pam_ldap authentication bypass vulnerability

Overview

An error in the pam_ldap password policy control may allow a remote attacker to gain access to a system.

Description

pam_ldap provides LDAP authentication services for UNIX-based systems. A vulnerability in pam_ldap may allow a remote attacker to bypass the authentication mechanism. If a pam_ldap client attempts to authenticate against an LDAP server that omits the optional error value from the PasswordPolicyResponseValue, the authentication attempt will always succeed.

Note that this vulnerability affects all versions of pam_ldap since version pam_ldap-169. However, if the underlying LDAP client library does not support LDAP version 3 controls, then this vulnerability is not present.

---

Impact

An unauthenticated, remote attacker may be able to bypass the pam_ldap authentication mechanism and gain access to a system, possibly with elevated privileges.

---

Solution

Upgrade pam_ldap

This vulnerability was corrected in pam_ldap-180.

---

Vendor Information

778916

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Debian Linux __ Affected

Notified: August 19, 2005 Updated: August 25, 2005

Status

Affected

Vendor Statement

Debian GNU/Linux is vulnerable to this problem. The old stable distribution (woody) is not affected by this problem. For the stable distribution (sarge) this problem has been fixed in version 178-1sarge1. For the unstable distribution (sid) this problem has been fixed in version 178-1sarge1. This is DSA 785-1.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

PADL __ Affected

Notified: August 16, 2005 Updated: August 25, 2005

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

From padl-180 changelog:

“when handling new password policy control, only fall through to account management module if a policy error was returned (CERT VU#778916).”

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23778916 Feedback>).

Red Hat, Inc. __ Affected

Notified: August 19, 2005 Updated: November 02, 2005

Status

Affected

Vendor Statement

This issue did not affect Red Hat Enterprise Linux 2.1, or 3.

Updated nss_ldap packages for Red Hat Enterprise Linux 4 to correct this
issue are available at the URL below and by using the Red Hat Network
‘up2date’ tool.

<http://rhn.redhat.com/errata/CVE-2005-2641.html&gt;

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Apple Computer, Inc. __ Not Affected

Notified: August 19, 2005 Updated: October 10, 2005

Status

Not Affected

Vendor Statement

Mac OS X does not ship with pam_ldap.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Hewlett-Packard Company __ Not Affected

Notified: August 19, 2005 Updated: August 31, 2005

Status

Not Affected

Vendor Statement

HP-UX, HP Tru64 and HP OpenVMS are not vulnerable to this report.

To report potential security vulnerabilities in HP software, send an E-mail message to: [email protected]

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Hitachi __ Not Affected

Updated: September 15, 2005

Status

Not Affected

Vendor Statement

Hitachi Directory Server is NOT Vulnerable to this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Microsoft Corporation Not Affected

Notified: August 19, 2005 Updated: September 28, 2005

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Openwall GNU/*/Linux __ Not Affected

Notified: August 19, 2005 Updated: September 06, 2005

Status

Not Affected

Vendor Statement

Openwall GNU/*/Linux is not vulnerable. We do not package pam_ldap.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Oracle Corporation __ Not Affected

Notified: August 19, 2005 Updated: September 06, 2005

Status

Not Affected

Vendor Statement

Oracle does not ship pam_ldap with our OID product.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

SUSE Linux __ Not Affected

Notified: August 19, 2005 Updated: August 22, 2005

Status

Not Affected

Vendor Statement

SUSE products are not vulnerable to the pam_ldap vulnerability described in VU#778916.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Sun Microsystems, Inc. __ Not Affected

Notified: August 19, 2005 Updated: September 02, 2005

Status

Not Affected

Vendor Statement

Sun can confirm that Solaris is not affected by this issue. Solaris does not ship the PADL pam_ldap module or use any of the PADL code in the Solaris shipped pam_ldap(5) PAM module. Sun’s Linux OS, which is part of the Java Desktop System (JDS) for Linux does not ship pam_ldap.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Computer Associates Unknown

Notified: August 19, 2005 Updated: August 19, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Engarde Secure Linux Unknown

Notified: August 19, 2005 Updated: August 19, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

IBM Corporation Unknown

Notified: August 19, 2005 Updated: August 19, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

IBM Corporation (zseries) Unknown

Notified: August 19, 2005 Updated: August 19, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

IBM eServer Unknown

Notified: August 19, 2005 Updated: August 19, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Immunix Communications, Inc. Unknown

Notified: August 19, 2005 Updated: August 19, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Ingrian Networks, Inc. Unknown

Notified: August 19, 2005 Updated: August 19, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Lotus Software Unknown

Notified: August 19, 2005 Updated: August 19, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Mandriva, Inc. Unknown

Notified: August 19, 2005 Updated: August 19, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Mandriva, Inc. Unknown

Notified: August 19, 2005 Updated: August 19, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Mirapoint, Inc. Unknown

Notified: August 19, 2005 Updated: August 19, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

MontaVista Software, Inc. Unknown

Notified: August 19, 2005 Updated: August 19, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Netscape Communications Corporation Unknown

Notified: August 19, 2005 Updated: August 19, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Novell, Inc. Unknown

Notified: August 19, 2005 Updated: August 19, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

OctetString, Inc. Unknown

Notified: August 19, 2005 Updated: August 19, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

OpenLDAP Unknown

Notified: August 19, 2005 Updated: August 19, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

QUALCOMM Incorporated Unknown

Notified: August 19, 2005 Updated: August 19, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Sequent Computer Systems, Inc. Unknown

Notified: August 19, 2005 Updated: August 19, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

The SCO Group (SCO Linux) Unknown

Notified: August 19, 2005 Updated: August 19, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

The Teamware Group Unknown

Notified: August 19, 2005 Updated: August 19, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Turbolinux Unknown

Notified: August 19, 2005 Updated: August 19, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

View all 32 vendors __View less vendors __

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

• <http://www.padl.com/OSS/pam_ldap.html&gt;
• <http://secunia.com/advisories/16518/&gt;

Acknowledgements

This vulnerability was reported by Luke Howard of PADL.

This document was written by Jeff Gennari.

Other Information

CVE IDs:	CVE-2005-2641
Severity Metric:	8.15 Date Public: