login_ldap security announcement
From: Peter Werner (peterw@ifost.org.au)
Date: 02/20/03
- Previous message: Dave Ahmad: "[saag] Of potential interest -- Citibank tries to gag crypto bug disclosure (fwd)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 21 Feb 2003 09:09:36 +1100 From: Peter Werner <peterw@ifost.org.au> To: bugtraq@securityfocus.com
Sebastian Stark from Directory Applications for Advanced Security and
Information Management (http://www.daasi.de) has found a serious issue
with login_ldap, affecting all versions. login_ldap is a BSD
Authentication module for authenticating users off an LDAP server, and
runs on OpenBSD and BSD/OS. It is third party software, and is not
part of OpenBSD or BSD/OS.
From http://www.openldap.org/doc/admin/security.html
"An unauthenticated bind results in an anonymous authorization.
Unauthenticated bind mechanism is disabled by default, but can
be enabled by specifying "allow bind_anon_cred" in slapd.conf(5).
As a number of LDAP applications mistakenly generate
unauthenticated bind request when authenticated access was
intended (that is, they do not ensure a password was provided),
this mechanism should generally not be enabled."
In OpenLDAP 2.0.x, the following operations lead to an anonymous bind
by default:
- BIND with DN set but no password provided (bind_anon_dn)
- BIND with no DN but a password was provided (bind_anon_cred)
- BIND with no DN and no password (bind_anon)
You can disable any of those BIND methods by putting 'disallow
<feature>' into your slapd.conf where <feature> stands for the
corresponding keyword given in parentheses above.
In OpenLDAP 2.1.x all but bind_anon are disabled by default. For an
authentication service this is probably what most people want.
login_ldap has been updated to check that a password has been provided.
It is available here: http://www.ifost.org.au/~peterw/login_ldap-3.3.tar.gz
MD5 (login_ldap-3.3.tar.gz) = 52e905d54a136c3d850158f4f7548a3f
The other main change is it no longer installed setuid root, please see the
README included for more information.
I would encourage other people writing LDAP applications to check their
software for this issue. Many thanks to Sebastian for his help with this
issue, work on a suitable fix and this advisory.
Peter Werner
Feb 21, 2003
-- IFOST: http://www.ifost.org.au
- Next message: Lucas Armstrong: "PHPNuke SQL Injection"
- Previous message: Dave Ahmad: "[saag] Of potential interest -- Citibank tries to gag crypto bug disclosure (fwd)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
