Bug 355333 (CVE-2011-1024) - <net-nds/openldap-2.4.24: security bypass (CVE-2011-{1024,1025,1081})
Summary: <net-nds/openldap-2.4.24: security bypass (CVE-2011-{1024,1025,1081})
Status: RESOLVED FIXED
Alias: CVE-2011-1024
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://secunia.com/advisories/43331/
Whiteboard: B3 [glsa]
Reported: 2011-02-17 15:50 UTC by Paweł Hajdan, Jr. (RETIRED)
Modified: 2014-07-01 00:22 UTC
Description Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-02-17 15:50:39 UTC
Two vulnerabilities have been reported in OpenLDAP, which can be exploited by malicious people to bypass certain security restrictions.

1) An error in the "back-ldap" component when a slave server forwards password failures to a master server can be exploited to successfully authenticate with an invalid password.

Successful exploitation of this vulnerability requires a master and slave configuration with the "ppolicy_forward_updates" option.

2) An error in the "back-ndb" component when handling authentication for a "rootdn" Distinguished Name (DN) can be exploited to perform arbitrary actions (e.g. searching or updating) without a valid password.

Successful exploitation of this vulnerability requires knowing the "rootdn" value as configured in the slapd.conf file.

The vulnerabilities are reported in versions prior to 2.4.24.
Comment 1 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2011-02-18 02:21:01 UTC
ebuild added now.
Comment 2 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-02-18 06:47:31 UTC
Thank you. Arches, please stabilize =net-nds/openldap-2.4.24
Comment 3 Alex Buell 2011-02-19 15:02:14 UTC
Tested on SPARC, all tests passed. Please stabilise. 
Comment 4 Jeroen Roovers gentoo-dev 2011-02-19 15:08:28 UTC
Thanks Alex. Stable for HPPA SPARC.
Comment 5 Markos Chandras (RETIRED) gentoo-dev 2011-02-19 17:39:06 UTC
I think the two blocking bugs are not as important as the security fix that the new release brings. So amd64 done. The maintainer can fix the QA problems a bit later.
Comment 6 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-02-19 17:42:10 UTC
ppc/ppc64 stable
Comment 7 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-02-20 12:06:47 UTC
x86 stable, agreed minor QA issues shouldn't block security stabilization
Comment 8 Tim Sammut (RETIRED) gentoo-dev 2011-02-26 16:41:41 UTC
CVE assignment per http://www.openwall.com/lists/oss-security/2011/02/25/13:

> http://www.openldap.org/its/index.cgi/Software%20Bugs?id=6607
CVE-2011-1024 openldap forwarded bind failure messages cause success

> http://www.openldap.org/its/index.cgi/Software%20Bugs?id=6661
CVE-2011-1025 openldap rootpw is not verified with slapd.conf
Comment 9 Raúl Porcel (RETIRED) gentoo-dev 2011-02-26 16:45:07 UTC
alpha/arm/ia64/s390/sh stable
Comment 10 Tim Sammut (RETIRED) gentoo-dev 2011-02-26 16:46:20 UTC
Thanks, folks.

GLSA Vote: yes.
Comment 11 Tim Sammut (RETIRED) gentoo-dev 2011-03-02 07:00:11 UTC
Looks like http://www.openldap.org/its/index.cgi/Software%20Bugs?id=6768 was also fixed here. This is CVE-2011-1081 per http://www.openwall.com/lists/oss-security/2011/03/01/15.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2011-06-13 23:10:53 UTC
CVE-2011-1081 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1081):
  modrdn.c in slapd in OpenLDAP 2.4.x before 2.4.24 allows remote attackers to
  cause a denial of service (daemon crash) via a relative Distinguished Name
  (DN) modification request (aka MODRDN operation) that contains an empty
  value for the OldDN field.

CVE-2011-1025 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1025):
  bind.cpp in back-ndb in OpenLDAP 2.4.x before 2.4.24 does not require
  authentication for the root Distinguished Name (DN), which allows remote
  attackers to bypass intended access restrictions via an arbitrary password.

CVE-2011-1024 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1024):
  chain.c in back-ldap in OpenLDAP 2.4.x before 2.4.24, when a master-slave
  configuration with a chain overlay and ppolicy_forward_updates (aka
  authentication-failure forwarding) is used, allows remote authenticated
  users to bypass external-program authentication by sending an invalid
  password to a slave server.
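
Added example, not part of the bug report and not OpenLDAP or Gentoo code: a small audit that reads a `slapd.conf` and reports which of the three CVEs' preconditions, as stated in the description and CVE entries above, are present for a given installed version. The function names and the sample configuration are constructed for illustration; `cn=config` (slapd.d) deployments are not handled.

```python
import re

FIXED = (2, 4, 24)  # first fixed release named in this bug

def directives(conf):
    """Yield (section, tokens) for each logical slapd.conf line."""
    logical = []
    for raw in conf.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace() and logical:   # leading whitespace = continuation
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    section = "global"
    for line in logical:
        if line.startswith("#"):
            continue
        tok = line.split()
        tok[0] = tok[0].lower()
        if tok[0] == "database" and len(tok) > 1:
            section = tok[1].lower()
        yield section, tok

def audit(conf, version):
    """Return CVE ids whose preconditions (as stated in the bug) are met."""
    ver = tuple(int(n) for n in re.findall(r"\d+", version)[:3])
    if ver[:2] != (2, 4) or ver >= FIXED:
        return set()   # outside the 2.4.x < 2.4.24 range the CVE text covers
    found = {"CVE-2011-1081"}   # MODRDN crash: no config precondition listed
    chain = forward = False
    for section, tok in directives(conf):
        if section == "ndb" and tok[0] == "rootdn":
            found.add("CVE-2011-1025")
        chain |= tok[0] == "overlay" and tok[1:2] == ["chain"]
        forward |= tok[0] == "ppolicy_forward_updates"
    if chain and forward:
        found.add("CVE-2011-1024")
    return found

# Constructed sample configuration (hostnames and DNs are placeholders).
SAMPLE = '''\
overlay chain
chain-uri "ldap://master.example.org"
database ndb
suffix "dc=example,dc=org"
rootdn
  "cn=admin,dc=example,dc=org"
overlay ppolicy
ppolicy_forward_updates
'''

if __name__ == "__main__":
    print(sorted(audit(SAMPLE, "2.4.23")))
```

An empty result for a version outside 2.4.x means only that the CVE text quoted here does not cover it, not that the build was checked.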
Comment 13 Agostino Sarubbo gentoo-dev 2011-09-26 09:52:26 UTC
@ldap-bugs

Please remove vulnerable version from the tree.
Comment 14 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2011-09-26 09:54:52 UTC
No. We still support the 2.3 series for users that cannot migrate to 2.4 (mainly if they are still using slurpd replication).
Comment 15 Stefan Behte (RETIRED) gentoo-dev Security 2011-10-08 22:07:29 UTC
Vote: YES. Added to pending GLSA request.
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2014-07-01 00:22:04 UTC
This issue was resolved and addressed in
 GLSA 201406-36 at http://security.gentoo.org/glsa/glsa-201406-36.xml
by GLSA coordinator Yury German (BlueKnight).