.

                    VU#583184 - Lotus Domino R5 Server Family contains multiple
                    vulnerabilities in LDAP handling code

                        One or more of these vulnerabilities allow a remote attacker to
                        execute arbitrary code with the privileges of the Domino
                        server. The server typically runs with system privileges. At least
                        one of these vulnerabilities has been successfully exploited in a
                        laboratory environment.

                    VU#688960 - Teamware Office contains multiple vulnerabilities in LDAP
                    handling code

                        These vulnerabilities allow a remote attacker to crash affected
                        Teamware LDAP servers, resulting in a denial-of-service condition.
                        They may also allow a remote attacker to execute arbitrary code
                        with the privileges of the Teamware server. The server typically
                        runs with system privileges.

                    VU#717380 - Potential vulnerabilities in Qualcomm Eudora WorldMail
                    Server LDAP handling code

                        The CERT/CC has not yet determined the impact of this vulnerability. 

                    VU#763400 - Microsoft Exchange 5.5 LDAP Service is vulnerable to
                    denial-of-service attacks

                        This vulnerability allows a remote attacker to crash the LDAP
                        component of vulnerable Exchange 5.5 servers, resulting in a
                        denial-of-service condition within the LDAP component.

                    VU#765256 - Network Associates PGP Keyserver contains multiple
                    vulnerabilities in LDAP handling code

                        One or more of these vulnerabilities allow a remote attacker to
                        execute arbitrary code with the privileges of the Keyserver. The
                        server typically runs with system privileges. At least one of these
                        vulnerabilities has been successfully exploited in a laboratory
                        environment.

                    VU#869184 - Oracle 8i Enterprise Edition contains multiple
                    vulnerabilities in LDAP handling code

                        One or more of these vulnerabilities allow a remote attacker to
                        execute arbitrary code with the privileges of the Oracle
                        server. The server typically runs with system privileges. At least
                        one of these vulnerabilities has been successfully exploited in a
                        laboratory environment.

                    VU#935800 - Multiple versions of OpenLDAP are vulnerable to
                    denial-of-service attacks

                        These vulnerabilities allow a remote attacker to crash affected
                        OpenLDAP servers, resulting in a denial-of-service condition.

                 III. Solution

                 Apply a patch from your vendor

                    Appendix A contains information provided by vendors for this advisory.
                    Please consult this appendix to determine if you need to contact your
                    vendor directly.

                 Block access to directory services at network perimeter

                    As a temporary measure, it is possible to limit the scope of these
                    vulnerabilities by blocking access to directory services at the
                    network perimeter. Please note that this workaround does not protect
                    vulnerable products from internal attacks.

                        ldap    389/tcp     # Lightweight Directory Access Protocol
                        ldap    389/udp     # Lightweight Directory Access Protocol
                        ldaps   636/tcp     # ldap protocol over TLS/SSL (was sldap)
                        ldaps   636/udp     # ldap protocol over TLS/SSL (was sldap)

                 Appendix A. - Vendor Information

                    This appendix contains information provided by vendors for this
                    advisory. As vendors report new information to the CERT/CC, we will
                    update this section and note the changes in our revision history. If a
                    particular vendor is not listed below, we have not received their
                    comments.

                 IBM Corporation

                    IBM and Tivoli are currently investigating the details of the
                    vulnerabilities in the various versions of the SecureWay product
                    family.

                    Fixes are being implemented as these details become known.

                    Fixes will be posted to the download sites (IBM or Tivoli) for the
                    affected platform. See http://www-1.ibm.com/support under "Server
                    Downloads" or "Software Downloads" for links to the fix distribution
                    sites.

                 iPlanet E-Commerce Solutions

                    [CERT/CC Addendum: These vulnerabilities were originally discovered in
                    Directory Server 5.0 Beta and were later found to exist in versions up
                    to and including version 4.13. These vulnerabilities have been
                    addressed in the released version of Directory Server 5.0.]

                 Lotus Development Corporation

                    Lotus reproduced the problem as reported by OUSPG and documented it in
                    SPR#DWUU4W6NC8.

                    Lotus considers security issues as top priority, so we acted quickly
                    to resolve the problem in a maintenance update to Domino. It was
                    addressed in Domino R5.0.7a, which was released on May 18th, 2001.
                    This release can be downloaded from Notes.net at

                           http://www.notes.net/qmrdown.nsf/qmrwelcome.

                    The fix is documented in the fix list at

                           http://www.notes.net/r5fixlist.nsf/Search!SearchView&Query=DWUU
                           4W6NC8

                 Microsoft Corporation

                    Microsoft is developing a hotfix for this issue which will be
                    available shortly.

                    Customers can obtain this hotfix by contacting Product Support
                    Services at no charge and asking for Q303448 and Q303450. Information
                    on contacting Microsoft Product Support Services can be found at

                           http://www.microsoft.com/support/

                 Network Associates, Inc.

                    Network Associates has resolved these vulnerabilities in Hotfix 2 for
                    both Solaris and Windows NT. All Network Associates Enterprise Support
                    customers have been notified and have been provided access to the
                    Hotfix.

                    This Hotfix can be downloaded at

                           http://www.pgp.com/downloads/default.asp

                 The OpenLDAP Project

                    [CERT/CC Addendum: To address these vulnerabilities, the OpenLDAP
                    Project has released OpenLDAP 1.2.12 for use in LDAPv2 environments
                    and OpenLDAP 2.0.8 for use in LDAPv3 environments. The CERT/CC
                    recommends that users of OpenLDAP contact their software vendor or
                    obtain the latest version, available at
                    http://www.openLDAP.org/software/download/.]

                 QUALCOMM Incorporated

                    The LDAP service in WorldMail may be vulnerable to this exploit, but
                    our tests so far have been inconclusive. At this time, we strongly
                    urge all WorldMail customers to ensure that the LDAP service is not
                    accessible from outside their organization nor by untrusted users.

                 The Teamware Group

                    An issue has been discovered with Teamware Office Enterprise Directory
                    (LDAP server) that shows a abnormal termination or loop when the LDAP
                    server encounters a maliciously or incorrectly created LDAP request
                    data.

                    If the maliciously formatted LDAP request data is requested, the LDAP
                    server may excessively copy the LDAP request data to the stack area.

                    This overflow is likely to cause execution of malicious code. In other
                    case, the LDAP server may go into abnormal termination or infinite
                    loop.

                    [CERT/CC Addendum: Teamware has provided additional documentation of
                    these issues in their "Teamware Solution Database," available at
                    http://support.teamw.com/Online/s_database1.shtml. Registered users
                    can find information on these vulnerabilities by searching for
                    document #010703-0000 for Windows NT or document #010703-0001 for
                    Solaris.]

                 Appendix B. - Supplemental Information

                 The PROTOS Project

                    The PROTOS project is a research partnership between the University of
                    Oulu and VTT Electronics, an independent research organization owned
                    by the Finnish government. The project studies methods by which

                    protocol implementations can be tested for information security
                    defects.

                    Although the vulnerabilities discussed in this advisory relate
                    specifically to the LDAP protocol, the methodology used to research,
                    develop, and deploy the PROTOS LDAPv3 test suite can be applied to any
                    communications protocol.

                    For more information on the PROTOS project and its collection of test
                    suites, please visit

                           http://www.ee.oulu.fi/research/ouspg/protos/

                 ASN.1 and the BER

                    Abstract Syntax Notation One (ASN.1) is a flexible notation that
                    allows one to define a variety data types. The Basic Encoding Rules
                    (BER) describe how to represent or encode the values of each ASN.1
                    type as a string of octets. This allow programmers to encode and
                    decode data for platform-independent transmission over a network.

                 References

                    The following is a list of URLs referenced in this advisory as well as
                    other useful sources of information:

                           http://www.cert.org/advisories/CA-2001-18.html
                           http://www.ietf.org/rfc/rfc2116.txt
                           http://www.ietf.org/rfc/rfc2251.txt
                           http://www.ietf.org/rfc/rfc2252.txt
                           http://www.ietf.org/rfc/rfc2253.txt
                           http://www.ietf.org/rfc/rfc2254.txt
                           http://www.ietf.org/rfc/rfc2255.txt
                           http://www.ietf.org/rfc/rfc2256.txt
                           http://www.ee.oulu.fi/research/ouspg/protos/
                           http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/ldapv3/
                           http://www.kb.cert.org/vuls/
                           http://www.kb.cert.org/vuls/id/276944
                           http://www.kb.cert.org/vuls/id/505564
                           http://www.kb.cert.org/vuls/id/583184
                           http://www.kb.cert.org/vuls/id/688960
                           http://www.kb.cert.org/vuls/id/717380
                           http://www.kb.cert.org/vuls/id/763400
                           http://www.kb.cert.org/vuls/id/765256
                           http://www.kb.cert.org/vuls/id/869184
                           http://www.kb.cert.org/vuls/id/935800
                      _______________________________________________________________

                    The CERT Coordination Center thanks the Oulu University Secure
                    Programming Group for reporting these vulnerabilities to us, for their
                    detailed technical analyses, and for their assistance in preparing
                    this advisory. We also thank the many vendors who provided feedback
                    regarding their respective vulnerabilities.
                      _______________________________________________________________

                    Authors: Jeffrey P. Lanza and Cory F. Cohen. Feedback on this advisory
                    is greatly appreciated.
                    ____________________________________________________________________

                    This document is available from:
                    http://www.cert.org/advisories/CA-2001-18.html
                    ____________________________________________________________________

                 CERT/CC Contact Information

                    Email: cert@cert.org
                           Phone: +1 412-268-7090 (24-hour hotline)
                           Fax: +1 412-268-6989
                           Postal address:
                           CERT Coordination Center
                           Software Engineering Institute
                           Carnegie Mellon University
                           Pittsburgh PA 15213-3890
                           U.S.A.

                    CERT personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4)
                    Monday through Friday; they are on call for emergencies during other
                    hours, on U.S. holidays, and on weekends.

                 Using encryption

                    We strongly urge you to encrypt sensitive information sent by email.
                    Our public PGP key is available from

                    http://www.cert.org/CERT_PGP.key

                    If you prefer to use DES, please call the CERT hotline for more
                    information.

                 Getting security information

                    CERT publications and other security information are available from

                    our web site

                    http://www.cert.org/

                    To subscribe to the CERT mailing list for advisories and bulletins,
                    send email to majordomo@cert.org. Please include in the body of your
                    message

                    subscribe cert-advisory

                    * "CERT" and "CERT Coordination Center" are registered in the U.S.
                    Patent and Trademark Office.
                    ____________________________________________________________________

                    NO WARRANTY
                    Any material furnished by Carnegie Mellon University and the Software
                    Engineering Institute is furnished on an "as is" basis. Carnegie
                    Mellon University makes no warranties of any kind, either expressed or
                    implied as to any matter including, but not limited to, warranty of
                    fitness for a particular purpose or merchantability, exclusivity or
                    results obtained from use of the material. Carnegie Mellon University
                    does not make any warranty of any kind with respect to freedom from
                    patent, trademark, or copyright infringement.
                      _______________________________________________________________

                    Conditions for use, disclaimers, and sponsorship information

                    Copyright 2001 Carnegie Mellon University.

                    Revision History
                 Jul 16, 2001: Initial release

Category:

  • Linux
Click Here!