LDAP over SSL
Created 7/3/01
CVE 2001-0502
Impact
A remote attacker could take control of a domain
administrator's account, thereby gaining administrative
privileges.
Background
A directory service is used to keep track of network entities
such as files, applications, printers, and users. The
Lightweight Directory Access Protocol (LDAP) is one protocol
which can be used to access directory services. LDAP requests
can take place either through unsecured sessions or through
Secure Socket Layer (SSL) sessions. In an SSL session,
integrity and confidentiality are guaranteed by digital
certificates and encryption.
The Problems
LDAP on Windows 2000 includes a function
which allows a domain user to change attributes of
a directory principal. This function contains an error
which could allow any domain user to change any other
user's domain password. A remote attacker could exploit
the situation by using the anonymous account to change
a domain administrator's password, and then logging into
that account, thereby gaining administrative privileges
on the domain.
This vulnerability can only be exploited on Windows 2000
systems which have LDAP over SSL enabled. LDAP over SSL can
only be enabled if a digital certificate has been deliberately
placed on the server. It is not enabled by default.
Resolution
Apply the patch referenced in Microsoft Security Bulletin 01-036.
Where can I read more about this?
For more information, see Microsoft Security Bulletin 01-036.