SkipNavigation
Home | FAQ | Contact | Privacy Policy
US-CERT
American Flag
  Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information


 
 View Notes By
  Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric
 Other Documents
  Technical Alerts

Technical Bulletins

Alerts

Security Tips

Vulnerability Note VU#624713

IBM AIX "secldapclntd" daemon authentication vulnerability

Overview

A vulnerability in the secldapclntd daemon in IBM's AIX operating system could allow unauthorized remote users to modify accounts on the system.

I. Description

According to the IBM bulletin for this issue:

    "The secldapclntd daemon accepts requests from the LDAP load module, forwards requests to the LDAP server, and passes results from the server back to the LDAP loadmodule. The secldapclntd daemon uses an internet socket to communicate with the loadmodule. A remote user can craft a message to communicate with the daemon and gain unauthorized access to data or could potentially modify user accounts on the LDAP server."

This exposes a vulnerability in environments that use an LDAP (Lightweight Directory Access Protocol) database for user authentication.

II. Impact

A remote attacker can gain unauthorized access to data or modify user accounts on the system. It is unclear whether this vulnerability can be leveraged to gain root or other system-level access to the affected systems.

III. Solution

Apply a patch from the vendor


IBM has released patches to address this vulnerability; please see the vendor section of this document for further details.

Systems Affected

VendorStatusDate NotifiedDate Updated
IBMVulnerable24-Mar-2003

References


http://www-1.ibm.com/services/continuity/recover1.nsf/4699c03b46f2d4f68525678c006d45ae/85256a3400529a8685256cde0008ddde?OpenDocument
http://www-1.ibm.com/support/docview.wss?uid=isg1IY40157
http://securitytracker.com/alerts/2003/Mar/1006192.html
http://www.ietf.org/rfc/rfc3377.txt

Credit

This issue was discovered by Tom Lu of IBM's AIX Security Team.

This document was written by Chad R Dougherty.

Other Information

Date Public:2003-02-21
Date First Published:2003-04-02
Date Last Updated:2003-04-17
CERT Advisory: 
CVE-ID(s):CAN-2003-0119
NVD-ID(s):CAN-2003-0119
US-CERT Technical Alerts: 
Metric:15.82
Document Revision:7

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Page Corner Image
Copyright 2003 Carnegie Mellon University
Disclaimers and copyright information
Get Adobe Reader Get Adobe Reader