Apache CloudStack 4.3 / 4.4 Unauthenticated LDAP Binds Vulnerability

🗓️ 10 Dec 2014 00:00:00Reported by CitrixType

zdt🔗 0day.today👁 29 Views

Apache CloudStack LDAP Binds Vulnerability 4.3 / 4.

Reporter	Title	Published	Views	Family All 7
CVE	CVE-2014-7807	10 Dec 201415:00	–	cve
Cvelist	CVE-2014-7807	10 Dec 201415:00	–	cvelist
EUVD	EUVD-2014-7678	7 Oct 202500:30	–	euvd
NVD	CVE-2014-7807	10 Dec 201415:59	–	nvd
Prion	Authentication flaw	10 Dec 201415:59	–	prion
securityvulns	[CVE-2014-7807] Apache CloudStack unauthenticated LDAP binds	29 Dec 201400:00	–	securityvulns
securityvulns	Apache CloudStac authentication bypass	29 Dec 201400:00	–	securityvulns

CVE-2014-7807: Apache CloudStack unauthenticated LDAP binds

CVSS:
7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P

Vendors:
The Apache Software Foundation
Citrix, Inc.

Versions Afffected:
Apache CloudStack 4.3, 4.4

Description:
Apache CloudStack may be configured to authenticate LDAP users.
When so configured, it performs a simple LDAP bind with the name
and password provided by a user.  Simple LDAP binds are defined
with three mechanisms (RFC 4513): 1) username and password; 2)
unauthenticated if only a username is specified; and 3) anonymous
if neither username or password is specified.  Currently, Apache
CloudStack does not check if the password was provided which could
allow an attacker to bind as an unauthenticated user.

Mitigation:
Users of Apache CloudStack 4.4 and derivatives should update to the
latest version (4.4.2)

An updated release for Apache CloudStack 4.3.2 is in testing. Until
that is released, we recommend following the mitigation below:

By default, many LDAP servers are not configured to allow unauthenticated
binds.  If the LDAP server in use allow this behaviour, a potential
interim solution would be to consider disabling unauthenticated
binds.

#  0day.today [2018-04-09]  #

10 Dec 2014 00:00Current

6.6Medium risk

Vulners AI Score6.6

EPSS0.00419