Bug 680466 (CVE-2011-1024)

Summary: CVE-2011-1024 openldap: forwarded bind failure messages cause success
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
Hardware: All
OS: Linux
Keywords: Security
Reporter: Vincent Danen <vdanen>
Assignee: Red Hat Product Security <security-response-team>
CC: jplans, omoris, rmeggins, vkrizan
Doc Type: Bug Fix
Last Closed: 2015-07-29 14:01:35 UTC
Bug Depends On: 680481, 680482, 680483, 680484, 680486

Description Vincent Danen 2011-02-25 16:45:55 UTC
It was reported [1],[2],[3] that in certain configurations, OpenLDAP would authenticate with an invalid password.  If an OpenLDAP slave received an authenticated bind request with an invalid password that was forwarded to the master LDAP server, the LDAP slave would return a successful bind (as an anonymous user) rather than return a failure (as the user to authenticate).  This is due to a chain overlay being set on the frontend, with a ppolicy configured with ppolicy_forward_updates.  While this is not a security issue regarding LDAP contents, due to the authentication as an unprivileged anonymous user, when LDAP returns a successful bind to other external programs (such as programs performing authentication, such as pam_ldap or SSSD) it could allow a user to log in with an invalid password (in that case, if LDAP is used for user authentication, it could lead to a successful login with an invalid password).

This was already corrected upstream [4] for unrelated reasons.

References:

[1] http://www.openldap.org/its/index.cgi/Software%20Bugs?id=6607
[2] http://www.openldap.org/lists/openldap-technical/201004/msg00247.html
[3] http://secunia.com/advisories/43331/
[4] http://www.openldap.org/devel/cvsweb.cgi/servers/slapd/back-ldap/chain.c.diff?r1=1.76&r2=1.77&hideattic=1&sortbydate=0
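The description names a specific replica configuration: a chain overlay on the frontend (global section of slapd.conf) together with a ppolicy overlay that has ppolicy_forward_updates set, so that the bookkeeping for a failed bind is forwarded to the master and the chain overlay's reply is what the client sees. The combination is legitimate; what matters is finding the replicas that run it so they can be updated. The audit below is an added example, not code from the bug report, from Red Hat or from OpenLDAP. It parses a slapd.conf text into the frontend section and per-database sections, following the two syntax rules that matter here (`#` comment lines are ignored, and a line beginning with whitespace continues the previous line), and reports the suffix of every database that forwards ppolicy updates while the frontend carries the chain overlay. The sample configuration, the host names and the DNs in it are constructed for the example.

```python
"""Audit an OpenLDAP slapd.conf for the replica pattern in this bug report:
a chain overlay on the frontend combined with a ppolicy overlay that has
ppolicy_forward_updates set.  Added example; the configs below are constructed."""

from dataclasses import dataclass, field


@dataclass
class Section:
    kind: str                                        # "frontend" or the database type
    directives: list = field(default_factory=list)   # (keyword, args) in file order

    def has_overlay(self, name):
        return any(k == "overlay" and a and a[0].lower() == name
                   for k, a in self.directives)

    def has(self, keyword):
        return any(k == keyword for k, _ in self.directives)

    def suffix(self):
        for k, a in self.directives:
            if k == "suffix" and a:
                return a[0].strip('"')
        return None


def parse_slapd_conf(text):
    """Split slapd.conf into the frontend section (directives before the first
    'database' line, plus any explicit 'database frontend' block) and one
    Section per backend database."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                                  # blank or comment line
        if raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()          # continuation line
        else:
            logical.append(raw.strip())

    frontend = Section("frontend")
    sections, current = [frontend], frontend
    for line in logical:
        keyword, *args = line.split()
        keyword = keyword.lower()
        if keyword == "database":
            kind = args[0].lower() if args else ""
            if kind == "frontend":
                current = frontend
            else:
                current = Section(kind)
                sections.append(current)
            continue
        current.directives.append((keyword, args))
    return sections


def forwarding_ppolicy_databases(text):
    """Suffixes of databases running ppolicy with ppolicy_forward_updates while
    the frontend carries the chain overlay.  Each one is a database whose failed
    binds are forwarded to the master through the chain overlay, i.e. the
    pattern in the description; an empty list means the pattern is absent."""
    sections = parse_slapd_conf(text)
    if not sections[0].has_overlay("chain"):
        return []
    return [sec.suffix() or sec.kind
            for sec in sections[1:]
            if sec.has_overlay("ppolicy") and sec.has("ppolicy_forward_updates")]


# Constructed replica config reproducing the combination in the description.
REPLICA_CONF = """\
include  /etc/openldap/schema/core.schema
pidfile  /var/run/openldap/slapd.pid

# global (frontend) overlay: forward referred operations to the master
overlay chain
chain-uri ldap://master.example.com
chain-idassert-bind bindmethod=simple
    binddn="cn=admin,dc=example,dc=com"
    credentials=secret
    mode=self

database bdb
suffix   "dc=example,dc=com"
rootdn   "cn=admin,dc=example,dc=com"
directory /var/lib/ldap
updateref ldap://master.example.com
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=example,dc=com"
ppolicy_forward_updates
"""

# Same database without the global chain overlay and without forwarding: the
# failed bind is answered locally, so the pattern is absent.
LOCAL_CONF = REPLICA_CONF[REPLICA_CONF.index("database bdb"):].replace(
    "ppolicy_forward_updates\n", "")

if __name__ == "__main__":
    for label, conf in (("replica", REPLICA_CONF), ("local", LOCAL_CONF)):
        print(label, forwarding_ppolicy_databases(conf))
```

A replica this audit flags should be confirmed at runtime with a deliberately wrong password, for example `ldapwhoami -x -H ldap://replica.example.com -D "uid=alice,dc=example,dc=com" -w wrong-password` (hypothetical host and DN). A correct server rejects the bind with result 49 (invalid credentials); a server showing the behaviour in the description accepts the bind and reports an anonymous identity, which is exactly the outcome pam_ldap or SSSD would misread as a successful login.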

Comment 1 Vincent Danen 2011-02-25 16:48:14 UTC
The upstream patch [4] applies to OpenLDAP as provided with RHEL5 and 6; it does not apply to RHEL4 and the code is quite different so I don't believe OpenLDAP 2.2.x is affected, but need a second set of eyes to verify.

Comment 4 Vincent Danen 2011-02-25 17:34:57 UTC
Created openldap tracking bugs for this issue

Affects: fedora-all [bug 680483]

Comment 6 Vincent Danen 2011-02-28 18:21:17 UTC
This issue does not affect OpenLDAP 2.2.x (as found in Red Hat Enterprise Linux 4) because it does not contain ppolicy overlay support.

Comment 7 Jan Vcelak 2011-03-01 12:33:47 UTC
Already fixed in upstream 2.4.24, for Fedora this means:

F16  not affected
F14  affected, but 2.4.24 is waiting in updates testing
F14  affected
F13  affected

Comment 8 Jan Vcelak 2011-03-01 12:42:03 UTC
F13 resolved in: openldap-2.4.21-12.fc13
F14 resolved in: openldap-2.4.23-9.fc14

Comment 10 errata-xmlrpc 2011-03-10 20:31:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:0346 https://rhn.redhat.com/errata/RHSA-2011-0346.html

Comment 11 errata-xmlrpc 2011-03-10 20:47:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0347 https://rhn.redhat.com/errata/RHSA-2011-0347.html