Tutorial - LDAP vulnerabilities

LDAP vulnerabilities

Updated 3/18/03

Impact

If an application uses a vulnerable implementation of LDAP, an attacker could cause a denial of service or execute arbitrary commands.

Background

A directory service is used to keep track of network entities such as files, applications, printers, and users. The Lightweight Directory Access Protocol (LDAP) is one protocol which can be used to access directory services. Many applications, such as mail servers, enterprise servers, and databases, use LDAP to provide directory access while conserving resources.

The Problem

7/19/01
Many implementations of the LDAP protocol do not properly handle requests which do not adhere to the expected format. Among the problems which may be present are buffer overflow conditions, format string vulnerabilities, and mishandling of requests which violate encoding rules. Exploitation of these problems could lead to denial of service or unauthorized access.

The following applications contain an implementation of LDAP which contains such vulnerabilities if unpatched:

iPlanet Directory Server version 5.0 Beta and versions up to and including 4.13 (CAN 2001-1306 CAN 2001-1307 CAN 2001-1308)
IBM SecureWay, certain versions running under Solaris and Windows 2000 (CAN 2001-1309 CAN 2001-1310)
Lotus Domino Servers (Enterprise, Application, and Mail), R5 prior to 5.0.7a and (3/18/03) R6 prior to 6.0 Gold (CAN 2001-1311 CAN 2001-1312 CAN 2001-1313)
Critical Path LiveContent Directory, version 8A.3 (CAN 2001-1314 CAN 2001-1315)
Critical Path InJoin Directory Server, versions 3.0, 3.1, and 4.0 (CAN 2001-1314 CAN 2001-1315)
Teamware Office for Windows NT and Solaris, prior to version 5.3ed1 (CAN 2001-1316 CAN 2001-1317)
Qualcomm Eudora WorldMail for Windows NT, version 2 (CAN 2001-1318)
Microsoft Exchange 5.5 LDAP Service (Hotfix pending) (CAN 2001-1319)
Network Associates PGP Keyserver 7.0, prior to Hotfix 2 (CAN 2001-1320)
Oracle Internet Directory, versions 2.1.1.x and 3.0.1 (CAN 2001-0974 CAN 2001-0975 CAN 2001-1321)
OpenLDAP
- Version 1.x prior to 1.2.12 and 2.x prior to 2.0.8 (CVE 2001-0977)
- 12/13/02 Additional vulnerabilities in version 2.x prior to 2.1.9 (CAN 2002-1378 CAN 2002-1379)

Resolution

See CERT Advisory 2001-18 for information on obtaining a patch for your application. OpenLDAP 2.x users may also need to fix a separate set of vulnerabilities which were reported in SuSE Security Announcement 2002:047. Consult your vendor for a fix.

If a patch is not available, then ports 389 and 636, TCP and UDP, should be blocked at the network perimeter until a patch can be applied.

Where can I read more about this?

For more information, see CERT Advisory 2001-18 and SuSE Security Announcement 2002:047.