CVE-2005-2069 - Cleartext Transmission of Sensitive Information vulnerability in Padl NSS Ldap and PAM Ldap

CVSS v2 base score 5.0 - MEDIUM (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: NONE
Availability impact: NONE

Tags: network, low complexity, padl, CWE-319, nessus

Summary

pam_ldap and nss_ldap, when used with OpenLDAP and connecting to a slave over TLS, do not use TLS for the subsequent connection if the client is referred to a master, even when ldap.conf contains 'ssl start_tls'. The rebind against the master can therefore send the user's password in cleartext, and a remote attacker on the network path can sniff it. The CVSS vector above scores this issue on its own (confidentiality only, no authentication needed); the Nessus plugins below carry a higher base vector (C:P/I:P/A:P) because each of them also covers a second CVE, either CVE-2005-2641 (pam_ldap authentication bypass) or CVE-2004-0823 (OpenLDAP hashed-password reuse).
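
The referral path described above, modelled as an added Python example. This is not pam_ldap, nss_ldap or OpenLDAP code: the host names, the `Directory` stub that answers every bind with a referral, and the per-connection `wire` list (what a passive sniffer on that hop would see) are assumptions made for illustration. The vulnerable branch opens the referred connection with library defaults and rebinds, so the password crosses the second hop in clear; the fixed branch carries the `ssl start_tls` policy to the new hop and additionally refuses to send a simple bind over a connection that is not protected, which is the fail-closed check a client should have regardless of how the referral is handled.

```python
"""Model of the CVE-2005-2069 referral-chasing flaw and its fix (constructed)."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit


class CleartextBindRefused(Exception):
    """Raised when a simple bind would go out over an unprotected connection."""


@dataclass
class Conn:
    host: str
    tls: bool = False
    wire: list = field(default_factory=list)  # sniffer's view of this hop (assumption)

    def start_tls(self):
        self.wire.append(("StartTLS", None))
        self.tls = True

    def simple_bind(self, dn, password, require_tls=False):
        if require_tls and not self.tls:
            raise CleartextBindRefused(self.host)
        # Once TLS is up the sniffer only sees ciphertext, modelled here as None.
        self.wire.append(("BindRequest", None if self.tls else (dn, password)))


def connect(url, start_tls):
    """Open a connection the way the client's ldap.conf says to.

    ldaps:// is encrypted from the first byte; ldap:// is plaintext unless
    'ssl start_tls' is configured, in which case StartTLS runs before any bind.
    """
    parts = urlsplit(url)
    conn = Conn(parts.hostname, tls=(parts.scheme == "ldaps"))
    if parts.scheme == "ldap" and start_tls:
        conn.start_tls()
    return conn


class Directory:
    """Constructed slave that answers every bind with a referral to its master."""

    def __init__(self, master_url):
        self.master_url = master_url

    def bind(self, conn, dn, password):
        return ("referral", self.master_url)


def bind_following_referral(slave_url, slave, dn, password, *, start_tls, fixed):
    """Bind to the slave; on referral, rebind against the master.

    fixed=False reproduces the bug: the referred connection is opened with
    defaults (no StartTLS) and the rebind sends the password in clear.
    fixed=True carries the TLS policy to the new hop and refuses a simple
    bind over any connection that is not protected.
    """
    first = connect(slave_url, start_tls)
    first.simple_bind(dn, password, require_tls=fixed and start_tls)
    hops = [first]
    result = slave.bind(first, dn, password)
    if result[0] == "referral":
        if fixed:
            second = connect(result[1], start_tls)  # inherit the TLS policy
            second.simple_bind(dn, password, require_tls=start_tls)
        else:
            second = Conn(urlsplit(result[1]).hostname)  # bug: bare connection
            second.simple_bind(dn, password)
        hops.append(second)
    return hops


def sniffed_passwords(hops):
    """Return (host, dn, password) for every bind a passive sniffer could read."""
    return [(c.host, *payload) for c in hops
            for op, payload in c.wire if op == "BindRequest" and payload]


if __name__ == "__main__":
    slave = Directory("ldap://master.example.com/")
    for fixed in (False, True):
        hops = bind_following_referral("ldap://slave.example.com/", slave,
                                       "uid=alice,dc=example,dc=com", "s3cret",
                                       start_tls=True, fixed=fixed)
        print("fixed" if fixed else "vulnerable", sniffed_passwords(hops))
```

Note that with `start_tls=False` even the fixed branch sends the bind in clear on both hops: the fix only guarantees that the referred connection gets the same protection the first one had, so the client configuration still has to require TLS.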

Vulnerable Configurations

Part         Description   Count
Application  Padl          2
Application  Openldap      1

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Session Sidejacking
    Session sidejacking takes advantage of an unencrypted communication channel between a victim and target system. The attacker sniffs traffic on a network looking for session tokens in unencrypted traffic. Once a session token is captured, the attacker performs malicious actions by using the stolen token with the targeted application to impersonate the victim. This attack is a specific method of session hijacking, which is exploiting a valid session token to gain unauthorized access to a target system or information. Other methods to perform a session hijacking are session fixation, cross-site scripting, or compromising a user or server machine and stealing the session token.
  • Footprinting
    An attacker engages in probing and exploration activity to identify constituents and properties of the target. Footprinting is a general term to describe a variety of information gathering techniques, often used by attackers in preparation for some attack. It consists of using tools to learn as much as possible about the composition, configuration, and security mechanisms of the targeted application, system or network. Information that might be collected during a footprinting effort could include open ports, applications and their versions, network topology, and similar information. While footprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks.
  • Harvesting Usernames or UserIDs via Application API Event Monitoring
    An attacker hosts an event within an application framework and then monitors the data exchanged during the course of the event for the purpose of harvesting any important data leaked during the transactions. One example could be harvesting lists of usernames or userIDs for the purpose of sending spam messages to those users. One example of this type of attack involves the attacker creating an event within the sub-application. Assume the attacker hosts a "virtual sale" of rare items. As other users enter the event, the attacker records via MITM proxy the user_ids and usernames of everyone who attends. The attacker would then be able to spam those users within the application using an automated script.
  • Signature Spoofing by Mixing Signed and Unsigned Content
    An attacker exploits the underlying complexity of a data structure that allows for both signed and unsigned content, to cause unsigned data to be processed as though it were signed data.
  • Passively Sniff and Capture Application Code Bound for Authorized Client
    Attackers can capture application code bound for the client and can use it, as-is or through reverse-engineering, to glean sensitive information or exploit the trust relationship between the client and server. Such code may belong to a dynamic update to the client, a patch being applied to a client component or any such interaction where the client is authorized to communicate with the server.
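
Session sidejacking, the first pattern above, is the passive sniffing that turns this bug into a credential loss. The detection side, as an added example that is not part of the original page or of any vendor tool: a minimal BER decoder for LDAP PDUs that flags every simple BindRequest with a non-empty password sent on port 389 before a StartTLS exchange succeeded on that connection. The encoder functions exist only to build the sample capture inline; the capture, connection ids and DN are constructed.

```python
"""Detect cleartext LDAP simple binds in per-connection streams (constructed example)."""
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"


def ber_len(n):
    """Definite-length BER length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + ber_len(len(content)) + content


def parse_tlv(buf, off=0):
    """Return (tag, content, next_offset) for the TLV at buf[off:]. LDAP uses
    single-byte tags only, so high-tag-number form is not handled."""
    tag, ln = buf[off], buf[off + 1]
    off += 2
    if ln & 0x80:
        n = ln & 0x7F
        ln = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + ln], off + ln


def children(content):
    out, off = [], 0
    while off < len(content):
        tag, body, off = parse_tlv(content, off)
        out.append((tag, body))
    return out


# Encoders used only to build the constructed capture below.
def bind_request(msg_id, dn, password):          # [APPLICATION 0], simple auth [0]
    op = tlv(0x60, tlv(0x02, b"\x03") + tlv(0x04, dn) + tlv(0x80, password))
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + op)


def starttls_request(msg_id):                    # ExtendedRequest [APPLICATION 23]
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x77, tlv(0x80, STARTTLS_OID)))


def starttls_success(msg_id):                    # ExtendedResponse [APPLICATION 24]
    body = tlv(0x0A, b"\x00") + tlv(0x04, b"") + tlv(0x04, b"")
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x78, body))


def cleartext_simple_binds(conn_id, dst_port, messages):
    """Scan one connection's PDUs in order; return (conn_id, msg_id, bind DN)
    for each simple bind with a password that left before TLS was up.

    messages: list of (direction, pdu_bytes), direction 'c' or 's'. LDAPS (636)
    is encrypted before any PDU, so it is skipped; on 389 a bind is clear until
    the server has answered a StartTLS request with resultCode success.
    """
    findings = []
    if dst_port == 636:
        return findings
    pending_starttls, tls_up = set(), False
    for direction, pdu in messages:
        if tls_up:
            break  # everything after the StartTLS success is TLS ciphertext
        parts = children(parse_tlv(pdu)[1])      # [(0x02, id), (op tag, body), ...]
        msg_id = int.from_bytes(parts[0][1], "big")
        tag, body = parts[1]
        if direction == "c" and tag == 0x60:     # BindRequest
            _version, name, auth = children(body)[:3]
            if auth[0] == 0x80 and auth[1]:      # simple auth with a non-empty password
                findings.append((conn_id, msg_id, name[1].decode()))
        elif direction == "c" and tag == 0x77:   # ExtendedRequest
            if children(body)[0] == (0x80, STARTTLS_OID):
                pending_starttls.add(msg_id)
        elif direction == "s" and tag == 0x78 and msg_id in pending_starttls:
            if children(body)[0][1] == b"\x00":  # resultCode success(0)
                tls_up = True
    return findings


SAMPLE_CAPTURE = [  # constructed: (conn_id, dst_port, [(direction, pdu), ...])
    # hop 1: client honours 'ssl start_tls' against the slave; bind goes under TLS
    ("c1", 389, [("c", starttls_request(1)), ("s", starttls_success(1)),
                 ("c", b"\x16\x03\x01\x00\x05hello")]),   # stand-in TLS record
    # hop 2: referred to the master; the buggy rebind skips StartTLS
    ("c2", 389, [("c", bind_request(1, b"uid=alice,dc=example,dc=com", b"s3cret"))]),
    # anonymous bind: nothing to leak
    ("c3", 389, [("c", bind_request(1, b"", b""))]),
    # ldaps: encrypted from the first byte
    ("c4", 636, [("c", b"\x16\x03\x01\x00\x05hello")]),
]


def scan(capture):
    out = []
    for conn_id, port, msgs in capture:
        out.extend(cleartext_simple_binds(conn_id, port, msgs))
    return out


if __name__ == "__main__":
    for finding in scan(SAMPLE_CAPTURE):
        print("cleartext simple bind:", finding)
```

The finding deliberately reports the bind DN and message id but never the password itself, so the alert can be shipped to a SIEM without re-leaking the credential it is warning about.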

Nessus

  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2005-767.NASL
    description: Updated openldap and nss_ldap packages that correct a potential password disclosure issue and possible authentication vulnerability are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. OpenLDAP is an open source suite of LDAP (Lightweight Directory Access Protocol) applications and development tools. The nss_ldap module is an extension for use with GNU libc which allows applications to, without internal modification, consult a directory service using LDAP to supplement information that would be read from local files such as /etc/passwd, /etc/group, and /etc/shadow. A bug was found in the way OpenLDAP, nss_ldap, and pam_ldap refer LDAP servers. If a client connection is referred to a different server, it is possible that the referred connection will not be encrypted even if the client has
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 20046
    published: 2005-10-19
    reporter: This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/20046
    title: RHEL 4 : openldap and nss_ldap (RHSA-2005:767)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2005:767. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(20046);
      script_version ("1.25");
      script_cvs_date("Date: 2019/10/25 13:36:11");
    
      script_cve_id("CVE-2005-2069", "CVE-2005-2641");
      script_bugtraq_id(14125, 14126);
      script_xref(name:"RHSA", value:"2005:767");
    
      script_name(english:"RHEL 4 : openldap and nss_ldap (RHSA-2005:767)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated openldap and nss_ldap packages that correct a potential
    password disclosure issue and possible authentication vulnerability
    are now available.
    
    This update has been rated as having moderate security impact by the
    Red Hat Security Response Team.
    
    OpenLDAP is an open source suite of LDAP (Lightweight Directory Access
    Protocol) applications and development tools.
    
    The nss_ldap module is an extension for use with GNU libc which allows
    applications to, without internal modification, consult a directory
    service using LDAP to supplement information that would be read from
    local files such as /etc/passwd, /etc/group, and /etc/shadow.
    
    A bug was found in the way OpenLDAP, nss_ldap, and pam_ldap refer LDAP
    servers. If a client connection is referred to a different server, it
    is possible that the referred connection will not be encrypted even if
    the client has 'ssl start_tls' in its ldap.conf file. The Common
    Vulnerabilities and Exposures project has assigned the name
    CVE-2005-2069 to this issue.
    
    A bug was found in the way the pam_ldap module processed certain
    failure messages. If the server includes supplemental data in an
    authentication failure result message, but the data does not include
    any specific error code, the pam_ldap module would proceed as if the
    authentication request had succeeded, and authentication would
    succeed. The Common Vulnerabilities and Exposures project has assigned
    the name CVE-2005-2641 to this issue.
    
    Additionally the following issues are corrected in this erratum.
    
      - The OpenLDAP upgrading documentation has been updated.
    
      - Fix a database deadlock locking issue.
    
      - A fix where slaptest segfaults on exit after successful
        check.
    
      - The library libslapd_db-4.2.so is now located in an
        architecture-dependent directory.
    
      - The LDAP client no longer enters an infinite loop when
        the server returns a reference to itself.
    
      - The pam_ldap module adds the ability to check user
        passwords using a directory server to PAM-aware
        applications.
    
      - The directory server can now include supplemental
        information regarding the state of the user's account if
        a client indicates that it supports such a feature.
    
    All users of OpenLDAP and nss_ldap are advised to upgrade to these
    updated packages, which contain backported fixes that resolve these
    issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2005-2069"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2005-2641"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2005:767"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:compat-openldap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:nss_ldap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openldap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openldap-clients");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openldap-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openldap-servers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openldap-servers-sql");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:4");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2005/06/30");
      script_set_attribute(attribute:"patch_publication_date", value:"2005/10/17");
      script_set_attribute(attribute:"plugin_publication_date", value:"2005/10/19");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^4([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 4.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2005:767";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL4", reference:"compat-openldap-2.1.30-4")) flag++;
      if (rpm_check(release:"RHEL4", reference:"nss_ldap-226-10")) flag++;
      if (rpm_check(release:"RHEL4", reference:"openldap-2.2.13-4")) flag++;
      if (rpm_check(release:"RHEL4", reference:"openldap-clients-2.2.13-4")) flag++;
      if (rpm_check(release:"RHEL4", reference:"openldap-devel-2.2.13-4")) flag++;
      if (rpm_check(release:"RHEL4", reference:"openldap-servers-2.2.13-4")) flag++;
      if (rpm_check(release:"RHEL4", reference:"openldap-servers-sql-2.2.13-4")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "compat-openldap / nss_ldap / openldap / openldap-clients / etc");
      }
    }
    
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2005-751.NASL
    description: Updated openldap and nss_ldap packages that correct a potential password disclosure issue are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. OpenLDAP is an open source suite of LDAP (Lightweight Directory Access Protocol) applications and development tools. The nss_ldap module is an extension for use with GNU libc which allows applications to, without internal modification, consult a directory service using LDAP to supplement information that would be read from local files such as /etc/passwd, /etc/group, and /etc/shadow. A bug was found in the way OpenLDAP, nss_ldap, and pam_ldap refer LDAP servers. If a client connection is referred to a different server, it is possible that the referred connection will not be encrypted even if the client has
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 20044
    published: 2005-10-19
    reporter: This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/20044
    title: RHEL 2.1 / 3 : openldap and nss_ldap (RHSA-2005:751)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2005:751. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(20044);
      script_version ("1.24");
      script_cvs_date("Date: 2019/10/25 13:36:11");
    
      script_cve_id("CVE-2004-0823", "CVE-2005-2069");
      script_xref(name:"RHSA", value:"2005:751");
    
      script_name(english:"RHEL 2.1 / 3 : openldap and nss_ldap (RHSA-2005:751)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated openldap and nss_ldap packages that correct a potential
    password disclosure issue are now available.
    
    This update has been rated as having moderate security impact by the
    Red Hat Security Response Team.
    
    OpenLDAP is an open source suite of LDAP (Lightweight Directory Access
    Protocol) applications and development tools.
    
    The nss_ldap module is an extension for use with GNU libc which allows
    applications to, without internal modification, consult a directory
    service using LDAP to supplement information that would be read from
    local files such as /etc/passwd, /etc/group, and /etc/shadow.
    
    A bug was found in the way OpenLDAP, nss_ldap, and pam_ldap refer LDAP
    servers. If a client connection is referred to a different server, it
    is possible that the referred connection will not be encrypted even if
    the client has 'ssl start_tls' in its ldap.conf file. The Common
    Vulnerabilities and Exposures project has assigned the name
    CVE-2005-2069 to this issue.
    
    A bug was also found in the way certain OpenLDAP authentication
    schemes store hashed passwords. A remote attacker could re-use a
    hashed password to gain access to unauthorized resources. The Common
    Vulnerabilities and Exposures project has assigned the name
    CVE-2004-0823 to this issue.
    
    All users of OpenLDAP and nss_ldap are advised to upgrade to these
    updated packages, which contain backported fixes that resolve these
    issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2004-0823"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2005-2069"
      );
      # http://marc.theaimsgroup.com/?l=pamldap&m=112432721728160&w=2
      script_set_attribute(
        attribute:"see_also",
        value:"https://marc.info/?l=pamldap&m=112432721728160&w=2"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2005:751"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:nss_ldap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openldap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openldap-clients");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openldap-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openldap-servers");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:2.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:3");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2004/09/07");
      script_set_attribute(attribute:"patch_publication_date", value:"2005/10/17");
      script_set_attribute(attribute:"plugin_publication_date", value:"2005/10/19");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(2\.1|3)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 2.1 / 3.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2005:751";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"nss_ldap-189-13")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"openldap-2.0.27-4.9")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"openldap-clients-2.0.27-4.9")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"openldap-devel-2.0.27-4.9")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"openldap-servers-2.0.27-4.9")) flag++;
    
      if (rpm_check(release:"RHEL3", reference:"nss_ldap-207-17")) flag++;
      if (rpm_check(release:"RHEL3", reference:"openldap-2.0.27-20")) flag++;
      if (rpm_check(release:"RHEL3", reference:"openldap-clients-2.0.27-20")) flag++;
      if (rpm_check(release:"RHEL3", reference:"openldap-devel-2.0.27-20")) flag++;
      if (rpm_check(release:"RHEL3", reference:"openldap-servers-2.0.27-20")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "nss_ldap / openldap / openldap-clients / openldap-devel / etc");
      }
    }
    
  • NASL family: CentOS Local Security Checks
    NASL id: CENTOS_RHSA-2005-751.NASL
    description: Updated openldap and nss_ldap packages that correct a potential password disclosure issue are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. OpenLDAP is an open source suite of LDAP (Lightweight Directory Access Protocol) applications and development tools. The nss_ldap module is an extension for use with GNU libc which allows applications to, without internal modification, consult a directory service using LDAP to supplement information that would be read from local files such as /etc/passwd, /etc/group, and /etc/shadow. A bug was found in the way OpenLDAP, nss_ldap, and pam_ldap refer LDAP servers. If a client connection is referred to a different server, it is possible that the referred connection will not be encrypted even if the client has
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 21852
    published: 2006-07-03
    reporter: This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/21852
    title: CentOS 3 : openldap / nss_ldap (CESA-2005:751)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2005:751 and 
    # CentOS Errata and Security Advisory 2005:751 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(21852);
      script_version("1.16");
      script_cvs_date("Date: 2019/10/25 13:36:02");
    
      script_cve_id("CVE-2004-0823", "CVE-2005-2069");
      script_xref(name:"RHSA", value:"2005:751");
    
      script_name(english:"CentOS 3 : openldap / nss_ldap (CESA-2005:751)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote CentOS host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated openldap and nss_ldap packages that correct a potential
    password disclosure issue are now available.
    
    This update has been rated as having moderate security impact by the
    Red Hat Security Response Team.
    
    OpenLDAP is an open source suite of LDAP (Lightweight Directory Access
    Protocol) applications and development tools.
    
    The nss_ldap module is an extension for use with GNU libc which allows
    applications to, without internal modification, consult a directory
    service using LDAP to supplement information that would be read from
    local files such as /etc/passwd, /etc/group, and /etc/shadow.
    
    A bug was found in the way OpenLDAP, nss_ldap, and pam_ldap refer LDAP
    servers. If a client connection is referred to a different server, it
    is possible that the referred connection will not be encrypted even if
    the client has 'ssl start_tls' in its ldap.conf file. The Common
    Vulnerabilities and Exposures project has assigned the name
    CVE-2005-2069 to this issue.
    
    A bug was also found in the way certain OpenLDAP authentication
    schemes store hashed passwords. A remote attacker could re-use a
    hashed password to gain access to unauthorized resources. The Common
    Vulnerabilities and Exposures project has assigned the name
    CVE-2004-0823 to this issue.
    
    All users of OpenLDAP and nss_ldap are advised to upgrade to these
    updated packages, which contain backported fixes that resolve these
    issues."
      );
      # https://lists.centos.org/pipermail/centos-announce/2005-October/012290.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?e132cf06"
      );
      # https://lists.centos.org/pipermail/centos-announce/2005-October/012291.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?63b3ce1a"
      );
      # https://lists.centos.org/pipermail/centos-announce/2005-October/012294.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?411ceb95"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected nss_ldap and / or openldap packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:nss_ldap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openldap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openldap-clients");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openldap-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:openldap-servers");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:3");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2004/09/07");
      script_set_attribute(attribute:"patch_publication_date", value:"2005/10/17");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/07/03");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"CentOS Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/CentOS/release");
    if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS");
    os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS");
    os_ver = os_ver[1];
    if (! preg(pattern:"^3([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 3.x", "CentOS " + os_ver);
    
    if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && "ia64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"CentOS-3", reference:"nss_ldap-207-17")) flag++;
    if (rpm_check(release:"CentOS-3", reference:"openldap-2.0.27-20")) flag++;
    if (rpm_check(release:"CentOS-3", reference:"openldap-clients-2.0.27-20")) flag++;
    if (rpm_check(release:"CentOS-3", reference:"openldap-devel-2.0.27-20")) flag++;
    if (rpm_check(release:"CentOS-3", reference:"openldap-servers-2.0.27-20")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "nss_ldap / openldap / openldap-clients / openldap-devel / etc");
    }
    
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-785.NASL
    description: It has been discovered that libpam-ldap, the Pluggable Authentication Module allowing LDAP interfaces, ignores the result of an attempt to authenticate against an LDAP server that does not set an optional data field.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 19528
    published: 2005-08-30
    reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/19528
    title: Debian DSA-785-1 : libpam-ldap - authentication bypass
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-785. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(19528);
      script_version("1.20");
      script_cvs_date("Date: 2019/08/02 13:32:18");
    
      script_cve_id("CVE-2005-2069", "CVE-2005-2641");
      script_xref(name:"CERT", value:"778916");
      script_xref(name:"DSA", value:"785");
    
      script_name(english:"Debian DSA-785-1 : libpam-ldap - authentication bypass");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "It has been discovered that libpam-ldap, the Pluggable Authentication
    Module allowing LDAP interfaces, ignores the result of an attempt to
    authenticate against an LDAP server that does not set an optional data
    field."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.debian.org/security/2005/dsa-785"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the libpam-ldap package.
    
    The old stable distribution (woody) is not affected by this problem.
    
    For the stable distribution (sarge) this problem has been fixed in
    version 178-1sarge1."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libpam-ldap");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2005/08/25");
      script_set_attribute(attribute:"plugin_publication_date", value:"2005/08/30");
      script_set_attribute(attribute:"vuln_publication_date", value:"2005/08/24");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"3.1", prefix:"libpam-ldap", reference:"178-1sarge1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: CentOS Local Security Checks
    NASL id: CENTOS_RHSA-2005-767.NASL
    description: Updated openldap and nss_ldap packages that correct a potential password disclosure issue and possible authentication vulnerability are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. OpenLDAP is an open source suite of LDAP (Lightweight Directory Access Protocol) applications and development tools. The nss_ldap module is an extension for use with GNU libc which allows applications to, without internal modification, consult a directory service using LDAP to supplement information that would be read from local files such as /etc/passwd, /etc/group, and /etc/shadow. A bug was found in the way OpenLDAP, nss_ldap, and pam_ldap refer LDAP servers. If a client connection is referred to a different server, it is possible that the referred connection will not be encrypted even if the client has
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 21961
    published: 2006-07-05
    reporter: This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/21961
    title: CentOS 4 : openldap / nss_ldap (CESA-2005:767)
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRAKE_MDKSA-2005-121.NASL
    description: Rob Holland, of the Gentoo Security Audit Team, discovered that pam_ldap and nss_ldap would not use TLS for referred connections if they are referred to a master after connecting to a slave, regardless of the
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 19226
    published: 2005-07-19
    reporter: This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/19226
    title: Mandrake Linux Security Advisory : nss_ldap (MDKSA-2005:121)
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-200507-13.NASL
    description: The remote host is affected by the vulnerability described in GLSA-200507-13 (pam_ldap and nss_ldap: Plain text authentication leak) Rob Holland of the Gentoo Security Audit Team discovered that pam_ldap and nss_ldap fail to use TLS for referred connections if they are referred to a master after connecting to a slave, regardless of the
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 19200
    published: 2005-07-14
    reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/19200
    title: GLSA-200507-13 : pam_ldap and nss_ldap: Plain text authentication leak
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-152-1.NASL
    description: Andrea Barisani discovered a flaw in the SSL handling of pam-ldap and libnss-ldap. When a client connected to a slave LDAP server using SSL, the slave server did not use SSL as well when contacting the LDAP master server. This caused passwords and other confidential information to be transmitted unencrypted between the slave and the master. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 20553
    published: 2006-01-15
    reporter: Ubuntu Security Notice (C) 2005-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/20553
    title: Ubuntu 4.10 / 5.04 : openldap2, libpam-ldap, libnss-ldap vulnerabilities (USN-152-1)
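The advisories above all describe the same failure: the client starts TLS on its first connection to the slave, the slave answers the bind with a referral to the master, and the referred connection is built from the referral URL alone, so the simple bind (and its password) goes to the master in the clear. The following is an added example, not code from pam_ldap, nss_ldap or OpenLDAP: it models that bind path with a constructed Server/Wire stand-in and hypothetical hostnames, encodes the LDAPv3 simple BindRequest in BER as RFC 4511 lays it out, and runs the sniffer-side check a network defender would apply to the cleartext segment. The `tls_on_referral` switch is an assumption used only to contrast the broken and the corrected referral handling.

```python
"""CVE-2005-2069 model: referral-following bind, vulnerable vs fixed, plus the sniffer's view.

Constructed for this example; not the libraries' own code. Hostnames, DNs and the
password are made up. BindRequest layout follows RFC 4511:
LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp [APPLICATION 0] BindRequest }
BindRequest ::= { version INTEGER, name OCTET STRING, authentication simple [0] OCTET STRING }
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


# ---- minimal definite-length BER encoder / decoder ---------------------------------
def ber_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value


def ber_small_int(n: int) -> bytes:
    """INTEGER for 0 <= n < 128, enough for message IDs and the LDAP version."""
    return tlv(0x02, bytes([n]))


def bind_request(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPv3 simple bind PDU; the password is a plain OCTET STRING inside."""
    op = ber_small_int(3) + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, ber_small_int(msg_id) + tlv(0x60, op))


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    tag, pos = buf[pos], pos + 1
    ln, pos = buf[pos], pos + 1
    if ln & 0x80:                        # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def extract_simple_bind(segment: bytes) -> Optional[Tuple[str, str]]:
    """What a sniffer recovers from one cleartext PDU: (dn, password) for a simple bind."""
    tag, msg, _ = read_tlv(segment, 0)
    if tag != 0x30:
        return None
    _, _msg_id, p = read_tlv(msg, 0)
    tag, op, _ = read_tlv(msg, p)
    if tag != 0x60:                      # not a BindRequest
        return None
    _, _version, p = read_tlv(op, 0)
    _, dn, p = read_tlv(op, p)
    tag, cred, _ = read_tlv(op, p)
    if tag != 0x80:                      # SASL bind: no cleartext password to harvest
        return None
    return dn.decode(), cred.decode()


# ---- constructed stand-ins for the directory servers and the network -----------------
@dataclass
class Server:
    name: str
    referral: Optional[str] = None       # a slave answers the bind with a referral URL


@dataclass
class Wire:
    cleartext: List[bytes] = field(default_factory=list)   # every PDU sent without TLS


def bind_following_referrals(wire: Wire, servers: Dict[str, Server], url: str,
                             dn: str, password: str, start_tls: bool,
                             tls_on_referral: bool) -> str:
    """Bind and chase referrals the way the advisories describe; returns the accepting server.

    start_tls       - issue StartTLS on the first ldap:// connection (ldap.conf style).
    tls_on_referral - False reproduces the bug: the referred connection is created from
                      the referral URL alone and StartTLS is never re-issued. True is the fix.
    """
    want_tls = start_tls
    for hop in range(1, 5):
        server = servers[url]
        encrypted = url.startswith("ldaps://") or want_tls
        pdu = bind_request(hop, dn, password)
        if not encrypted:
            wire.cleartext.append(pdu)   # anyone on the path can read this bind
        if server.referral is None:
            return server.name
        url = server.referral
        want_tls = start_tls if tls_on_referral else False
    raise RuntimeError("too many referral hops")


def sniffed_credentials(wire: Wire) -> List[Tuple[str, str]]:
    return [c for c in (extract_simple_bind(s) for s in wire.cleartext) if c]


def run(tls_on_referral: bool,
        referral_url: str = "ldap://master.example.test/") -> List[Tuple[str, str]]:
    """Client binds to the slave with StartTLS and gets referred to the master."""
    servers = {
        "ldap://slave.example.test/": Server("slave", referral=referral_url),
        "ldap://master.example.test/": Server("master"),
        "ldaps://master.example.test/": Server("master"),
    }
    wire = Wire()
    bind_following_referrals(wire, servers, "ldap://slave.example.test/",
                             "uid=alice,ou=people,dc=example,dc=test", "hunter2",
                             start_tls=True, tls_on_referral=tls_on_referral)
    return sniffed_credentials(wire)


if __name__ == "__main__":
    print("vulnerable client:", run(False))   # password readable on the hop to the master
    print("fixed client:     ", run(True))    # nothing in the clear
```

Two things the model makes visible that the one-line summaries do not: the leak only exists when the referral points at an `ldap://` URL (a referral to `ldaps://` is encrypted by the scheme even with the old behaviour), and the first hop is never the problem, so watching only the slave's port for cleartext binds would miss it; the capture has to cover the path to the master.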

Oval

accepted: 2013-04-29T04:19:27.229-04:00
class: vulnerability
contributors
  • name: Aharon Chernin
    organization: SCAP.com, LLC
  • name: Dragos Prisaca
    organization: G2, Inc.
definition_extensions
  • comment: The operating system installed on the system is Red Hat Enterprise Linux 3
    oval: oval:org.mitre.oval:def:11782
  • comment: CentOS Linux 3.x
    oval: oval:org.mitre.oval:def:16651
  • comment: The operating system installed on the system is Red Hat Enterprise Linux 4
    oval: oval:org.mitre.oval:def:11831
  • comment: CentOS Linux 4.x
    oval: oval:org.mitre.oval:def:16636
  • comment: Oracle Linux 4.x
    oval: oval:org.mitre.oval:def:15990
description: pam_ldap and nss_ldap, when used with OpenLDAP and connecting to a slave using TLS, does not use TLS for the subsequent connection if the client is referred to a master, which may cause a password to be sent in cleartext and allows remote attackers to sniff the password.
family: unix
id: oval:org.mitre.oval:def:9445
status: accepted
submitted: 2010-07-09T03:56:16-04:00
title: pam_ldap and nss_ldap, when used with OpenLDAP and connecting to a slave using TLS, does not use TLS for the subsequent connection if the client is referred to a master, which may cause a password to be sent in cleartext and allows remote attackers to sniff the password.
version: 26

Redhat

advisories
  • rhsa
    id: RHSA-2005:751
  • rhsa
    id: RHSA-2005:767
rpms
  • nss_ldap-0:207-17
  • nss_ldap-debuginfo-0:207-17
  • openldap-0:2.0.27-20
  • openldap-clients-0:2.0.27-20
  • openldap-debuginfo-0:2.0.27-20
  • openldap-devel-0:2.0.27-20
  • openldap-servers-0:2.0.27-20
  • compat-openldap-0:2.1.30-4
  • nss_ldap-0:226-10
  • nss_ldap-debuginfo-0:226-10
  • openldap-0:2.2.13-4
  • openldap-clients-0:2.2.13-4
  • openldap-debuginfo-0:2.2.13-4
  • openldap-devel-0:2.2.13-4
  • openldap-servers-0:2.2.13-4
  • openldap-servers-sql-0:2.2.13-4

Statements

contributor: Mark J Cox
last modified: 2007-03-14
organization: Red Hat
statement: Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.