Overview
An error in the pam_ldap password policy control may allow a remote attacker to gain access to a system.
Description
pam_ldap provides LDAP authentication services for UNIX-based systems. A vulnerability in pam_ldap may allow a remote attacker to bypass the authentication mechanism. If a pam_ldap client attempts to authenticate against an LDAP server that omits the optional error value from the PasswordPolicyResponseValue, the authentication attempt will always succeed. Note that this vulnerability affects all versions of pam_ldap since version pam_ldap-169. However, if the underlying LDAP client library does not support LDAP version 3 controls, then this vulnerability is not present. |
Impact
An unauthenticated, remote attacker may be able to bypass the pam_ldap authentication mechanism and gain access to a system, possibly with elevated privileges. |
Solution
Upgrade pam_ldap This vulnerability was corrected in pam_ldap-180. |
Vendor Information
Debian Linux Affected
Notified: August 19, 2005 Updated: August 25, 2005
Status
Affected
Vendor Statement
Debian GNU/Linux is vulnerable to this problem. The old stable distribution (woody) is not affected by this problem. For the stable distribution (sarge) this problem has been fixed in version 178-1sarge1. For the unstable distribution (sid) this problem has been fixed in version 178-1sarge1. This is DSA 785-1.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
PADL Affected
Notified: August 16, 2005 Updated: August 25, 2005
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
From padl-180 changelog:
"when handling new password policy control, only fall through to account management module if a policy error was returned (CERT VU#778916)."
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Red Hat, Inc. Affected
Notified: August 19, 2005 Updated: November 02, 2005
Status
Affected
Vendor Statement
This issue did not affect Red Hat Enterprise Linux 2.1, or 3.
Updated nss_ldap packages for Red Hat Enterprise Linux 4 to correct this
issue are available at the URL below and by using the Red Hat Network
'up2date' tool.
http://rhn.redhat.com/errata/CVE-2005-2641.html
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Apple Computer, Inc. Not Affected
Notified: August 19, 2005 Updated: October 10, 2005
Status
Not Affected
Vendor Statement
Mac OS X does not ship with pam_ldap.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Hewlett-Packard Company Not Affected
Notified: August 19, 2005 Updated: August 31, 2005
Status
Not Affected
Vendor Statement
HP-UX, HP Tru64 and HP OpenVMS are not vulnerable to this report.
To report potential security vulnerabilities in HP software, send an E-mail message to: security-alert@hp.com
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Hitachi Not Affected
Updated: September 15, 2005
Status
Not Affected
Vendor Statement
Hitachi Directory Server is NOT Vulnerable to this issue.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Microsoft Corporation Not Affected
Notified: August 19, 2005 Updated: September 28, 2005
Status
Not Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Openwall GNU/*/Linux Not Affected
Notified: August 19, 2005 Updated: September 06, 2005
Status
Not Affected
Vendor Statement
Openwall GNU/*/Linux is not vulnerable. We do not package pam_ldap.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Oracle Corporation Not Affected
Notified: August 19, 2005 Updated: September 06, 2005
Status
Not Affected
Vendor Statement
Oracle does not ship pam_ldap with our OID product.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
SUSE Linux Not Affected
Notified: August 19, 2005 Updated: August 22, 2005
Status
Not Affected
Vendor Statement
SUSE products are not vulnerable to the pam_ldap vulnerability described in VU#778916.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Sun Microsystems, Inc. Not Affected
Notified: August 19, 2005 Updated: September 02, 2005
Status
Not Affected
Vendor Statement
Sun can confirm that Solaris is not affected by this issue. Solaris does not ship the PADL pam_ldap module or use any of the PADL code in the Solaris shipped pam_ldap(5) PAM module. Sun's Linux OS, which is part of the Java Desktop System (JDS) for Linux does not ship pam_ldap.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Computer Associates Unknown
Notified: August 19, 2005 Updated: August 19, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Engarde Secure Linux Unknown
Notified: August 19, 2005 Updated: August 19, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
IBM Corporation Unknown
Notified: August 19, 2005 Updated: August 19, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
IBM Corporation (zseries) Unknown
Notified: August 19, 2005 Updated: August 19, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
IBM eServer Unknown
Notified: August 19, 2005 Updated: August 19, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Immunix Communications, Inc. Unknown
Notified: August 19, 2005 Updated: August 19, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Ingrian Networks, Inc. Unknown
Notified: August 19, 2005 Updated: August 19, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Lotus Software Unknown
Notified: August 19, 2005 Updated: August 19, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Mandriva, Inc. Unknown
Notified: August 19, 2005 Updated: August 19, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Mandriva, Inc. Unknown
Notified: August 19, 2005 Updated: August 19, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Mirapoint, Inc. Unknown
Notified: August 19, 2005 Updated: August 19, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
MontaVista Software, Inc. Unknown
Notified: August 19, 2005 Updated: August 19, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Netscape Communications Corporation Unknown
Notified: August 19, 2005 Updated: August 19, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Novell, Inc. Unknown
Notified: August 19, 2005 Updated: August 19, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
OctetString, Inc. Unknown
Notified: August 19, 2005 Updated: August 19, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
OpenLDAP Unknown
Notified: August 19, 2005 Updated: August 19, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
QUALCOMM Incorporated Unknown
Notified: August 19, 2005 Updated: August 19, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Sequent Computer Systems, Inc. Unknown
Notified: August 19, 2005 Updated: August 19, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
The SCO Group (SCO Linux) Unknown
Notified: August 19, 2005 Updated: August 19, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
The Teamware Group Unknown
Notified: August 19, 2005 Updated: August 19, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Turbolinux Unknown
Notified: August 19, 2005 Updated: August 19, 2005
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | ||
| Temporal | ||
| Environmental |
References
Acknowledgements
This vulnerability was reported by Luke Howard of PADL.
This document was written by Jeff Gennari.
Other Information
| CVE IDs: | CVE-2005-2641 |
| Severity Metric: | 8.15 |
| Date Public: | 2005-08-24 |
| Date First Published: | 2005-08-24 |
| Date Last Updated: | 2005-11-02 17:47 UTC |
| Document Revision: | 66 |