From: Ben Lutgens <blutgens@sistina.com>
To: gentoo-dev@cvs.gentoo.org
Subject: Re: [gentoo-dev] Sec Advisory for the old openldap packages in portage.
Date: Tue Jul 17 09:30:02 2001 [thread overview]
Message-ID: <20010717102909.D16777@minime.sistina.com> (raw)
In-Reply-To: <20010717102019.A16777@minime.sistina.com>; from blutgens@sistina.com on Tue, Jul 17, 2001 at 10:20:19AM -0500
Never mind. I misread that, the "prior to" stuff. And I also see that the LDAP
version difference between v2 and v3 is a reason to have both in there.
Please excuse this useless mail; I'm a jackass and haven't had my coffee
yet.
On Tue, Jul 17, 2001 at 10:20:19AM -0500, Ben Lutgens wrote:
>Please see the attached advisory.
>
>Since we have openldap-2.0.11 in portage I recommend that we remove the
>older one based upon answers to the following questions.
>
>1.) Does the openldap-2.0.11 package compile and work o.k.?
>2.) Is there a valid reason for leaving the older ebuilds in the tree?
>3.) Does anyone care?
>
>I'll wait for this thread to progress before removing / modifying the
>net-nds/openldap/ directory in portage.
>
>-----BEGIN PGP SIGNED MESSAGE-----
>
>CERT Advisory CA-2001-18 Multiple Vulnerabilities in Several
>Implementations of the Lightweight Directory Access Protocol (LDAP)
>
> Original release date: July 16, 2001
> Last revised: --
> Source: CERT/CC
>
> A complete revision history can be found at the end of this file.
>
>Systems Affected
>
> * iPlanet Directory Server, version 5.0 Beta and versions up to and
> including 4.13
> * Certain versions of IBM SecureWay running under Solaris and
> Windows 2000
> * Lotus Domino R5 Servers (Enterprise, Application, and Mail), prior
> to 5.0.7a
> * Teamware Office for Windows NT and Solaris, prior to version
> 5.3ed1
> * Qualcomm Eudora WorldMail for Windows NT, version 2
> * Microsoft Exchange 5.5 LDAP Service (Hotfix pending)
> * Network Associates PGP Keyserver 7.0, prior to Hotfix 2
> * Oracle 8i Enterprise Edition
> * OpenLDAP, 1.x prior to 1.2.12 and 2.x prior to 2.0.8
>
>Overview
>
> Several implementations of the Lightweight Directory Access Protocol
> (LDAP) protocol contain vulnerabilities that may allow
> denial-of-service attacks, unauthorized privileged access, or both. If
> your site uses any of the products listed in this advisory, the CERT/CC
> encourages you to follow the advice provided in the Solution section
> below.
>
>I. Description
>
> The LDAP protocol provides access to directories that support the X.500
> directory semantics without requiring the additional resources of
> X.500. A directory is a collection of information such as names,
> addresses, access control lists, and cryptographic certificates.
> Because LDAP servers are widely used in maintaining corporate contact
> information and providing authentication services, any threats to their
> integrity or stability can jeopardize the security of an organization.
>
> To test the security of protocols like LDAP, the PROTOS project
> presents a server with a wide variety of sample packets containing
> unexpected values or illegally formatted data. This approach may reveal
> vulnerabilities that would not manifest themselves under normal
> conditions. As a member of the PROTOS project consortium, the Oulu
> University Secure Programming Group (OUSPG) co-developed and
> subsequently used the PROTOS LDAPv3 test suite to study several
> implementations of the LDAP protocol.
>
> The PROTOS LDAPv3 test suite is divided into two main sections: the
> "Encoding" section, which tests an LDAP server's response to packets
> that violate the Basic Encoding Rules (BER), and the "Application"
> section, which tests an LDAP server's response to packets that trigger
> LDAP-specific application anomalies. Each section is further divided
> into "groups" that collectively exercise a particular encoding or
> application feature. Finally, each group contains one or more "test
> cases," which represent the network packets that are used to test
> individual exceptional conditions.
>
> By applying the PROTOS LDAPv3 test suite to a variety of popular
> LDAP-enabled products, the OUSPG revealed the following
> vulnerabilities:
>
> VU#276944 - iPlanet Directory Server contains multiple vulnerabilities
> in LDAP handling code
>
> The iPlanet Directory Server contains multiple vulnerabilities in
> the code that processes LDAP requests.
>
> In the encoding section of the test suite, this product had an
> indeterminate number of failures in the group that tests invalid
> BER length of length fields.
>
> In the application section of the test suite, this product failed
> four groups and had inconclusive results for an additional five
> groups. The four failed groups indicate the presence of buffer
> overflow vulnerabilities. For the inconclusive groups, the product
> exhibited suspicious behavior while testing for format string
> vulnerabilities.
>
> VU#505564 - IBM SecureWay Directory is vulnerable to denial-of-service
> attacks via LDAP handling code
>
> The IBM SecureWay Directory server contains one or more
> vulnerabilities in the code that processes LDAP requests. These
> vulnerabilities were discovered independently by IBM using the
> PROTOS LDAPv3 test suite. The CERT/CC is not currently aware of the
> nature of these vulnerabilities.
>
> VU#583184 - Lotus Domino R5 Server Family contains multiple
> vulnerabilities in LDAP handling code
>
> The Lotus Domino R5 Server Family (including the Enterprise,
> Application, and Mail servers) contains multiple vulnerabilities in
> the code that processes LDAP requests.
>
> In the encoding section of the test suite, this product failed 1 of
> 77 groups. The failed group tests a server's response to
> miscellaneous packets with semi-valid BER encodings.
>
> In the application section of the test suite, this product failed
> 23 of 77 groups. These results suggest that both buffer overflow
> and format string vulnerabilities are likely to be present in a
> variety of application components.
>
> VU#688960 - Teamware Office contains multiple vulnerabilities in LDAP
> handling code
>
> The Teamware Office suite is packaged with a combination X.500/LDAP
> server that provides directory services. Multiple versions of the
> Office product contain vulnerabilities that cause the LDAP server
> to crash in response to traffic sent by the PROTOS LDAPv3 test
> suite.
>
> In the encoding section of the test suite, this product failed 9 of
> 16 groups involving invalid encodings for several BER object types.
>
> In the application section of the test suite, this product failed 4
> of 32 groups. The remaining 45 groups were not exercised during the
> test runs. The four failed groups indicate the presence of buffer
> overflow vulnerabilities.
>
> VU#717380 - Potential vulnerabilities in Qualcomm Eudora WorldMail
> Server LDAP handling code
>
> While investigating the vulnerabilities reported by OUSPG, it was
> brought to our attention that the Eudora WorldMail Server may
> contain vulnerabilities that can be triggered via the PROTOS test
> suite. The CERT/CC has reported this possibility to Qualcomm and an
> investigation is pending.
>
> VU#763400 - Microsoft Exchange 5.5 LDAP Service is vulnerable to
> denial-of-service attacks
>
> The Microsoft Exchange 5.5 LDAP Service contains a vulnerability
> that causes the LDAP server to freeze in response to malformed LDAP
> requests generated by the PROTOS test suite. This only affects the
> LDAP service; all other Exchange services, including mail handling,
> continue normally.
>
> Although this product was not included in OUSPG's initial testing,
> subsequent informal testing revealed that the LDAP service of the
> Microsoft Exchange 5.5 became unresponsive while processing test
> cases containing exceptional BER encodings for the LDAP filter type
> field.
>
> VU#765256 - Network Associates PGP Keyserver contains multiple
> vulnerabilities in LDAP handling code
>
> The Network Associates PGP Keyserver 7.0 contains multiple
> vulnerabilities in the code that processes LDAP requests.
>
> In the encoding section of the test suite, this product failed 12
> of 16 groups.
>
> In the application section of the test suite, this product failed 1
> of 77 groups. The failed group focused on out-of-bounds integer
> values for the messageID parameter. Due to a peculiarity of this
> test group, this failure may actually represent an encoding
> failure.
>
> VU#869184 - Oracle 8i Enterprise Edition contains multiple
> vulnerabilities in LDAP handling code
>
> The Oracle 8i Enterprise Edition server contains multiple
> vulnerabilities in the code used to process LDAP requests.
>
> In the encoding section of the test suite, this product failed an
> indeterminate number of test cases in the group that tests a
> server's response to invalid encodings of BER OBJECT-IDENTIFIER
> values.
>
> In the application section of the test suite, this product failed
> 46 of 77 groups. These results suggest that both buffer overflow
> and format string vulnerabilities are likely to be present in a
> variety of application components.
>
> VU#935800 - Multiple versions of OpenLDAP are vulnerable to
> denial-of-service attacks
>
> There are multiple vulnerabilities in the OpenLDAP implementations
> of the LDAP protocol. These vulnerabilities exist in the code that
> translates network datagrams into application-specific information.
>
> In the encoding section of the test suite, this product failed the
> group that tests the handling of invalid BER length of length
> fields.
>
> In the application section of the test suite, this product passed
> all 6685 test cases.
>
>Additional Information
>
> For the most up-to-date information regarding these vulnerabilities,
> please visit the CERT/CC Vulnerability Notes Database at:
>
> http://www.kb.cert.org/vuls/
>
> Please note that the test results summarized above should not be
> interpreted as a statement of overall software quality. However, the
> CERT/CC does believe that these results are useful in describing the
> characteristics of these vulnerabilities. For example, an application
> that fails multiple groups indicates that problems exist in different
> areas of the code, rather than in a specific code segment.
>
>II. Impact
>
> VU#276944 - iPlanet Directory Server contains multiple vulnerabilities
> in LDAP handling code
>
> One or more of these vulnerabilities allow a remote attacker to
> execute arbitrary code with the privileges of the Directory Server.
> The server typically runs with system privileges. At least one of
> these vulnerabilities has been successfully exploited in a
> laboratory environment under Windows NT 4.0, but they may affect
> other platforms as well.
>
> VU#505564 - IBM SecureWay Directory is vulnerable to denial-of-service
> attacks via LDAP handling code
>
> These vulnerabilities allow a remote attacker to crash affected
> SecureWay Directory servers, resulting in a denial-of-service
> condition. It is not known at this time whether these
> vulnerabilities will allow a remote attacker to execute arbitrary
> code. These vulnerabilities exist on the Solaris and Windows 2000
> platforms but are not present under Windows NT, AIX, and AIX with
> SSL.
>
> VU#583184 - Lotus Domino R5 Server Family contains multiple
> vulnerabilities in LDAP handling code
>
> One or more of these vulnerabilities allow a remote attacker to
> execute arbitrary code with the privileges of the Domino
> server. The server typically runs with system privileges. At least
> one of these vulnerabilities has been successfully exploited in a
> laboratory environment.
>
> VU#688960 - Teamware Office contains multiple vulnerabilities in LDAP
> handling code
>
> These vulnerabilities allow a remote attacker to crash affected
> Teamware LDAP servers, resulting in a denial-of-service condition.
> They may also allow a remote attacker to execute arbitrary code
> with the privileges of the Teamware server. The server typically
> runs with system privileges.
>
> VU#717380 - Potential vulnerabilities in Qualcomm Eudora WorldMail
> Server LDAP handling code
>
> The CERT/CC has not yet determined the impact of this vulnerability.
>
> VU#763400 - Microsoft Exchange 5.5 LDAP Service is vulnerable to
> denial-of-service attacks
>
> This vulnerability allows a remote attacker to crash the LDAP
> component of vulnerable Exchange 5.5 servers, resulting in a
> denial-of-service condition within the LDAP component.
>
> VU#765256 - Network Associates PGP Keyserver contains multiple
> vulnerabilities in LDAP handling code
>
> One or more of these vulnerabilities allow a remote attacker to
> execute arbitrary code with the privileges of the Keyserver. The
> server typically runs with system privileges. At least one of these
> vulnerabilities has been successfully exploited in a laboratory
> environment.
>
> VU#869184 - Oracle 8i Enterprise Edition contains multiple
> vulnerabilities in LDAP handling code
>
> One or more of these vulnerabilities allow a remote attacker to
> execute arbitrary code with the privileges of the Oracle
> server. The server typically runs with system privileges. At least
> one of these vulnerabilities has been successfully exploited in a
> laboratory environment.
>
> VU#935800 - Multiple versions of OpenLDAP are vulnerable to
> denial-of-service attacks
>
> These vulnerabilities allow a remote attacker to crash affected
> OpenLDAP servers, resulting in a denial-of-service condition.
>
>III. Solution
>
>Apply a patch from your vendor
>
> Appendix A contains information provided by vendors for this advisory.
> Please consult this appendix to determine if you need to contact your
> vendor directly.
>
>Block access to directory services at network perimeter
>
> As a temporary measure, it is possible to limit the scope of these
> vulnerabilities by blocking access to directory services at the
> network perimeter. Please note that this workaround does not protect
> vulnerable products from internal attacks.
>
> ldap 389/tcp # Lightweight Directory Access Protocol
> ldap 389/udp # Lightweight Directory Access Protocol
> ldaps 636/tcp # ldap protocol over TLS/SSL (was sldap)
> ldaps 636/udp # ldap protocol over TLS/SSL (was sldap)
>
>Appendix A. - Vendor Information
>
> This appendix contains information provided by vendors for this
> advisory. As vendors report new information to the CERT/CC, we will
> update this section and note the changes in our revision history. If a
> particular vendor is not listed below, we have not received their
> comments.
>
>IBM Corporation
>
> IBM and Tivoli are currently investigating the details of the
> vulnerabilities in the various versions of the SecureWay product
> family.
>
> Fixes are being implemented as these details become known.
>
> Fixes will be posted to the download sites (IBM or Tivoli) for the
> affected platform. See http://www-1.ibm.com/support under "Server
> Downloads" or "Software Downloads" for links to the fix distribution
> sites.
>
>iPlanet E-Commerce Solutions
>
> [CERT/CC Addendum: These vulnerabilities were originally discovered in
> Directory Server 5.0 Beta and were later found to exist in versions up
> to and including version 4.13. These vulnerabilities have been
> addressed in the released version of Directory Server 5.0.]
>
>Lotus Development Corporation
>
> Lotus reproduced the problem as reported by OUSPG and documented it in
> SPR#DWUU4W6NC8.
>
> Lotus considers security issues as top priority, so we acted quickly
> to resolve the problem in a maintenance update to Domino. It was
> addressed in Domino R5.0.7a, which was released on May 18th, 2001.
> This release can be downloaded from Notes.net at
>
> http://www.notes.net/qmrdown.nsf/qmrwelcome.
>
> The fix is documented in the fix list at
>
> http://www.notes.net/r5fixlist.nsf/Search!SearchView&Query=DWUU4W6NC8
>
>Microsoft Corporation
>
> Microsoft is developing a hotfix for this issue which will be
> available shortly.
>
> Customers can obtain this hotfix by contacting Product Support
> Services at no charge and asking for Q303448 and Q303450. Information
> on contacting Microsoft Product Support Services can be found at
>
> http://www.microsoft.com/support/
>
>Network Associates, Inc.
>
> Network Associates has resolved these vulnerabilities in Hotfix 2 for
> both Solaris and Windows NT. All Network Associates Enterprise Support
> customers have been notified and have been provided access to the
> Hotfix.
>
> This Hotfix can be downloaded at
>
> http://www.pgp.com/downloads/default.asp
>
>The OpenLDAP Project
>
> [CERT/CC Addendum: To address these vulnerabilities, the OpenLDAP
> Project has released OpenLDAP 1.2.12 for use in LDAPv2 environments
> and OpenLDAP 2.0.8 for use in LDAPv3 environments. The CERT/CC
> recommends that users of OpenLDAP contact their software vendor or
> obtain the latest version, available at
> http://www.openLDAP.org/software/download/.]
>
>QUALCOMM Incorporated
>
> The LDAP service in WorldMail may be vulnerable to this exploit, but
> our tests so far have been inconclusive. At this time, we strongly
> urge all WorldMail customers to ensure that the LDAP service is not
> accessible from outside their organization nor by untrusted users.
>
>The Teamware Group
>
> An issue has been discovered with Teamware Office Enterprise Directory
> (LDAP server) that shows an abnormal termination or loop when the LDAP
> server encounters a maliciously or incorrectly created LDAP request
> data.
>
> If the maliciously formatted LDAP request data is requested, the LDAP
> server may excessively copy the LDAP request data to the stack area.
>
> This overflow is likely to cause execution of malicious code. In other
> cases, the LDAP server may go into abnormal termination or infinite
> loop.
>
> [CERT/CC Addendum: Teamware has provided additional documentation of
> these issues in their "Teamware Solution Database," available at
> http://support.teamw.com/Online/s_database1.shtml. Registered users
> can find information on these vulnerabilities by searching for
> document #010703-0000 for Windows NT or document #010703-0001 for
> Solaris.]
>
>Appendix B. - Supplemental Information
>
>The PROTOS Project
>
> The PROTOS project is a research partnership between the University of
> Oulu and VTT Electronics, an independent research organization owned
> by the Finnish government. The project studies methods by which
> protocol implementations can be tested for information security
> defects.
>
> Although the vulnerabilities discussed in this advisory relate
> specifically to the LDAP protocol, the methodology used to research,
> develop, and deploy the PROTOS LDAPv3 test suite can be applied to any
> communications protocol.
>
> For more information on the PROTOS project and its collection of test
> suites, please visit
>
> http://www.ee.oulu.fi/research/ouspg/protos/
>
>ASN.1 and the BER
>
> Abstract Syntax Notation One (ASN.1) is a flexible notation that
> allows one to define a variety of data types. The Basic Encoding Rules
> (BER) describe how to represent or encode the values of each ASN.1
> type as a string of octets. This allows programmers to encode and
> decode data for platform-independent transmission over a network.
>
>References
>
> The following is a list of URLs referenced in this advisory as well as
> other useful sources of information:
>
> http://www.cert.org/advisories/CA-2001-18.html
> http://www.ietf.org/rfc/rfc2116.txt
> http://www.ietf.org/rfc/rfc2251.txt
> http://www.ietf.org/rfc/rfc2252.txt
> http://www.ietf.org/rfc/rfc2253.txt
> http://www.ietf.org/rfc/rfc2254.txt
> http://www.ietf.org/rfc/rfc2255.txt
> http://www.ietf.org/rfc/rfc2256.txt
> http://www.ee.oulu.fi/research/ouspg/protos/
> http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/ldapv3/
> http://www.kb.cert.org/vuls/
> http://www.kb.cert.org/vuls/id/276944
> http://www.kb.cert.org/vuls/id/505564
> http://www.kb.cert.org/vuls/id/583184
> http://www.kb.cert.org/vuls/id/688960
> http://www.kb.cert.org/vuls/id/717380
> http://www.kb.cert.org/vuls/id/763400
> http://www.kb.cert.org/vuls/id/765256
> http://www.kb.cert.org/vuls/id/869184
> http://www.kb.cert.org/vuls/id/935800
> _________________________________________________________________
>
> The CERT Coordination Center thanks the Oulu University Secure
> Programming Group for reporting these vulnerabilities to us, for their
> detailed technical analyses, and for their assistance in preparing
> this advisory. We also thank the many vendors who provided feedback
> regarding their respective vulnerabilities.
> _________________________________________________________________
>
> Authors: Jeffrey P. Lanza and Cory F. Cohen. Feedback on this advisory
> is greatly appreciated.
>
>______________________________________________________________________
>
> This document is available from:
> http://www.cert.org/advisories/CA-2001-18.html
>
>______________________________________________________________________
>
>CERT/CC Contact Information
>
> Email: cert@cert.org
> Phone: +1 412-268-7090 (24-hour hotline)
> Fax: +1 412-268-6989
> Postal address:
> CERT Coordination Center
> Software Engineering Institute
> Carnegie Mellon University
> Pittsburgh PA 15213-3890
> U.S.A.
>
> CERT personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4)
> Monday through Friday; they are on call for emergencies during other
> hours, on U.S. holidays, and on weekends.
>
>Using encryption
>
> We strongly urge you to encrypt sensitive information sent by email.
> Our public PGP key is available from
>
> http://www.cert.org/CERT_PGP.key
>
> If you prefer to use DES, please call the CERT hotline for more
> information.
>
>Getting security information
>
> CERT publications and other security information are available from
> our web site
>
> http://www.cert.org/
>
> To subscribe to the CERT mailing list for advisories and bulletins,
> send email to majordomo@cert.org. Please include in the body of your
> message
>
> subscribe cert-advisory
>
> * "CERT" and "CERT Coordination Center" are registered in the U.S.
> Patent and Trademark Office.
>
>______________________________________________________________________
>
> NO WARRANTY
> Any material furnished by Carnegie Mellon University and the Software
> Engineering Institute is furnished on an "as is" basis. Carnegie
> Mellon University makes no warranties of any kind, either expressed or
> implied as to any matter including, but not limited to, warranty of
> fitness for a particular purpose or merchantability, exclusivity or
> results obtained from use of the material. Carnegie Mellon University
> does not make any warranty of any kind with respect to freedom from
> patent, trademark, or copyright infringement.
> _________________________________________________________________
>
> Conditions for use, disclaimers, and sponsorship information
>
> Copyright 2001 Carnegie Mellon University.
>
> Revision History
>Jul 16, 2001: Initial release
>
>
>----- End forwarded message -----
>
>--
>Ben Lutgens
>Sistina Software Inc.
>Kernel panic: I have no root and I want to scream
--
Ben Lutgens
Sistina Software Inc.
Kernel panic: I have no root and I want to scream
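The advisory quoted above traces several of the failures, including the OpenLDAP one, to the handling of invalid BER "length of length" fields. As an added example that is not part of the advisory or of this list post, the following C decoder validates a BER tag/length header the way a hardened LDAP front end would before touching the value; the content cap, the error codes and the test vectors are constructed for illustration, not taken from the PROTOS suite.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed server policy (constructed for this example): LDAP PDUs are small,
 * so cap the declared content length; a hostile length then never drives a
 * huge read or allocation. */
#define MAX_BER_CONTENT (16u * 1024u * 1024u)

typedef enum {
    BER_OK = 0,
    BER_ERR_TRUNCATED,   /* buffer ends inside the tag or length field   */
    BER_ERR_LENLEN,      /* length-of-length is 0x80, 0xFF or > 4 octets */
    BER_ERR_NONMINIMAL,  /* long form where a shorter encoding would do  */
    BER_ERR_TOO_LARGE,   /* declared content exceeds MAX_BER_CONTENT     */
    BER_ERR_OVERRUN      /* declared content runs past the buffer end    */
} ber_status;

struct ber_hdr {
    uint8_t tag;
    size_t  header_len, content_len; /* octets used by tag+length; declared value length */
};

/* Decode one definite-length BER header from buf[0..buflen).  Single-octet tags
 * only (all LDAPv3 uses); every length is validated against the octets present. */
ber_status ber_read_header(const uint8_t *buf, size_t buflen, struct ber_hdr *out)
{
    size_t pos = 0;
    if (buflen < 2) return BER_ERR_TRUNCATED;
    out->tag = buf[pos++];
    uint8_t first = buf[pos++];
    if (first < 0x80) {                       /* short form: one octet */
        out->content_len = first;
    } else {
        size_t nbytes = first & 0x7F;
        /* 0x80 is the indefinite form (LDAP forbids it, RFC 2251 5.1), 0xFF is
         * reserved, > 4 octets cannot describe anything under the cap. */
        if (nbytes == 0 || nbytes == 0x7F || nbytes > 4) return BER_ERR_LENLEN;
        if (buflen - pos < nbytes) return BER_ERR_TRUNCATED;
        uint32_t len = 0;                     /* <= 4 octets: cannot wrap */
        for (size_t i = 0; i < nbytes; i++) len = (len << 8) | buf[pos++];
        /* DER minimality, adopted here as policy (BER alone permits padded
         * lengths): long form must encode >= 128 with no leading zero octet. */
        if (len < 0x80 || buf[2] == 0) return BER_ERR_NONMINIMAL;
        out->content_len = len;
    }
    if (out->content_len > MAX_BER_CONTENT) return BER_ERR_TOO_LARGE;
    if (out->content_len > buflen - pos) return BER_ERR_OVERRUN;
    out->header_len = pos;
    return BER_OK;
}

/* Constructed vectors (not PROTOS cases): a well-formed SEQUENCE header and
 * the malformed length fields a server must survive without crashing. */
static const struct { const char *name; uint8_t b[8]; size_t n; } vectors[] = {
    {"short form, valid",  {0x30, 0x05, 0x02, 0x01, 0x01, 0x60, 0x00}, 7},
    {"long form, overrun", {0x04, 0x81, 0x80}, 3},
    {"indefinite 0x80",    {0x30, 0x80, 0x00, 0x00}, 4},
    {"reserved 0xFF",      {0x30, 0xFF, 0x01}, 3},
    {"non-minimal length", {0x04, 0x82, 0x00, 0x05, 1, 2, 3, 4}, 8},
    {"truncated length",   {0x30, 0x82, 0x01}, 3},
    {"length over cap",    {0x04, 0x84, 0x7F, 0xFF, 0xFF, 0xFF}, 6},
};

ber_status decode_vector(size_t i, struct ber_hdr *h)
{
    return ber_read_header(vectors[i].b, vectors[i].n, h);
}

int main(void)
{
    static const char *names[] = {"OK", "TRUNCATED", "LENLEN", "NONMINIMAL", "TOO_LARGE", "OVERRUN"};
    for (size_t i = 0; i < sizeof vectors / sizeof vectors[0]; i++) {
        struct ber_hdr h;
        printf("%-19s -> %s\n", vectors[i].name, names[decode_vector(i, &h)]);
    }
    return 0;
}
```

The minimality check is stricter than BER requires and may be relaxed for interoperability; the length-of-length and overrun checks are the ones that keep the value pointer inside the received buffer.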