Never mind. I misread that. "prior to" stuff. And I also see that the LDAP
version difference v2 and v3 are a reason to have both in there. Please
excuse this useless mail, I'm a jackass and haven't had my coffee yet.

On Tue, Jul 17, 2001 at 10:20:19AM -0500, Ben Lutgens wrote:
>Please see the attached advisory.
>
>Since we have openldap-2.0.11 in portage I recommend that we remove the
>older one based upon answers to the following questions.
>
>1.) does the openldap-2.0.11 package compile and work o.k.?
>2.) Is there a valid reason for leaving the older ebuilds in the tree?
>3.) Does anyone care?
>
>I'll wait for this thread to progress before removing / modifying the
>net-nds/openldap/ directory in portage.
>
>
>-----BEGIN PGP SIGNED MESSAGE-----
>
>CERT Advisory CA-2001-18 Multiple Vulnerabilities in Several
>Implementations of the Lightweight Directory Access Protocol (LDAP)
>
>   Original release date: July 16, 2001
>   Last revised: --
>   Source: CERT/CC
>
>   A complete revision history can be found at the end of this file.
>
>Systems Affected
>
>     * iPlanet Directory Server, version 5.0 Beta and versions up to and
>       including 4.13
>     * Certain versions of IBM SecureWay running under Solaris and
>       Windows 2000
>     * Lotus Domino R5 Servers (Enterprise, Application, and Mail), prior
>       to 5.0.7a
>     * Teamware Office for Windows NT and Solaris, prior to version
>       5.3ed1
>     * Qualcomm Eudora WorldMail for Windows NT, version 2
>     * Microsoft Exchange 5.5 LDAP Service (Hotfix pending)
>     * Network Associates PGP Keyserver 7.0, prior to Hotfix 2
>     * Oracle 8i Enterprise Edition
>     * OpenLDAP, 1.x prior to 1.2.12 and 2.x prior to 2.0.8
>
>Overview
>
>   Several implementations of the Lightweight Directory Access Protocol
>   (LDAP) protocol contain vulnerabilities that may allow
>   denial-of-service attacks, unauthorized privileged access, or both. If
>   your site uses any of the products listed in this advisory, the CERT/CC
>   encourages you to follow the advice provided in the Solution section
>   below.
>
>I. Description
>
>   The LDAP protocol provides access to directories that support the X.500
>   directory semantics without requiring the additional resources of
>   X.500. A directory is a collection of information such as names,
>   addresses, access control lists, and cryptographic certificates.
>   Because LDAP servers are widely used in maintaining corporate contact
>   information and providing authentication services, any threats to their
>   integrity or stability can jeopardize the security of an organization.
>
>   To test the security of protocols like LDAP, the PROTOS project
>   presents a server with a wide variety of sample packets containing
>   unexpected values or illegally formatted data. This approach may reveal
>   vulnerabilities that would not manifest themselves under normal
>   conditions. As a member of the PROTOS project consortium, the Oulu
>   University Secure Programming Group (OUSPG) co-developed and
>   subsequently used the PROTOS LDAPv3 test suite to study several
>   implementations of the LDAP protocol.
>
>   The PROTOS LDAPv3 test suite is divided into two main sections: the
>   "Encoding" section, which tests an LDAP server's response to packets
>   that violate the Basic Encoding Rules (BER), and the "Application"
>   section, which tests an LDAP server's response to packets that trigger
>   LDAP-specific application anomalies. Each section is further divided
>   into "groups" that collectively exercise a particular encoding or
>   application feature. Finally, each group contains one or more "test
>   cases," which represent the network packets that are used to test
>   individual exceptional conditions.
>
>   By applying the PROTOS LDAPv3 test suite to a variety of popular
>   LDAP-enabled products, the OUSPG revealed the following
>   vulnerabilities:
>
>   VU#276944 - iPlanet Directory Server contains multiple vulnerabilities
>   in LDAP handling code
>
>     The iPlanet Directory Server contains multiple vulnerabilities in
>     the code that processes LDAP requests.
>
>     In the encoding section of the test suite, this product had an
>     indeterminate number of failures in the group that tests invalid
>     BER length of length fields.
>
>     In the application section of the test suite, this product failed
>     four groups and had inconclusive results for an additional five
>     groups. The four failed groups indicate the presence of buffer
>     overflow vulnerabilities. For the inconclusive groups, the product
>     exhibited suspicious behavior while testing for format string
>     vulnerabilities.
>
>   VU#505564 - IBM SecureWay Directory is vulnerable to denial-of-service
>   attacks via LDAP handling code
>
>     The IBM SecureWay Directory server contains one or more
>     vulnerabilities in the code that processes LDAP requests. These
>     vulnerabilities were discovered independently by IBM using the
>     PROTOS LDAPv3 test suite. The CERT/CC is not currently aware of the
>     nature of these vulnerabilities.
>
>   VU#583184 - Lotus Domino R5 Server Family contains multiple
>   vulnerabilities in LDAP handling code
>
>     The Lotus Domino R5 Server Family (including the Enterprise,
>     Application, and Mail servers) contains multiple vulnerabilities in
>     the code that processes LDAP requests.
>
>     In the encoding section of the test suite, this product failed 1 of
>     77 groups. The failed group tests a server's response to
>     miscellaneous packets with semi-valid BER encodings.
>
>     In the application section of the test suite, this product failed
>     23 of 77 groups. These results suggest that both buffer overflow
>     and format string vulnerabilities are likely to be present in a
>     variety of application components.
>
>   VU#688960 - Teamware Office contains multiple vulnerabilities in LDAP
>   handling code
>
>     The Teamware Office suite is packaged with a combination X.500/LDAP
>     server that provides directory services. Multiple versions of the
>     Office product contain vulnerabilities that cause the LDAP server
>     to crash in response to traffic sent by the PROTOS LDAPv3 test
>     suite.
>
>     In the encoding section of the test suite, this product failed 9 of
>     16 groups involving invalid encodings for several BER object types.
>
>     In the application section of the test suite, this product failed 4
>     of 32 groups. The remaining 45 groups were not exercised during the
>     test runs. The four failed groups indicate the presence of buffer
>     overflow vulnerabilities.
>
>   VU#717380 - Potential vulnerabilities in Qualcomm Eudora WorldMail
>   Server LDAP handling code
>
>     While investigating the vulnerabilities reported by OUSPG, it was
>     brought to our attention that the Eudora WorldMail Server may
>     contain vulnerabilities that can be triggered via the PROTOS test
>     suite. The CERT/CC has reported this possibility to Qualcomm and an
>     investigation is pending.
>
>   VU#763400 - Microsoft Exchange 5.5 LDAP Service is vulnerable to
>   denial-of-service attacks
>
>     The Microsoft Exchange 5.5 LDAP Service contains a vulnerability
>     that causes the LDAP server to freeze in response to malformed LDAP
>     requests generated by the PROTOS test suite. This only affects the
>     LDAP service; all other Exchange services, including mail handling,
>     continue normally.
>
>     Although this product was not included in OUSPG's initial testing,
>     subsequent informal testing revealed that the LDAP service of the
>     Microsoft Exchange 5.5 became unresponsive while processing test
>     cases containing exceptional BER encodings for the LDAP filter type
>     field.
>
>   VU#765256 - Network Associates PGP Keyserver contains multiple
>   vulnerabilities in LDAP handling code
>
>     The Network Associates PGP Keyserver 7.0 contains multiple
>     vulnerabilities in the code that processes LDAP requests.
>
>     In the encoding section of the test suite, this product failed 12
>     of 16 groups.
>
>     In the application section of the test suite, this product failed 1
>     of 77 groups. The failed group focused on out-of-bounds integer
>     values for the messageID parameter. Due to a peculiarity of this
>     test group, this failure may actually represent an encoding
>     failure.
>
>   VU#869184 - Oracle 8i Enterprise Edition contains multiple
>   vulnerabilities in LDAP handling code
>
>     The Oracle 8i Enterprise Edition server contains multiple
>     vulnerabilities in the code used to process LDAP requests.
>
>     In the encoding section of the test suite, this product failed an
>     indeterminate number of test cases in the group that tests a
>     server's response to invalid encodings of BER OBJECT-IDENTIFIER
>     values.
>
>     In the application section of the test suite, this product failed
>     46 of 77 groups. These results suggest that both buffer overflow
>     and format string vulnerabilities are likely to be present in a
>     variety of application components.
>
>   VU#935800 - Multiple versions of OpenLDAP are vulnerable to
>   denial-of-service attacks
>
>     There are multiple vulnerabilities in the OpenLDAP implementations
>     of the LDAP protocol. These vulnerabilities exist in the code that
>     translates network datagrams into application-specific information.
>
>     In the encoding section of the test suite, this product failed the
>     group that tests the handling of invalid BER length of length
>     fields.
>
>     In the application section of the test suite, this product passed
>     all 6685 test cases.
>
>Additional Information
>
>   For the most up-to-date information regarding these vulnerabilities,
>   please visit the CERT/CC Vulnerability Notes Database at:
>
>   http://www.kb.cert.org/vuls/
>
>   Please note that the test results summarized above should not be
>   interpreted as a statement of overall software quality. However, the
>   CERT/CC does believe that these results are useful in describing the
>   characteristics of these vulnerabilities. For example, an application
>   that fails multiple groups indicates that problems exist in different
>   areas of the code, rather than in a specific code segment.
>
>II. Impact
>
>   VU#276944 - iPlanet Directory Server contains multiple vulnerabilities
>   in LDAP handling code
>
>     One or more of these vulnerabilities allow a remote attacker to
>     execute arbitrary code with the privileges of the Directory Server.
>     The server typically runs with system privileges. At least one of
>     these vulnerabilities has been successfully exploited in a
>     laboratory environment under Windows NT 4.0, but they may affect
>     other platforms as well.
>
>   VU#505564 - IBM SecureWay Directory is vulnerable to denial-of-service
>   attacks via LDAP handling code
>
>     These vulnerabilities allow a remote attacker to crash affected
>     SecureWay Directory servers, resulting in a denial-of-service
>     condition. It is not known at this time whether these
>     vulnerabilities will allow a remote attacker to execute arbitrary
>     code. These vulnerabilities exist on the Solaris and Windows 2000
>     platforms but are not present under Windows NT, AIX, and AIX with
>     SSL.
>
>   VU#583184 - Lotus Domino R5 Server Family contains multiple
>   vulnerabilities in LDAP handling code
>
>     One or more of these vulnerabilities allow a remote attacker to
>     execute arbitrary code with the privileges of the Domino
>     server. The server typically runs with system privileges. At least
>     one of these vulnerabilities has been successfully exploited in a
>     laboratory environment.
>
>   VU#688960 - Teamware Office contains multiple vulnerabilities in LDAP
>   handling code
>
>     These vulnerabilities allow a remote attacker to crash affected
>     Teamware LDAP servers, resulting in a denial-of-service condition.
>     They may also allow a remote attacker to execute arbitrary code
>     with the privileges of the Teamware server. The server typically
>     runs with system privileges.
>
>   VU#717380 - Potential vulnerabilities in Qualcomm Eudora WorldMail
>   Server LDAP handling code
>
>     The CERT/CC has not yet determined the impact of this vulnerability.
>
>   VU#763400 - Microsoft Exchange 5.5 LDAP Service is vulnerable to
>   denial-of-service attacks
>
>     This vulnerability allows a remote attacker to crash the LDAP
>     component of vulnerable Exchange 5.5 servers, resulting in a
>     denial-of-service condition within the LDAP component.
>
>   VU#765256 - Network Associates PGP Keyserver contains multiple
>   vulnerabilities in LDAP handling code
>
>     One or more of these vulnerabilities allow a remote attacker to
>     execute arbitrary code with the privileges of the Keyserver. The
>     server typically runs with system privileges. At least one of these
>     vulnerabilities has been successfully exploited in a laboratory
>     environment.
>
>   VU#869184 - Oracle 8i Enterprise Edition contains multiple
>   vulnerabilities in LDAP handling code
>
>     One or more of these vulnerabilities allow a remote attacker to
>     execute arbitrary code with the privileges of the Oracle
>     server. The server typically runs with system privileges. At least
>     one of these vulnerabilities has been successfully exploited in a
>     laboratory environment.
>
>   VU#935800 - Multiple versions of OpenLDAP are vulnerable to
>   denial-of-service attacks
>
>     These vulnerabilities allow a remote attacker to crash affected
>     OpenLDAP servers, resulting in a denial-of-service condition.
>
>III. Solution
>
>Apply a patch from your vendor
>
>   Appendix A contains information provided by vendors for this advisory.
>   Please consult this appendix to determine if you need to contact your
>   vendor directly.
>
>Block access to directory services at network perimeter
>
>   As a temporary measure, it is possible to limit the scope of these
>   vulnerabilities by blocking access to directory services at the
>   network perimeter. Please note that this workaround does not protect
>   vulnerable products from internal attacks.
>
>   ldap    389/tcp    # Lightweight Directory Access Protocol
>   ldap    389/udp    # Lightweight Directory Access Protocol
>   ldaps   636/tcp    # ldap protocol over TLS/SSL (was sldap)
>   ldaps   636/udp    # ldap protocol over TLS/SSL (was sldap)
>
>Appendix A. - Vendor Information
>
>   This appendix contains information provided by vendors for this
>   advisory. As vendors report new information to the CERT/CC, we will
>   update this section and note the changes in our revision history. If a
>   particular vendor is not listed below, we have not received their
>   comments.
>
>IBM Corporation
>
>   IBM and Tivoli are currently investigating the details of the
>   vulnerabilities in the various versions of the SecureWay product
>   family.
>
>   Fixes are being implemented as these details become known.
>
>   Fixes will be posted to the download sites (IBM or Tivoli) for the
>   affected platform. See http://www-1.ibm.com/support under "Server
>   Downloads" or "Software Downloads" for links to the fix distribution
>   sites.
>
>iPlanet E-Commerce Solutions
>
>   [CERT/CC Addendum: These vulnerabilities were originally discovered in
>   Directory Server 5.0 Beta and were later found to exist in versions up
>   to and including version 4.13. These vulnerabilities have been
>   addressed in the released version of Directory Server 5.0.]
>
>Lotus Development Corporation
>
>   Lotus reproduced the problem as reported by OUSPG and documented it in
>   SPR#DWUU4W6NC8.
>
>   Lotus considers security issues as top priority, so we acted quickly
>   to resolve the problem in a maintenance update to Domino. It was
>   addressed in Domino R5.0.7a, which was released on May 18th, 2001.
>   This release can be downloaded from Notes.net at
>
>   http://www.notes.net/qmrdown.nsf/qmrwelcome.
>
>   The fix is documented in the fix list at
>
>   http://www.notes.net/r5fixlist.nsf/Search!SearchView&Query=DWUU4W6NC8
>
>Microsoft Corporation
>
>   Microsoft is developing a hotfix for this issue which will be
>   available shortly.
>
>   Customers can obtain this hotfix by contacting Product Support
>   Services at no charge and asking for Q303448 and Q303450. Information
>   on contacting Microsoft Product Support Services can be found at
>
>   http://www.microsoft.com/support/
>
>Network Associates, Inc.
>
>   Network Associates has resolved these vulnerabilities in Hotfix 2 for
>   both Solaris and Windows NT. All Network Associates Enterprise Support
>   customers have been notified and have been provided access to the
>   Hotfix.
>
>   This Hotfix can be downloaded at
>
>   http://www.pgp.com/downloads/default.asp
>
>The OpenLDAP Project
>
>   [CERT/CC Addendum: To address these vulnerabilities, the OpenLDAP
>   Project has released OpenLDAP 1.2.12 for use in LDAPv2 environments
>   and OpenLDAP 2.0.8 for use in LDAPv3 environments. The CERT/CC
>   recommends that users of OpenLDAP contact their software vendor or
>   obtain the latest version, available at
>   http://www.openLDAP.org/software/download/.]
>
>QUALCOMM Incorporated
>
>   The LDAP service in WorldMail may be vulnerable to this exploit, but
>   our tests so far have been inconclusive. At this time, we strongly
>   urge all WorldMail customers to ensure that the LDAP service is not
>   accessible from outside their organization nor by untrusted users.
>
>The Teamware Group
>
>   An issue has been discovered with Teamware Office Enterprise Directory
>   (LDAP server) that shows an abnormal termination or loop when the LDAP
>   server encounters maliciously or incorrectly created LDAP request
>   data.
>
>   If the maliciously formatted LDAP request data is requested, the LDAP
>   server may excessively copy the LDAP request data to the stack area.
>
>   This overflow is likely to cause execution of malicious code. In the
>   other case, the LDAP server may go into abnormal termination or an
>   infinite loop.
>
>   [CERT/CC Addendum: Teamware has provided additional documentation of
>   these issues in their "Teamware Solution Database," available at
>   http://support.teamw.com/Online/s_database1.shtml. Registered users
>   can find information on these vulnerabilities by searching for
>   document #010703-0000 for Windows NT or document #010703-0001 for
>   Solaris.]
>
>Appendix B. - Supplemental Information
>
>The PROTOS Project
>
>   The PROTOS project is a research partnership between the University of
>   Oulu and VTT Electronics, an independent research organization owned
>   by the Finnish government. The project studies methods by which
>   protocol implementations can be tested for information security
>   defects.
>
>   Although the vulnerabilities discussed in this advisory relate
>   specifically to the LDAP protocol, the methodology used to research,
>   develop, and deploy the PROTOS LDAPv3 test suite can be applied to any
>   communications protocol.
>
>   For more information on the PROTOS project and its collection of test
>   suites, please visit
>
>   http://www.ee.oulu.fi/research/ouspg/protos/
>
>ASN.1 and the BER
>
>   Abstract Syntax Notation One (ASN.1) is a flexible notation that
>   allows one to define a variety of data types. The Basic Encoding Rules
>   (BER) describe how to represent or encode the values of each ASN.1
>   type as a string of octets. This allows programmers to encode and
>   decode data for platform-independent transmission over a network.
>
>References
>
>   The following is a list of URLs referenced in this advisory as well as
>   other useful sources of information:
>
>   http://www.cert.org/advisories/CA-2001-18.html
>   http://www.ietf.org/rfc/rfc2116.txt
>   http://www.ietf.org/rfc/rfc2251.txt
>   http://www.ietf.org/rfc/rfc2252.txt
>   http://www.ietf.org/rfc/rfc2253.txt
>   http://www.ietf.org/rfc/rfc2254.txt
>   http://www.ietf.org/rfc/rfc2255.txt
>   http://www.ietf.org/rfc/rfc2256.txt
>   http://www.ee.oulu.fi/research/ouspg/protos/
>   http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/ldapv3/
>   http://www.kb.cert.org/vuls/
>   http://www.kb.cert.org/vuls/id/276944
>   http://www.kb.cert.org/vuls/id/505564
>   http://www.kb.cert.org/vuls/id/583184
>   http://www.kb.cert.org/vuls/id/688960
>   http://www.kb.cert.org/vuls/id/717380
>   http://www.kb.cert.org/vuls/id/763400
>   http://www.kb.cert.org/vuls/id/765256
>   http://www.kb.cert.org/vuls/id/869184
>   http://www.kb.cert.org/vuls/id/935800
>   _________________________________________________________________
>
>   The CERT Coordination Center thanks the Oulu University Secure
>   Programming Group for reporting these vulnerabilities to us, for their
>   detailed technical analyses, and for their assistance in preparing
>   this advisory. We also thank the many vendors who provided feedback
>   regarding their respective vulnerabilities.
>   _________________________________________________________________
>
>   Authors: Jeffrey P. Lanza and Cory F. Cohen. Feedback on this advisory
>   is greatly appreciated.
>
>______________________________________________________________________
>
>   This document is available from:
>   http://www.cert.org/advisories/CA-2001-18.html
>
>______________________________________________________________________
>
>CERT/CC Contact Information
>
>   Email: cert@cert.org
>   Phone: +1 412-268-7090 (24-hour hotline)
>   Fax: +1 412-268-6989
>   Postal address:
>          CERT Coordination Center
>          Software Engineering Institute
>          Carnegie Mellon University
>          Pittsburgh PA 15213-3890
>          U.S.A.
>
>   CERT personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4)
>   Monday through Friday; they are on call for emergencies during other
>   hours, on U.S. holidays, and on weekends.
>
>Using encryption
>
>   We strongly urge you to encrypt sensitive information sent by email.
>   Our public PGP key is available from
>
>   http://www.cert.org/CERT_PGP.key
>
>   If you prefer to use DES, please call the CERT hotline for more
>   information.
>
>Getting security information
>
>   CERT publications and other security information are available from
>   our web site
>
>   http://www.cert.org/
>
>   To subscribe to the CERT mailing list for advisories and bulletins,
>   send email to majordomo@cert.org. Please include in the body of your
>   message
>
>   subscribe cert-advisory
>
>   * "CERT" and "CERT Coordination Center" are registered in the U.S.
>   Patent and Trademark Office.
>
>______________________________________________________________________
>
>   NO WARRANTY
>   Any material furnished by Carnegie Mellon University and the Software
>   Engineering Institute is furnished on an "as is" basis. Carnegie
>   Mellon University makes no warranties of any kind, either expressed or
>   implied as to any matter including, but not limited to, warranty of
>   fitness for a particular purpose or merchantability, exclusivity or
>   results obtained from use of the material. Carnegie Mellon University
>   does not make any warranty of any kind with respect to freedom from
>   patent, trademark, or copyright infringement.
>   _________________________________________________________________
>
>   Conditions for use, disclaimers, and sponsorship information
>
>   Copyright 2001 Carnegie Mellon University.
>
>   Revision History
>Jul 16, 2001: Initial release
>
>-----BEGIN PGP SIGNATURE-----
>Version: PGPfreeware 5.0i for non-commercial use
>Charset: noconv
>
>-----END PGP SIGNATURE-----
>
>----- End forwarded message -----
>
>--
>Ben Lutgens
>Sistina Software Inc.
>Kernel panic: I have no root and I want to scream

--
Ben Lutgens
Sistina Software Inc.
Kernel panic: I have no root and I want to scream
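The advisory quoted above singles out the BER "length of length" field as the encoding group that both OpenLDAP and the iPlanet server failed. As an added illustration, not part of the advisory and not code from OpenLDAP or any other product it names, here is a defensive BER length decoder in C that rejects the malformed length encodings that group exercises: indefinite form (which LDAP does not allow), the reserved 0xFF octet, an implausibly long length-of-length, and a declared length larger than what was actually received. The sample inputs in main() are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Outcome of decoding one BER length field. */
enum ber_status {
    BER_OK = 0,
    BER_ERR_TRUNCATED,       /* input ends before the length field is complete */
    BER_ERR_INDEFINITE,      /* 0x80: indefinite form; LDAP allows only definite lengths */
    BER_ERR_RESERVED,        /* 0xFF as the first length octet is reserved */
    BER_ERR_TOO_MANY_OCTETS, /* length-of-length larger than any LDAP PDU needs */
    BER_ERR_OVERFLOW         /* declared content length exceeds the bytes received */
};

/*
 * Decode the BER length field at buf[0]; `avail` is the number of bytes
 * remaining in the input from buf onward (length octets plus content).
 * On BER_OK, *len is the content length and *hdr the octets consumed.
 */
enum ber_status ber_read_length(const uint8_t *buf, size_t avail,
                                size_t *len, size_t *hdr)
{
    if (avail < 1)
        return BER_ERR_TRUNCATED;

    uint8_t first = buf[0];
    if ((first & 0x80) == 0) {             /* short form: one octet, 0..127 */
        *len = first;
        *hdr = 1;
        return (*len > avail - 1) ? BER_ERR_OVERFLOW : BER_OK;
    }

    size_t n = first & 0x7F;               /* long form: n length octets follow */
    if (n == 0)
        return BER_ERR_INDEFINITE;
    if (n == 0x7F)
        return BER_ERR_RESERVED;
    if (n > 4)                             /* 4 octets already express 4 GiB */
        return BER_ERR_TOO_MANY_OCTETS;
    if (avail < 1 + n)
        return BER_ERR_TRUNCATED;

    size_t value = 0;
    for (size_t i = 1; i <= n; i++)
        value = (value << 8) | buf[i];
    *len = value;
    *hdr = 1 + n;
    /* Without this comparison a crafted length lets the parser read past
       the receive buffer or request an absurd allocation. */
    return (value > avail - (1 + n)) ? BER_ERR_OVERFLOW : BER_OK;
}

/* Constructed samples, each starting where the length field of an LDAP
   SEQUENCE would begin (just after the 0x30 tag octet). */
int main(void)
{
    static const uint8_t valid[] = {0x03, 0x02, 0x01, 0x01};          /* len 3, 3 bytes follow */
    static const uint8_t huge[]  = {0x84, 0xFF, 0xFF, 0xFF, 0xFF};    /* claims 4 GiB */
    static const uint8_t many[]  = {0x89, 0, 0, 0, 0, 0, 0, 0, 0, 0}; /* 9 length octets */
    static const uint8_t indef[] = {0x80, 0x00, 0x00};                /* indefinite form */
    const uint8_t *samples[] = {valid, huge, many, indef};
    const size_t sizes[] = {sizeof valid, sizeof huge, sizeof many, sizeof indef};
    for (size_t i = 0; i < 4; i++) {
        size_t len = 0, hdr = 0;
        enum ber_status st = ber_read_length(samples[i], sizes[i], &len, &hdr);
        printf("sample %zu: status %d len %zu hdr %zu\n", i, (int)st, len, hdr);
    }
    return 0;
}
```

Only the first sample decodes; the other three are rejected before any content octet is touched, which is the behaviour a parser on port 389 needs against the PROTOS encoding cases.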