===========================================================================
             AUSCERT External Security Bulletin Redistribution

                        ESB-2006.0274 -- [Solaris]
              Security Vulnerability in LDAP2 Client Commands
                               20 April 2006

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           idsconfig
Publisher:         Sun Microsystems
Operating System:  Solaris 8,9
Impact:            Access Privileged Data
Access:            Existing Account

Original Bulletin:
http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-26-102113-1

- --------------------------BEGIN INCLUDED TEXT--------------------

Sun(sm) Alert Notification
     * Sun Alert ID: 102113
     * Synopsis: Security Vulnerability in LDAP2 Client Commands
     * Category: Security, Availability
     * Product: Solaris 9 Operating System, Solaris 8 Operating System
     * BugIDs: 4701755, 4701811
     * Avoidance: Patch, Workaround
     * State: Resolved
     * Date Released: 11-Apr-2006
     * Date Closed: 11-Apr-2006
     * Date Modified: 

1. Impact

   Local unprivileged users may discover the Directory Server root
   Distinguished Name (rootDN) password if a privileged user uses
   the idsconfig(1M) command.

   The rootDN password may also be observed if a privileged user runs any
   of the following LDAP commands insecurely:
     * ldapadd(1)
     * ldapdelete(1)
     * ldapmodify(1)
     * ldapmodrdn(1)
     * ldapsearch(1)

   The rootDN password may then be used to add, change, delete and search
   records within the Directory Server.

   Sun acknowledges, with thanks, Michael Gerdts for bringing these
   issues to our attention.

2. Contributing Factors

   These issues can occur in the following releases:

   SPARC Platform
     * Solaris 8 with patch 108993-14 through 108993-50 and without
       patch 108993-51
     * Solaris 9 without patches 115677-02 and 121321-01

   x86 Platform
     * Solaris 8 with patch 108994-14 through 108994-50 and without
       patch 108994-51
     * Solaris 9 without patches 115678-02 and 121322-01

   Note: Solaris 10 is not impacted by these issues.

3. Symptoms

   Directory server access logs may show unexpected connections made
   using the Directory Server rootDN which are not associated with the
   activities of trusted LDAP administrators.

   The Directory Server access log location is dependent on the Directory
   Server. The Sun Java System Directory Server 5.0 or greater may be
   queried using ldapsearch(1) for the location of the access log.

   For example:
    $ ldapsearch -D "cn=Directory Manager" \
    > -b cn=config -s base cn=config nsslapd-accesslog
    Enter bind password: <enter Directory Manager (rootDN) password>
    version: 1
    dn: cn=config
    nsslapd-accesslog: /usr/iplanet/ds5/slapd-slapd-dss-on81/logs/access
    $

   The access log is a text file with entries for each access to the
   directory. So assuming a rootDN of "Directory Manager" the following
   would show access times, connection number and access method:
    # cd /usr/iplanet/ds5/slapd-slapd-dss-on81/logs
    # file access
    access:      ascii text
    # grep -i 'dn="cn=Directory Manager"' access* | cut -d' ' -f1-3,8
    [13/Dec/2005:13:41:09 +0000] conn=2123 method=128
    [13/Dec/2005:13:43:00 +0000] conn=2126 method=128
    [13/Dec/2005:13:43:41 +0000] conn=2127 method=128

   You may then look in more detail at a particular connection using the
   connection number with grep(1). (The use of "cut" here is simply for
   aesthetics purposes.)

   For example:
    # grep conn=2126 access* | cut -d' ' -f 3-
    conn=2126 fd=31 slot=31 connection from 192.168.173.21 to 192.168.208.159
    conn=2126 op=0 BIND dn="cn=Directory Manager" method=128 version=3
    conn=2126 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory Manager"
    conn=2126 op=1 SRCH base="cn=config" scope=0 filter="(cn=config)" attrs="nsslapd-accesslog"
    conn=2126 op=1 RESULT err=0 tag=101 nentries=1 etime=0
    conn=2126 op=2 UNBIND
    conn=2126 op=2 fd=31 closed - U1
    #

   From the output above we can deduce that a successful (op=0 RESULT
   err=0) remote access occurred (the "from" and "to" IP addresses
   differ) using an LDAPv3 connection and a plain text password
   (method=128). The query returned one result (nentries=1).
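
   The grep/cut procedure above can be automated. The following Python
   script is an added example, not part of the Sun Alert: it joins each
   rootDN BIND to its connection endpoints and bind RESULT on the conn=
   number and reports successful binds that were remote or used a plain
   text password. The log lines, IP addresses and the rootDN
   "cn=Directory Manager" it assumes are constructed from the format
   quoted above.

```python
import re

# Added example, not part of the Sun Alert: it automates the grep/cut procedure
# above, joining each rootDN BIND to its connection endpoints and bind RESULT
# on the conn= number so remote or cleartext rootDN use stands out.
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$')
CONN_RE = re.compile(r'connection from (\S+) to (\S+)')
BIND_RE = re.compile(r'op=(\d+) BIND dn="([^"]*)" method=(\d+) version=(\d+)')
RESULT_RE = re.compile(r'op=(\d+) RESULT err=(\d+)')
SIMPLE_BIND = 128  # method=128 is a simple bind: the password travels in the clear

def rootdn_binds(lines, rootdn="cn=Directory Manager"):
    """One record per bind as rootdn; the DN comparison is case-insensitive."""
    endpoints, pending, findings = {}, {}, []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, conn, rest = m.groups()
        if c := CONN_RE.search(rest):
            endpoints[conn] = c.groups()            # remember who connected
        elif (b := BIND_RE.search(rest)) and b.group(2).lower() == rootdn.lower():
            src, dst = endpoints.get(conn, (None, None))
            rec = {"time": ts, "conn": conn, "src": src, "dst": dst,
                   "remote": src is not None and src != dst,
                   "cleartext": int(b.group(3)) == SIMPLE_BIND,
                   "ldap_version": int(b.group(4)), "err": None}
            pending[conn] = (b.group(1), rec)       # wait for this op's RESULT
            findings.append(rec)
        elif (r := RESULT_RE.search(rest)) and pending.get(conn, ("",))[0] == r.group(1):
            pending.pop(conn)[1]["err"] = int(r.group(2))   # err=0 means success
    return findings

def suspicious(findings):
    """Successful rootDN binds made remotely or with a cleartext password."""
    return [f for f in findings if f["err"] == 0 and (f["remote"] or f["cleartext"])]

# Constructed sample in the access-log format quoted above; addresses are made up.
SAMPLE_LOG = """\
[13/Dec/2005:13:43:00 +0000] conn=2126 fd=31 slot=31 connection from 192.168.173.21 to 192.168.208.159
[13/Dec/2005:13:43:00 +0000] conn=2126 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[13/Dec/2005:13:43:00 +0000] conn=2126 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[13/Dec/2005:13:45:10 +0000] conn=2130 fd=32 slot=32 connection from 192.168.208.159 to 192.168.208.159
[13/Dec/2005:13:45:10 +0000] conn=2130 op=0 BIND dn="cn=directory manager" method=128 version=3
[13/Dec/2005:13:45:10 +0000] conn=2130 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[13/Dec/2005:13:46:00 +0000] conn=2131 fd=33 slot=33 connection from 192.168.173.40 to 192.168.208.159
[13/Dec/2005:13:46:00 +0000] conn=2131 op=0 BIND dn="uid=jdoe,ou=People,dc=example,dc=com" method=128 version=3
[13/Dec/2005:13:46:00 +0000] conn=2131 op=0 RESULT err=0 tag=97 nentries=0 etime=0
""".splitlines()
```

   Running suspicious(rootdn_binds(SAMPLE_LOG)) over the constructed sample
   reports only conn=2126: the local bind on conn=2130 failed (err=49) and
   conn=2131 was not the rootDN.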

   For further information on the access log, refer to Chapter 8 "Access
   Logs and Connection Codes" of the Sun ONE Directory Server 5.2
   Reference Manual:
     * http://docs.sun.com/source/816-6699-10/logfiles.html 

4. Relief/Workaround

   To work around the described issues, have the LDAP Directory Server on
   a dedicated system where only trusted users have login access.
   Commands that use the Directory Server rootDN, such as idsconfig(1M),
   should only be used locally on the dedicated secure LDAP server to
   prevent other users from observing the Directory Server rootDN and
   password.

   For the commands ldapdelete(1), ldapmodify(1) or ldapsearch(1), use the
   identically named commands delivered with the Directory Server. The
   location of these commands depends on which Directory Server you are
   using.

   On Solaris 9 the bundled iPlanet Directory Server is delivered in
   package "IPLTdsu" which by default installs the commands to
   "/usr/iplanet/ds5/shared/bin".

   The un-packaged version of the Sun Java System Directory Server
   version 5.2 downloaded from http://www.sun.com installs these
   binaries by default in the "/var/Sun/mps/shared/bin" directory.

5. Resolution

   These issues are addressed in the following releases:

   SPARC Platform:
     * Solaris 8 with patch 108993-51 or later
     * Solaris 9 with patches 115677-02 or later and 121321-01 or
       later

   x86 Platform:
     * Solaris 8 with patch 108994-51 or later
     * Solaris 9 with patches 115678-02 or later and 121322-01 or
       later

   Note: Sun recommends that any existing scripts or programs that use
   the ldapadd(1), ldapmodify(1), ldapmodrdn(1) or ldapsearch(1) commands
   with the -w option be changed to use the secure -j option instead.

   The secure -j option is now available with the patches listed above.
   Examples of how to use this are available in the patched
   "/usr/lib/ldap/idsconfig" file.

   This Sun Alert notification is being provided to you on an "AS IS"
   basis. This Sun Alert notification may contain information provided by
   third parties. The issues described in this Sun Alert notification may
   or may not impact your system(s). Sun makes no representations,
   warranties, or guarantees as to the information contained herein. ANY
   AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
   WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
   NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT
   YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT,
   INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE
   OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN.
   This Sun Alert notification contains Sun proprietary and confidential
   information. It is being provided to you pursuant to the provisions of
   your agreement to purchase services from Sun, or, if you do not have
   such an agreement, the Sun.com Terms of Use. This Sun Alert
   notification may only be used for the purposes contemplated by these
   agreements.

   Copyright 2000-2006 Sun Microsystems, Inc., 4150 Network Circle, Santa
   Clara, CA 95054 U.S.A. All rights reserved

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
