Bug 680466 (CVE-2011-1024) - CVE-2011-1024 openldap: forwarded bind failure messages cause success
Summary: CVE-2011-1024 openldap: forwarded bind failure messages cause success
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2011-1024
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 680481 680482 680483 680484 680486
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-02-25 16:45 UTC by Vincent Danen
Modified: 2019-09-29 12:43 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-07-29 14:01:35 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:0346 0 normal SHIPPED_LIVE Moderate: openldap security and bug fix update 2011-03-10 20:31:50 UTC
Red Hat Product Errata RHSA-2011:0347 0 normal SHIPPED_LIVE Moderate: openldap security update 2011-03-10 20:47:17 UTC

Description Vincent Danen 2011-02-25 16:45:55 UTC
It was reported [1],[2],[3] that in certain configurations, OpenLDAP would authenticate with an invalid password.  If an OpenLDAP slave received an authenticated bind request with an invalid password that was forwarded to the master LDAP server, the LDAP slave would return a successful bind (as an anonymous user) rather than return a failure (as the user to authenticate).  This is due to a chain overlay being set on the frontend, with a ppolicy configured with ppolicy_forward_updates.  While this is not a security issue regarding LDAP contents, due to the authentication as an unprivileged anonymous user, when LDAP returns a successful bind to other external programs (such as programs performing authentication, such as pam_ldap or SSSD) it could allow a user to login with an invalid password (in that case, if LDAP is used for user authentication, it could lead to a successful login with an invalid password).

This was already corrected upstream [4] for unrelated reasons.

References:

[1] http://www.openldap.org/its/index.cgi/Software%20Bugs?id=6607
[2] http://www.openldap.org/lists/openldap-technical/201004/msg00247.html
[3] http://secunia.com/advisories/43331/
[4] http://www.openldap.org/devel/cvsweb.cgi/servers/slapd/back-ldap/chain.c.diff?r1=1.76&r2=1.77&hideattic=1&sortbydate=0

Comment 1 Vincent Danen 2011-02-25 16:48:14 UTC
The upstream patch [4] applies to OpenLDAP as provided with RHEL5 and 6; it does not apply to RHEL4 and the code is quite different so I don't believe OpenLDAP 2.2.x is affected, but need a second set of eyes to verify.

Comment 4 Vincent Danen 2011-02-25 17:34:57 UTC
Created openldap tracking bugs for this issue

Affects: fedora-all [bug 680483]

Comment 6 Vincent Danen 2011-02-28 18:21:17 UTC
This issue does not affect OpenLDAP 2.2.x (as found in Red Hat Enterprise Linux 4) because it does not contain ppolicy overlay support.

Comment 7 Jan Vcelak 2011-03-01 12:33:47 UTC
Already fixed in upstream 2.4.24, for Fedora this means:

F16  not affected
F14  affected, but 2.4.24 is waiting in updates testing
F14  affected
F13  affected

Comment 8 Jan Vcelak 2011-03-01 12:42:03 UTC
F13 resolved in: openldap-2.4.21-12.fc13
F14 resolved in: openldap-2.4.23-9.fc14

Comment 10 errata-xmlrpc 2011-03-10 20:31:56 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:0346 https://rhn.redhat.com/errata/RHSA-2011-0346.html

Comment 11 errata-xmlrpc 2011-03-10 20:47:23 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0347 https://rhn.redhat.com/errata/RHSA-2011-0347.html


Note You need to log in before you can comment on or make changes to this bug.