Bug 680466 - (CVE-2011-1024) CVE-2011-1024 openldap: forwarded bind failure messages cause success
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: public=20100728,reported=20110224,sou...
Keywords: Security
Depends On: 680481 680482 680483 680484 680486
Blocks:
Reported: 2011-02-25 11:45 EST by Vincent Danen
Modified: 2015-07-29 10:01 EDT
Doc Type: Bug Fix
Last Closed: 2015-07-29 10:01:35 EDT
Attachments: none
Description Vincent Danen 2011-02-25 11:45:55 EST
It was reported [1],[2],[3] that in certain configurations, OpenLDAP would authenticate with an invalid password.  If an OpenLDAP slave received an authenticated bind request with an invalid password that was forwarded to the master LDAP server, the LDAP slave would return a successful bind (as an anonymous user) rather than return a failure (as the user to authenticate).  This is due to a chain overlay being set on the frontend, with a ppolicy configured with ppolicy_forward_updates.  While this is not a security issue regarding LDAP contents, due to the authentication as an unprivileged anonymous user, when LDAP returns a successful bind to other external programs (such as programs performing authentication, such as pam_ldap or SSSD) it could allow a user to login with an invalid password (in that case, if LDAP is used for user authentication, it could lead to a successful login with an invalid password).

This was already corrected upstream [4] for unrelated reasons.

References:

[1] http://www.openldap.org/its/index.cgi/Software%20Bugs?id=6607
[2] http://www.openldap.org/lists/openldap-technical/201004/msg00247.html
[3] http://secunia.com/advisories/43331/
[4] http://www.openldap.org/devel/cvsweb.cgi/servers/slapd/back-ldap/chain.c.diff?r1=1.76&r2=1.77&hideattic=1&sortbydate=0
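A defender-side check for the behaviour described above, added here as an example (not part of the bug report or of OpenLDAP itself): it sends a deliberately wrong password to a replica with OpenLDAP's own ldapwhoami client and reports whether the server answers invalidCredentials (49), or instead accepts the bind and reports the identity as anonymous. The LDAP URI and bind DN are arguments you supply; the wrong password is a constructed placeholder.

```shell
#!/bin/sh
# Added example: verify that a slapd replica rejects a bind with a wrong
# password rather than answering with a successful anonymous bind
# (the failure mode described in this bug). Assumes the OpenLDAP client
# tools are installed; the URI and bind DN are supplied by the caller.

# Classify one ldapwhoami run from its exit status and printed identity.
# ldapwhoami exits with the LDAP result code on failure (49 =
# invalidCredentials) and, after a successful bind, prints the
# authorization identity: "anonymous" or "dn:<bound DN>".
classify_bind() {
    rc="$1"
    identity="$2"
    case "$rc" in
        49) echo "ok: invalid password rejected (invalidCredentials)" ;;
        0)
            if [ "$identity" = "anonymous" ]; then
                echo "AFFECTED: invalid password accepted, bound as anonymous"
            else
                echo "UNEXPECTED: invalid password accepted as $identity"
            fi
            ;;
        *) echo "error: ldapwhoami exit status $rc (unreachable or other LDAP error)" ;;
    esac
}

# Live check against your own replica. Arguments: LDAP URI, bind DN.
run_check() {
    uri="$1"
    binddn="$2"
    wrongpw="definitely-not-the-real-password"   # constructed placeholder
    rc=0
    out=$(ldapwhoami -x -H "$uri" -D "$binddn" -w "$wrongpw" 2>/dev/null) || rc=$?
    classify_bind "$rc" "$out"
}

# Only contact a server when a URI and bind DN are given on the command line.
if [ "$#" -ge 2 ]; then
    run_check "$1" "$2"
fi
```

Run it as `sh check-bind.sh ldap://replica.example.com uid=testuser,ou=people,dc=example,dc=com` (placeholder values); an unpatched replica in the chain/ppolicy_forward_updates configuration reports the AFFECTED line.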
Comment 1 Vincent Danen 2011-02-25 11:48:14 EST
The upstream patch [4] applies to OpenLDAP as provided with RHEL5 and 6; it does not apply to RHEL4 and the code is quite different so I don't believe OpenLDAP 2.2.x is affected, but need a second set of eyes to verify.
Comment 4 Vincent Danen 2011-02-25 12:34:57 EST
Created openldap tracking bugs for this issue

Affects: fedora-all [bug 680483]
Comment 6 Vincent Danen 2011-02-28 13:21:17 EST
This issue does not affect OpenLDAP 2.2.x (as found in Red Hat Enterprise Linux 4) because it does not contain ppolicy overlay support.
Comment 7 Jan Vcelak 2011-03-01 07:33:47 EST
Already fixed in upstream 2.4.24, for Fedora this means:

F16  not affected
F14  affected, but 2.4.24 is waiting in updates testing
F14  affected
F13  affected
Comment 8 Jan Vcelak 2011-03-01 07:42:03 EST
F13 resolved in: openldap-2.4.21-12.fc13
F14 resolved in: openldap-2.4.23-9.fc14
Comment 10 errata-xmlrpc 2011-03-10 15:31:56 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:0346 https://rhn.redhat.com/errata/RHSA-2011-0346.html
Comment 11 errata-xmlrpc 2011-03-10 15:47:23 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0347 https://rhn.redhat.com/errata/RHSA-2011-0347.html