CVE-2004-0823

CVSS 7.5 - HIGH
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL

Tags: network, low complexity, openldap, apple, nessus

Summary

OpenLDAP 1.0 through 2.1.19, as used in Apple Mac OS 10.3.4 and 10.3.5 and possibly other operating systems, may allow certain authentication schemes to use hashed (crypt) passwords in the userPassword attribute as if they were plaintext passwords, which allows remote attackers to re-use hashed passwords without decrypting them.

Vulnerable Configurations

Part         Description   Count
Application  Openldap      64
OS           Apple         6

Nessus

  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2005-751.NASL
    description: Updated openldap and nss_ldap packages that correct a potential password disclosure issue are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. OpenLDAP is an open source suite of LDAP (Lightweight Directory Access Protocol) applications and development tools. The nss_ldap module is an extension for use with GNU libc which allows applications to, without internal modification, consult a directory service using LDAP to supplement information that would be read from local files such as /etc/passwd, /etc/group, and /etc/shadow. A bug was found in the way OpenLDAP, nss_ldap, and pam_ldap refer LDAP servers. If a client connection is referred to a different server, it is possible that the referred connection will not be encrypted even if the client has
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 20044
    published: 2005-10-19
    reporter: This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/20044
    title: RHEL 2.1 / 3 : openldap and nss_ldap (RHSA-2005:751)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2005:751. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(20044);
      script_version ("1.24");
      script_cvs_date("Date: 2019/10/25 13:36:11");
    
      script_cve_id("CVE-2004-0823", "CVE-2005-2069");
      script_xref(name:"RHSA", value:"2005:751");
    
      script_name(english:"RHEL 2.1 / 3 : openldap and nss_ldap (RHSA-2005:751)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated openldap and nss_ldap packages that correct a potential
    password disclosure issue are now available.
    
    This update has been rated as having moderate security impact by the
    Red Hat Security Response Team.
    
    OpenLDAP is an open source suite of LDAP (Lightweight Directory Access
    Protocol) applications and development tools.
    
    The nss_ldap module is an extension for use with GNU libc which allows
    applications to, without internal modification, consult a directory
    service using LDAP to supplement information that would be read from
    local files such as /etc/passwd, /etc/group, and /etc/shadow.
    
    A bug was found in the way OpenLDAP, nss_ldap, and pam_ldap refer LDAP
    servers. If a client connection is referred to a different server, it
    is possible that the referred connection will not be encrypted even if
    the client has 'ssl start_tls' in its ldap.conf file. The Common
    Vulnerabilities and Exposures project has assigned the name
    CVE-2005-2069 to this issue.
    
    A bug was also found in the way certain OpenLDAP authentication
    schemes store hashed passwords. A remote attacker could re-use a
    hashed password to gain access to unauthorized resources. The Common
    Vulnerabilities and Exposures project has assigned the name
    CVE-2004-0823 to this issue.
    
    All users of OpenLDAP and nss_ldap are advised to upgrade to these
    updated packages, which contain backported fixes that resolve these
    issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2004-0823"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2005-2069"
      );
      # http://marc.theaimsgroup.com/?l=pamldap&m=112432721728160&w=2
      script_set_attribute(
        attribute:"see_also",
        value:"https://marc.info/?l=pamldap&m=112432721728160&w=2"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2005:751"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:nss_ldap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openldap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openldap-clients");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openldap-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openldap-servers");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:2.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:3");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2004/09/07");
      script_set_attribute(attribute:"patch_publication_date", value:"2005/10/17");
      script_set_attribute(attribute:"plugin_publication_date", value:"2005/10/19");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(2\.1|3)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 2.1 / 3.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2005:751";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"nss_ldap-189-13")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"openldap-2.0.27-4.9")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"openldap-clients-2.0.27-4.9")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"openldap-devel-2.0.27-4.9")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"openldap-servers-2.0.27-4.9")) flag++;
    
      if (rpm_check(release:"RHEL3", reference:"nss_ldap-207-17")) flag++;
      if (rpm_check(release:"RHEL3", reference:"openldap-2.0.27-20")) flag++;
      if (rpm_check(release:"RHEL3", reference:"openldap-clients-2.0.27-20")) flag++;
      if (rpm_check(release:"RHEL3", reference:"openldap-devel-2.0.27-20")) flag++;
      if (rpm_check(release:"RHEL3", reference:"openldap-servers-2.0.27-20")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "nss_ldap / openldap / openldap-clients / openldap-devel / etc");
      }
    }
    
  • NASL family: CentOS Local Security Checks
    NASL id: CENTOS_RHSA-2005-751.NASL
    description: Updated openldap and nss_ldap packages that correct a potential password disclosure issue are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. OpenLDAP is an open source suite of LDAP (Lightweight Directory Access Protocol) applications and development tools. The nss_ldap module is an extension for use with GNU libc which allows applications to, without internal modification, consult a directory service using LDAP to supplement information that would be read from local files such as /etc/passwd, /etc/group, and /etc/shadow. A bug was found in the way OpenLDAP, nss_ldap, and pam_ldap refer LDAP servers. If a client connection is referred to a different server, it is possible that the referred connection will not be encrypted even if the client has
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 21852
    published: 2006-07-03
    reporter: This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/21852
    title: CentOS 3 : openldap / nss_ldap (CESA-2005:751)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2005:751 and 
    # CentOS Errata and Security Advisory 2005:751 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(21852);
      script_version("1.16");
      script_cvs_date("Date: 2019/10/25 13:36:02");
    
      script_cve_id("CVE-2004-0823", "CVE-2005-2069");
      script_xref(name:"RHSA", value:"2005:751");
    
      script_name(english:"CentOS 3 : openldap / nss_ldap (CESA-2005:751)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote CentOS host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated openldap and nss_ldap packages that correct a potential
    password disclosure issue are now available.
    
    This update has been rated as having moderate security impact by the
    Red Hat Security Response Team.
    
    OpenLDAP is an open source suite of LDAP (Lightweight Directory Access
    Protocol) applications and development tools.
    
    The nss_ldap module is an extension for use with GNU libc which allows
    applications to, without internal modification, consult a directory
    service using LDAP to supplement information that would be read from
    local files such as /etc/passwd, /etc/group, and /etc/shadow.
    
    A bug was found in the way OpenLDAP, nss_ldap, and pam_ldap refer LDAP
    servers. If a client connection is referred to a different server, it
    is possible that the referred connection will not be encrypted even if
    the client has 'ssl start_tls' in its ldap.conf file. The Common
    Vulnerabilities and Exposures project has assigned the name
    CVE-2005-2069 to this issue.
    
    A bug was also found in the way certain OpenLDAP authentication
    schemes store hashed passwords. A remote attacker could re-use a
    hashed password to gain access to unauthorized resources. The Common
    Vulnerabilities and Exposures project has assigned the name
    CVE-2004-0823 to this issue.
    
    All users of OpenLDAP and nss_ldap are advised to upgrade to these
    updated packages, which contain backported fixes that resolve these
    issues."
      );
      # https://lists.centos.org/pipermail/centos-announce/2005-October/012290.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?e132cf06"
      );
      # https://lists.centos.org/pipermail/centos-announce/2005-October/012291.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?63b3ce1a"
      );
      # https://lists.centos.org/pipermail/centos-announce/2005-October/012294.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?411ceb95"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected nss_ldap and / or openldap packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:nss_ldap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openldap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openldap-clients");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openldap-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openldap-servers");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:3");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2004/09/07");
      script_set_attribute(attribute:"patch_publication_date", value:"2005/10/17");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/07/03");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"CentOS Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/CentOS/release");
    if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS");
    os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS");
    os_ver = os_ver[1];
    if (! preg(pattern:"^3([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 3.x", "CentOS " + os_ver);
    
    if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && "ia64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"CentOS-3", reference:"nss_ldap-207-17")) flag++;
    if (rpm_check(release:"CentOS-3", reference:"openldap-2.0.27-20")) flag++;
    if (rpm_check(release:"CentOS-3", reference:"openldap-clients-2.0.27-20")) flag++;
    if (rpm_check(release:"CentOS-3", reference:"openldap-devel-2.0.27-20")) flag++;
    if (rpm_check(release:"CentOS-3", reference:"openldap-servers-2.0.27-20")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "nss_ldap / openldap / openldap-clients / openldap-devel / etc");
    }
    
  • NASL family: MacOS X Local Security Checks
    NASL id: MACOSX_SECUPD20040907.NASL
    description: The remote host is missing Security Update 2004-09-07. This security update fixes the following components : - CoreFoundation - IPSec - Kerberos - libpcap - lukemftpd - NetworkConfig - OpenLDAP - OpenSSH - PPPDialer - rsync - Safari - tcpdump These applications contain multiple vulnerabilities that may allow a remote attacker to execute arbitrary code.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 14676
    published: 2004-09-08
    reporter: This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/14676
    title: Mac OS X Multiple Vulnerabilities (Security Update 2004-09-07)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    if ( ! defined_func("bn_random") ) exit(0);
    if (NASL_LEVEL < 3000) exit(0);
    
    include("compat.inc");
    
    if(description)
    {
     script_id(14676);
     script_version ("1.25");
    
      script_cve_id("CVE-2004-0175", "CVE-2004-0183", "CVE-2004-0184", "CVE-2004-0361", "CVE-2004-0426", 
                    "CVE-2004-0488", "CVE-2004-0493", "CVE-2004-0521", "CVE-2004-0523", "CVE-2004-0607",
                    "CVE-2004-0720", "CVE-2004-0794", "CVE-2004-0821", "CVE-2004-0822", "CVE-2004-0823",
                    "CVE-2004-0824", "CVE-2004-0825");
      script_bugtraq_id(9815, 9986, 10003, 10004, 10247, 10397, 11135, 11136, 11137, 11138, 11139, 11140);
    
     script_name(english:"Mac OS X Multiple Vulnerabilities (Security Update 2004-09-07)");
     script_summary(english:"Check for Security Update 2004-09-07");
     
     script_set_attribute( attribute:"synopsis", value:
    "The remote host is missing a Mac OS X update that fixes a security
    issue." );
     script_set_attribute( attribute:"description",  value:
    "The remote host is missing Security Update 2004-09-07.  This security
    update fixes the following components :
    
      - CoreFoundation
      - IPSec
      - Kerberos
      - libpcap
      - lukemftpd
      - NetworkConfig
      - OpenLDAP
      - OpenSSH
      - PPPDialer
      - rsync
      - Safari
      - tcpdump
    
    These applications contain multiple vulnerabilities that may allow
    a remote attacker to execute arbitrary code." );
     # http://web.archive.org/web/20080915104713/http://support.apple.com/kb/HT1646?
     script_set_attribute(
       attribute:"see_also",
       value:"http://www.nessus.org/u?210abeb5"
     );
     script_set_attribute(
       attribute:"solution", 
       value:"Install Security Update 2004-09-07."
     );
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
     script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"true");
     script_cwe_id(22);
     script_set_attribute(attribute:"plugin_publication_date", value: "2004/09/08");
     script_set_attribute(attribute:"vuln_publication_date", value: "2004/03/08");
     script_set_attribute(attribute:"patch_publication_date", value: "2004/09/08");
     script_cvs_date("Date: 2018/07/14  1:59:35");
     script_set_attribute(attribute:"plugin_type", value:"local");
     script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:mac_os_x");
     script_end_attributes();
    
     script_category(ACT_GATHER_INFO);
     script_family(english:"MacOS X Local Security Checks");
    
     script_copyright(english:"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.");
    
     script_dependencies("ssh_get_info.nasl");
     script_require_keys("Host/MacOSX/packages");
     exit(0);
    }
    
    
    packages = get_kb_item("Host/MacOSX/packages");
    if ( ! packages ) exit(0);
    
    uname = get_kb_item("Host/uname");
    # MacOS X 10.2.8, 10.3.4 and 10.3.5 only
    if ( egrep(pattern:"Darwin.* (6\.8\.|7\.[45]\.)", string:uname) )
    {
      if ( ! egrep(pattern:"^SecUpd(Srvr)?2004-09-07", string:packages) ) security_hole(0);
    }
    

Oval

accepted: 2013-04-29T04:07:54.854-04:00
class: vulnerability
contributors:
  • name: Aharon Chernin
    organization: SCAP.com, LLC
  • name: Dragos Prisaca
    organization: G2, Inc.
definition_extensions:
  • comment: The operating system installed on the system is Red Hat Enterprise Linux 3
    oval: oval:org.mitre.oval:def:11782
  • comment: CentOS Linux 3.x
    oval: oval:org.mitre.oval:def:16651
description: OpenLDAP 1.0 through 2.1.19, as used in Apple Mac OS 10.3.4 and 10.3.5 and possibly other operating systems, may allow certain authentication schemes to use hashed (crypt) passwords in the userPassword attribute as if they were plaintext passwords, which allows remote attackers to re-use hashed passwords without decrypting them.
family: unix
id: oval:org.mitre.oval:def:10703
status: accepted
submitted: 2010-07-09T03:56:16-04:00
title: OpenLDAP 1.0 through 2.1.19, as used in Apple Mac OS 10.3.4 and 10.3.5 and possibly other operating systems, may allow certain authentication schemes to use hashed (crypt) passwords in the userPassword attribute as if they were plaintext passwords, which allows remote attackers to re-use hashed passwords without decrypting them.
version: 26

Redhat

advisories:
rhsa:
id: RHSA-2005:751
rpms:
  • nss_ldap-0:207-17
  • nss_ldap-debuginfo-0:207-17
  • openldap-0:2.0.27-20
  • openldap-clients-0:2.0.27-20
  • openldap-debuginfo-0:2.0.27-20
  • openldap-devel-0:2.0.27-20
  • openldap-servers-0:2.0.27-20