-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

    ESB-2006.0274 -- [Solaris] Security Vulnerability in LDAP2 Client Commands
                              20 April 2006

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           idsconfig
Publisher:         Sun Microsystems
Operating System:  Solaris 8, 9
Impact:            Access Privileged Data
Access:            Existing Account

Original Bulletin:
  http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-26-102113-1

- --------------------------BEGIN INCLUDED TEXT--------------------

Sun(sm) Alert Notification

    * Sun Alert ID: 102113
    * Synopsis: Security Vulnerability in LDAP2 Client Commands
    * Category: Security, Availability
    * Product: Solaris 9 Operating System, Solaris 8 Operating System
    * BugIDs: 4701755, 4701811
    * Avoidance: Patch, Workaround
    * State: Resolved
    * Date Released: 11-Apr-2006
    * Date Closed: 11-Apr-2006
    * Date Modified:

1. Impact

Local unprivileged users may discover the Directory Server root
Distinguished Name (rootDN) password if a privileged user uses the
idsconfig(1M) command. The rootDN password may also be observed if a
privileged user runs any of the following LDAP commands insecurely (for
example with the bind password supplied on the command line through the
-w option; see section 5):

    * ldapadd(1)
    * ldapdelete(1)
    * ldapmodify(1)
    * ldapmodrdn(1)
    * ldapsearch(1)

The rootDN password may then be used to add, change, delete and search
records within the Directory Server.

Sun acknowledges, with thanks, Michael Gerdts for bringing these issues
to our attention.

2. Contributing Factors

These issues can occur in the following releases:

SPARC Platform
    * Solaris 8 with patch 108993-14 through 108993-50 and without
      patch 108993-51
    * Solaris 9 without patches 115677-02 and 121321-01

x86 Platform
    * Solaris 8 with patch 108994-14 through 108994-50 and without
      patch 108994-51
    * Solaris 9 without patches 115678-02 and 121322-01

Note: Solaris 10 is not impacted by these issues.

3. Symptoms

Directory Server access logs may show unexpected connections made using
the Directory Server rootDN which are not associated with the activities
of trusted LDAP administrators.

The Directory Server access log location is dependent on the Directory
Server. The Sun Java System Directory Server 5.0 or greater may be
queried using ldapsearch(1) for the location of the access log. For
example:

    $ ldapsearch -D "cn=Directory Manager" \
    > -b cn=config -s base cn=config nsslapd-accesslog
    Enter bind password: <enter Directory Manager (rootDN) password>
    version: 1
    dn: cn=config
    nsslapd-accesslog: /usr/iplanet/ds5/slapd-slapd-dss-on81/logs/access
    $

The access log is a text file with entries for each access to the
directory. So assuming a rootDN of "cn=Directory Manager", the following
would show access times, connection number and access method:

    # cd /usr/iplanet/ds5/slapd-slapd-dss-on81/logs
    # file access
    access:         ascii text
    # grep -i 'dn="cn=Directory Manager"' access* | cut -d' ' -f1-3,8
    [13/Dec/2005:13:41:09 +0000] conn=2123 method=128
    [13/Dec/2005:13:43:00 +0000] conn=2126 method=128
    [13/Dec/2005:13:43:41 +0000] conn=2127 method=128

You may then look in more detail at a particular connection using the
connection number with grep(1). (The use of "cut" here is purely for
readability.)
For example:

    # grep conn=2126 access* | cut -d' ' -f 3-
    conn=2126 fd=31 slot=31 connection from 192.168.173.21 to 192.168.208.159
    conn=2126 op=0 BIND dn="cn=Directory Manager" method=128 version=3
    conn=2126 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory Manager"
    conn=2126 op=1 SRCH base="cn=config" scope=0 filter="(cn=config)" attrs="nsslapd-accesslog"
    conn=2126 op=1 RESULT err=0 tag=101 nentries=1 etime=0
    conn=2126 op=2 UNBIND
    conn=2126 op=2 fd=31 closed - U1
    #

From the output above we can deduce that a successful (op=0 RESULT err=0)
remote access occurred (the "from" and "to" IP addresses differ) using an
LDAPv3 connection (version=3) and a simple bind with a plain text
password (method=128). The query returned one result (nentries=1).

For further information on the access log, refer to Chapter 8 "Access
Logs and Connection Codes" of the Sun ONE Directory Server 5.2 Reference
Manual:

    * http://docs.sun.com/source/816-6699-10/logfiles.html

4. Relief/Workaround

To work around the described issues, have the LDAP Directory Server on a
dedicated system where only trusted users have login access. Commands
that use the Directory Server rootDN, such as idsconfig(1M), should only
be used locally on the dedicated secure LDAP server to prevent other
users from observing the Directory Server rootDN and password.

For the commands ldapdelete(1), ldapmodify(1) or ldapsearch(1), use the
identically named commands delivered with the Directory Server. The
location of these commands depends on which Directory Server you are
using. On Solaris 9 the bundled iPlanet Directory Server is delivered in
package "IPLTdsu", which by default installs the commands to
"/usr/iplanet/ds5/shared/bin". The un-packaged version of the Sun Java
System Directory Server version 5.2 downloaded from http://www.sun.com
installs these binaries by default in the "/var/Sun/mps/shared/bin"
directory.

5. Resolution

These issues are addressed in the following releases:

SPARC Platform:
    * Solaris 8 with patch 108993-51 or later
    * Solaris 9 with patches 115677-02 or later and 121321-01 or later

x86 Platform:
    * Solaris 8 with patch 108994-51 or later
    * Solaris 9 with patches 115678-02 or later and 121322-01 or later

Note: Sun recommends that any existing scripts/programs which use the
ldapadd(1), ldapmodify(1), ldapmodrdn(1) or ldapsearch(1) commands with
the -w option be changed to use the secure -j option instead (-w takes
the bind password as a command-line argument; -j reads it from a file).
The secure -j option is now available with the patches listed above.
Examples of how to use this are available in the patched
"/usr/lib/ldap/idsconfig" file.

This Sun Alert notification is being provided to you on an "AS IS" basis.
This Sun Alert notification may contain information provided by third
parties. The issues described in this Sun Alert notification may or may
not impact your system(s). Sun makes no representations, warranties, or
guarantees as to the information contained herein. ANY AND ALL WARRANTIES,
EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT,
ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU ACKNOWLEDGE THAT
SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT OF YOUR USE OR FAILURE
TO USE THE INFORMATION CONTAINED HEREIN.

This Sun Alert notification contains Sun proprietary and confidential
information. It is being provided to you pursuant to the provisions of
your agreement to purchase services from Sun, or, if you do not have such
an agreement, the Sun.com Terms of Use. This Sun Alert notification may
only be used for the purposes contemplated by these agreements.

Copyright 2000-2006 Sun Microsystems, Inc., 4150 Network Circle, Santa
Clara, CA 95054 U.S.A.
All rights reserved

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information
or advice contained in this security bulletin is the responsibility of
each user or organisation, and should be considered in accordance with
your organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still
current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked
in any way, we encourage you to let us know by completing the secure
National IT Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBREbHZih9+71yA2DNAQJPMAQAnPWF6+MvqsrFKUlUd2MLYq689boPXMbp
SlI3bupEM/CHb0udmtY0TxqCRX86eDBjECiyvsGlnye+ZYsTGBih1p+E6dVCrIUi
PmeVFQIs9iY5tqSg72U370KXS+3vfq64J1zBTzK5+FrajmKxPTbQnOHL6W/zUvgn
8M0xa6AwcIw=
=inW4
-----END PGP SIGNATURE-----
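Editor's added example (not part of the Sun alert or the AusCERT bulletin above): a small Python check that applies the patch conditions of section 2 (Contributing Factors) and section 5 (Resolution) to a host's "showrev -p" listing. The showrev lines below are constructed for illustration; the parser relies only on the leading "Patch: NNNNNN-RR" token, and the highest installed revision of each patch base number is what gets compared. Solaris 8 is treated as affected only when the LDAP2 client patch is at revision 14 through 50 and no revision 51 or later is present; Solaris 9 is treated as fixed only when both listed patches are present at or above the stated revision, exactly as the alert words it.

```python
"""Apply Sun Alert 102113's patch conditions to `showrev -p` output.

Added for this page; not Sun or AusCERT code. Sample data is constructed.
"""
import re

# "Patch: 108993-37 Obsoletes: ... Requires: ... Incompatibles: ... Packages: ..."
PATCH_RE = re.compile(r"^Patch:\s+(\d{6})-(\d{2})\b")

# Conditions transcribed from sections 2 and 5 of the alert.
# affected_range: (patch base, lowest affected rev, highest affected rev) or None
# fixed: every (patch base, minimum revision) that must be present for the fix
CONDITIONS = {
    ("8", "sparc"): {"affected_range": ("108993", 14, 50), "fixed": [("108993", 51)]},
    ("8", "x86"):   {"affected_range": ("108994", 14, 50), "fixed": [("108994", 51)]},
    ("9", "sparc"): {"affected_range": None, "fixed": [("115677", 2), ("121321", 1)]},
    ("9", "x86"):   {"affected_range": None, "fixed": [("115678", 2), ("121322", 1)]},
}

# Constructed sample in the `showrev -p` layout (Solaris 8 SPARC host).
SAMPLE_SHOWREV_SPARC8 = """\
Patch: 108528-29 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcar, SUNWcsr
Patch: 108993-14 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsl, SUNWcslx
Patch: 108993-37 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsl, SUNWcslx
"""


def installed_revisions(showrev_output):
    """Return {patch_base: highest installed revision} from `showrev -p` text."""
    revs = {}
    for line in showrev_output.splitlines():
        m = PATCH_RE.match(line.strip())
        if not m:
            continue
        base, rev = m.group(1), int(m.group(2))
        revs[base] = max(rev, revs.get(base, 0))
    return revs


def is_affected(release, arch, revs):
    """True if the host matches the alert's Contributing Factors.

    release is "8", "9" or "10"; arch is "sparc" or "x86"; revs comes from
    installed_revisions().
    """
    if release == "10":
        return False                      # alert: Solaris 10 is not impacted
    cond = CONDITIONS[(release, arch)]
    # Fixed only if every required patch is present at or above its revision.
    fixed = all(revs.get(base, 0) >= minrev for base, minrev in cond["fixed"])
    if fixed:
        return False
    rng = cond["affected_range"]
    if rng is None:
        return True                       # Solaris 9: affected whenever unpatched
    base, lo, hi = rng
    return lo <= revs.get(base, 0) <= hi  # Solaris 8: only the listed revisions


if __name__ == "__main__":
    revs = installed_revisions(SAMPLE_SHOWREV_SPARC8)
    print("installed:", revs)
    print("Solaris 8 SPARC affected:", is_affected("8", "sparc", revs))
```

On a real host, feed the function the output of "showrev -p" and the release from "uname -r" (5.8 / 5.9) and "uname -p" (sparc / i386). A revision below 14 on Solaris 8 is not in the alert's affected range and is reported as not affected, which is what the alert says and not an independent claim that such a system is safe.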
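Editor's added example (not part of the Sun alert or the AusCERT bulletin above): the access-log check that section 3 (Symptoms) walks through by hand with grep(1), written as a Python script over the Sun ONE / Sun Java System Directory Server 5.x access-log layout quoted there. It correlates each connection's "connection from A to B" line with a later successful BIND as the rootDN (by conn number and op number), flags binds from sources outside a trusted list, records whether the bind was remote and whether it used method=128 (a simple password bind), and collects the operations the connection then performed. The log lines below are constructed in the bulletin's format; the trusted source list is an assumption you would replace with your LDAP administrators' hosts.

```python
"""Flag Directory Server rootDN binds from untrusted sources in a DS 5.x access log.

Added for this page; not Sun or AusCERT code. Sample log is constructed.
"""
import re

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$")
CONNECT_RE = re.compile(r"connection from (?P<src>\S+) to (?P<dst>\S+)")
BIND_RE = re.compile(r'^op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" method=(?P<method>\d+)')
RESULT_RE = re.compile(r"^op=(?P<op>\d+) RESULT err=(?P<err>\d+)")
OP_RE = re.compile(r"^op=\d+ (?P<kind>SRCH|ADD|MOD|MODRDN|DEL|UNBIND)\b")

SIMPLE_BIND = 128   # method=128: simple (password) bind, as in the bulletin

# Constructed sample: conn=2126 mirrors the bulletin (remote rootDN bind),
# conn=2127 is a local rootDN bind, conn=2128 is a failed rootDN bind (err=49).
SAMPLE_ACCESS_LOG = """\
[13/Dec/2005:13:43:00 +0000] conn=2126 fd=31 slot=31 connection from 192.168.173.21 to 192.168.208.159
[13/Dec/2005:13:43:00 +0000] conn=2126 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[13/Dec/2005:13:43:00 +0000] conn=2126 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[13/Dec/2005:13:43:00 +0000] conn=2126 op=1 SRCH base="cn=config" scope=0 filter="(cn=config)" attrs="nsslapd-accesslog"
[13/Dec/2005:13:43:00 +0000] conn=2126 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[13/Dec/2005:13:43:00 +0000] conn=2126 op=2 UNBIND
[13/Dec/2005:13:43:00 +0000] conn=2126 op=2 fd=31 closed - U1
[13/Dec/2005:13:44:12 +0000] conn=2127 fd=32 slot=32 connection from 192.168.208.159 to 192.168.208.159
[13/Dec/2005:13:44:12 +0000] conn=2127 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[13/Dec/2005:13:44:12 +0000] conn=2127 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[13/Dec/2005:13:44:12 +0000] conn=2127 op=1 UNBIND
[13/Dec/2005:13:45:30 +0000] conn=2128 fd=33 slot=33 connection from 192.168.173.77 to 192.168.208.159
[13/Dec/2005:13:45:30 +0000] conn=2128 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[13/Dec/2005:13:45:30 +0000] conn=2128 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[13/Dec/2005:13:45:30 +0000] conn=2128 op=1 UNBIND
"""


def rootdn_binds(log_text, rootdn="cn=Directory Manager", trusted_sources=()):
    """One finding per connection that bound successfully as rootdn from a
    source address not listed in trusted_sources."""
    state = {}          # conn id -> bookkeeping for that connection
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, conn, rest = m.group("ts"), m.group("conn"), m.group("rest")
        st = state.setdefault(conn, {"src": None, "dst": None, "bind_op": None,
                                     "method": None, "finding": None})
        c = CONNECT_RE.search(rest)
        if c:
            st["src"], st["dst"] = c.group("src"), c.group("dst")
            continue
        b = BIND_RE.match(rest)
        if b:
            # The BIND line carries the DN as typed; compare case-insensitively.
            if b.group("dn").lower() == rootdn.lower():
                st["bind_op"], st["method"] = b.group("op"), int(b.group("method"))
            else:
                st["bind_op"] = None
            continue
        r = RESULT_RE.match(rest)
        if r and r.group("op") == st["bind_op"]:
            st["bind_op"] = None                  # bind outcome consumed
            if r.group("err") != "0" or st["src"] in trusted_sources:
                continue                          # failed bind or trusted host
            st["finding"] = {
                "conn": conn, "time": ts, "src": st["src"], "dst": st["dst"],
                "remote": st["src"] != st["dst"],
                "simple_bind": st["method"] == SIMPLE_BIND,
                "ops": [],                        # what the rootDN then did
            }
            findings.append(st["finding"])
            continue
        o = OP_RE.match(rest)
        if o and st["finding"] is not None:
            st["finding"]["ops"].append(o.group("kind"))
    return findings


if __name__ == "__main__":
    for f in rootdn_binds(SAMPLE_ACCESS_LOG, trusted_sources=("192.168.208.159",)):
        print("%(time)s conn=%(conn)s from %(src)s remote=%(remote)s "
              "simple_bind=%(simple_bind)s ops=%(ops)s" % f)
```

Run it against the file named by nsslapd-accesslog (and its rotated siblings). A remote simple bind as the rootDN from a host that is not an administrator's workstation is exactly the symptom the alert describes; a local bind from the directory server itself is what the section 4 workaround produces and is excluded by the trusted list.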
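Editor's added example (not part of the Sun alert or the AusCERT bulletin above, and not the code in Sun's patched idsconfig): the -w to -j change recommended in sections 4 and 5, shown as a Python wrapper around a Solaris ldap client command. With -w the bind password is an argv element and is visible to every local user through ps(1) for the lifetime of the process; with -j only a file name appears, so the password's exposure is reduced to the file's permissions. The wrapper creates that file with mkstemp (mode 0600), refuses to proceed if the file is readable by group or others, and removes it even when the command fails. The ldapmodify path, the LDIF file name, and writing the password without a trailing newline are assumptions for illustration; "run" is injectable so the flow can be exercised on a host without the Solaris commands.

```python
"""Keep the rootDN password out of the process argument list (-w -> -j).

Added for this page; not Sun or AusCERT code. Paths and file names are assumed.
"""
import os
import subprocess
import tempfile

LDAPMODIFY = "/usr/bin/ldapmodify"   # assumed location of the Solaris client command


def ldap_argv(cmd, bind_dn, password=None, password_file=None, extra=()):
    """Build the argument vector for a Solaris ldap client command.

    Exactly one of password (-w) or password_file (-j) must be given. With -w
    the secret itself is argv[4] and `ps -ef` shows it to any local user.
    """
    if (password is None) == (password_file is None):
        raise ValueError("give either password (-w) or password_file (-j)")
    argv = [cmd, "-D", bind_dn]
    if password is not None:
        argv += ["-w", password]           # insecure form the alert warns about
    else:
        argv += ["-j", password_file]      # secure form available after patching
    return argv + list(extra)


def describe_password_file(path):
    """Permission bits and content of a password file, or None if it is gone."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return None
    with open(path) as f:
        return {"mode": st.st_mode & 0o777, "content": f.read()}


def is_private(path):
    """True if the file exists and has no group or other permission bits."""
    info = describe_password_file(path)
    return info is not None and (info["mode"] & 0o077) == 0


def run_with_password_file(cmd_and_args, bind_dn, password, run=subprocess.run):
    """Run an ldap client command with -j pointing at a private temporary file.

    mkstemp creates the file 0600 regardless of umask. The password is written
    without a trailing newline (assumption about how the client reads the file).
    The file is unlinked even if the command raises.
    """
    fd, path = tempfile.mkstemp(prefix="ldappw.")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(password)
        if not is_private(path):
            raise PermissionError("password file readable by others: " + path)
        argv = ldap_argv(cmd_and_args[0], bind_dn, password_file=path,
                         extra=cmd_and_args[1:])
        return run(argv)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    # What ps(1) would display for each style (illustrative LDIF name).
    print(" ".join(ldap_argv(LDAPMODIFY, "cn=Directory Manager",
                             password="s3cret", extra=["-f", "change.ldif"])))
    print(" ".join(ldap_argv(LDAPMODIFY, "cn=Directory Manager",
                             password_file="/tmp/ldappw.XXXXXX",
                             extra=["-f", "change.ldif"])))
```

The -j option exists only on clients at the patch levels listed in section 5; on an unpatched Solaris 8 or 9 system the same pattern can be applied with the Directory Server's own ldapmodify, as section 4 suggests, provided that binary accepts a password file rather than only -w.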