search menu icon-carat-right cmu-wordmark

CERT Coordination Center

pam_ldap authentication bypass vulnerability

Vulnerability Note VU#778916

Original Release Date: 2005-08-24 | Last Revised: 2005-11-02

Overview

An error in the pam_ldap password policy control may allow a remote attacker to gain access to a system.

Description

pam_ldap provides LDAP authentication services for UNIX-based systems. A vulnerability in pam_ldap may allow a remote attacker to bypass the authentication mechanism. If a pam_ldap client attempts to authenticate against an LDAP server that omits the optional error value from the PasswordPolicyResponseValue, the authentication attempt will always succeed.

Note that this vulnerability affects all versions of pam_ldap since version pam_ldap-169. However, if the underlying LDAP client library does not support LDAP version 3 controls, then this vulnerability is not present.

Impact

An unauthenticated, remote attacker may be able to bypass the pam_ldap authentication mechanism and gain access to a system, possibly with elevated privileges.

Solution

Upgrade pam_ldap

This vulnerability was corrected in pam_ldap-180.

Vendor Information

778916
 
Affected   Unknown   Unaffected

Debian Linux

Notified:  August 19, 2005 Updated:  August 25, 2005

Status

  Vulnerable

Vendor Statement

Debian GNU/Linux is vulnerable to this problem. The old stable distribution (woody) is not affected by this problem. For the stable distribution (sarge) this problem has been fixed in version 178-1sarge1. For the unstable distribution (sid) this problem has been fixed in version 178-1sarge1. This is DSA 785-1.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

PADL

Notified:  August 16, 2005 Updated:  August 25, 2005

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

From padl-180 changelog:

"when handling new password policy control, only fall through to account management module if a policy error was returned (CERT VU#778916)."

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Red Hat, Inc.

Notified:  August 19, 2005 Updated:  November 02, 2005

Status

  Vulnerable

Vendor Statement

This issue did not affect Red Hat Enterprise Linux 2.1, or 3.

Updated nss_ldap packages for Red Hat Enterprise Linux 4 to correct this
issue are available at the URL below and by using the Red Hat Network
'up2date' tool.

http://rhn.redhat.com/errata/CVE-2005-2641.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Apple Computer, Inc.

Notified:  August 19, 2005 Updated:  October 10, 2005

Status

  Not Vulnerable

Vendor Statement

Mac OS X does not ship with pam_ldap.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Hewlett-Packard Company

Notified:  August 19, 2005 Updated:  August 31, 2005

Status

  Not Vulnerable

Vendor Statement

HP-UX, HP Tru64 and HP OpenVMS are not vulnerable to this report.

To report potential security vulnerabilities in HP software, send an E-mail message to: security-alert@hp.com

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Hitachi

Updated:  September 15, 2005

Status

  Not Vulnerable

Vendor Statement

Hitachi Directory Server is NOT Vulnerable to this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Microsoft Corporation

Notified:  August 19, 2005 Updated:  September 28, 2005

Status

  Not Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Openwall GNU/*/Linux

Notified:  August 19, 2005 Updated:  September 06, 2005

Status

  Not Vulnerable

Vendor Statement

Openwall GNU/*/Linux is not vulnerable. We do not package pam_ldap.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Oracle Corporation

Notified:  August 19, 2005 Updated:  September 06, 2005

Status

  Not Vulnerable

Vendor Statement

Oracle does not ship pam_ldap with our OID product.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

SUSE Linux

Notified:  August 19, 2005 Updated:  August 22, 2005

Status

  Not Vulnerable

Vendor Statement

SUSE products are not vulnerable to the pam_ldap vulnerability described in VU#778916.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Sun Microsystems, Inc.

Notified:  August 19, 2005 Updated:  September 02, 2005

Status

  Not Vulnerable

Vendor Statement

Sun can confirm that Solaris is not affected by this issue. Solaris does not ship the PADL pam_ldap module or use any of the PADL code in the Solaris shipped pam_ldap(5) PAM module. Sun's Linux OS, which is part of the Java Desktop System (JDS) for Linux does not ship pam_ldap.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Computer Associates

Notified:  August 19, 2005 Updated:  August 19, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Engarde Secure Linux

Notified:  August 19, 2005 Updated:  August 19, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

IBM Corporation

Notified:  August 19, 2005 Updated:  August 19, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

IBM Corporation (zseries)

Notified:  August 19, 2005 Updated:  August 19, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

IBM eServer

Notified:  August 19, 2005 Updated:  August 19, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Immunix Communications, Inc.

Notified:  August 19, 2005 Updated:  August 19, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Ingrian Networks, Inc.

Notified:  August 19, 2005 Updated:  August 19, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Lotus Software

Notified:  August 19, 2005 Updated:  August 19, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Mandriva, Inc.

Notified:  August 19, 2005 Updated:  August 19, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Mandriva, Inc.

Notified:  August 19, 2005 Updated:  August 19, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Mirapoint, Inc.

Notified:  August 19, 2005 Updated:  August 19, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

MontaVista Software, Inc.

Notified:  August 19, 2005 Updated:  August 19, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Netscape Communications Corporation

Notified:  August 19, 2005 Updated:  August 19, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Novell, Inc.

Notified:  August 19, 2005 Updated:  August 19, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

OctetString, Inc.

Notified:  August 19, 2005 Updated:  August 19, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

OpenLDAP

Notified:  August 19, 2005 Updated:  August 19, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

QUALCOMM Incorporated

Notified:  August 19, 2005 Updated:  August 19, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Sequent Computer Systems, Inc.

Notified:  August 19, 2005 Updated:  August 19, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

The SCO Group (SCO Linux)

Notified:  August 19, 2005 Updated:  August 19, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

The Teamware Group

Notified:  August 19, 2005 Updated:  August 19, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Turbolinux

Notified:  August 19, 2005 Updated:  August 19, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Credit

This vulnerability was reported by Luke Howard of PADL

This document was written by Jeff Gennari.

Other Information

CVE IDs: CVE-2005-2641
Severity Metric: 8.15
Date Public: 2005-08-24
Date First Published: 2005-08-24
Date Last Updated: 2005-11-02 17:47 UTC
Document Revision: 54

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.