Lucene search

K
zdtGeorgi Geshev1337DAY-ID-24155
HistoryAug 28, 2015 - 12:00 a.m.

Apache ActiveMQ 5.0.0 - 5.10.0 JAAS LDAPLoginModule empty password authentication Vulnerability

2015-08-2800:00:00
Georgi Geshev
0day.today
45

EPSS

0.003

Percentile

70.9%

Exploit for multiple platform in category web applications

CVE-2014-3612: ActiveMQ JAAS: LDAPLoginModule allows empty password authentication and Wildcard Interpretation

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
Apache ActiveMQ 5.0.0 - 5.10.0

Description:
It was found that if a configured LDAP server supported the unauthenticated authentication
mechanism (as described by RFC 4513), the LDAPLoginModule implementation, provided by ActiveMQ
Java Authentication and Authorization Service (JAAS), would consider an authentication attempt to
be successful for a valid user that provided an empty password. A remote attacker could use this flaw
to bypass the authentication mechanism of an application using LDAPLoginModule, and assume a role
of any valid user within that application. Additionally, when LDAP authentication is enabled, it is
possible for an attacker to supply a wildcard operator instead of a username, which will effectively
allow him to brute force a password for an unknown but valid account as opposed to brute forcing a
combination of username and password. Once a valid password is found, the attacker can successfully
authenticate with LDAP and publish/subscribe to a queue.


Mitigation:
Upgrade to Apache ActiveMQ 5.10.1 or 5.11.0

Credit:
This issue was discovered by ๏ปฟGeorgi Geshev from MWR Labs and Arun Babu Neelicattu from RedHat.

#  0day.today [2018-01-05]  #