Bug 105118 - (CVE-2005-2641) VUL-0: CVE-2005-2641: pam_ldap password policy vulnerability
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Hardware/OS: All / SLES 9
Priority: P5 - None; Severity: Normal
Assigned To: Security Team bot
Reported: 2005-08-17 09:02 UTC by Ralf Haferkamp
Modified: 2021-11-21 15:36 UTC (History)
Found By: Third Party Developer/Partner

Attachment 46248: Proposed fix (1.62 KB, patch), 2005-08-17 09:07 UTC, Ralf Haferkamp

Description Ralf Haferkamp 2005-08-17 09:02:51 UTC
This came in from Luke Howard <lukeh@padl.com>:
When the new password policy control is in use, a DSA that returns the 
control on bind failure where there is no password policy error will cause 
pam_ldap to allow the user to logon anyway.
Comment 1 Ralf Haferkamp 2005-08-17 09:04:55 UTC
Here is some more information that came in yesterday: 
Let us know who you are: 
 Name                   : Luke Howard 
 E-mail                 : lukeh@padl.com 
 Phone / fax            : +61 3 9671 3515 / 3517 
 Affiliation and address: PADL Software Pty Ltd 
Have you reported this to the vendor?  [yes/no] Yes 
        If so, please let us know whom you've contacted: 
        Date of your report     : 08/16 
        Vendor contact name     : Luke Howard 
        Vendor contact phone    : +61 3 9671 3515 
        Vendor contact e-mail   : lukeh@padl.com 
        Vendor reference number : 
        If not, we encourage you to do so--vendors need to hear about 
        vulnerabilities from you as a customer. 
We encourage communication between vendors and their customers.  When 
we forward a report to the vendor, we include the reporter's name and 
contact information unless you let us know otherwise. 
If you want this report to remain anonymous, please check here: 
        ___ Do not release my identity to your vendor contact. 
If there is a CERT Vulnerability tracking number please put it 
here (otherwise leave blank): VU#______. 
Please describe the vulnerability.
----------------------------------
This vulnerability was introduced in pam_ldap-169, which included
preliminary support for draft-behera-ldap-password-policy-07.txt.
If a pam_ldap client authenticates against an LDAP server that
returns a passwordPolicyResponse control, but omits the optional
"error" field of the PasswordPolicyResponseValue, then the LDAP
authentication result will be ignored and the authentication
step will always succeed.
While any password policy error should be propagated to the
account management (authorization) step, under no circumstance
should the absence of the error field override the BindResponse.
A fix that corrects this will be available in pam_ldap-180,
available from www.padl.com/OSS/pam_ldap.html.
What is the impact of this vulnerability?
-----------------------------------------
 (For example: local user can gain root/privileged access, intruders
  can create root-owned files, denial of service attack, etc.)
   a) What is the specific impact:
When pam_ldap is configured against a directory server that returns
the passwordPolicyResponse control in a BindResponse with no error
field, any user will be allowed to logon to the local system,
regardless of whether the underlying BindRequest succeeded.
This behaviour is likely to occur consistently, so one would expect
it to be noticed during the provisioning of the pam_ldap module.
   b) How would you envision it being used in an attack scenario:
One could exploit this by removing the error field from the encoded
passwordPolicyResponse on the wire if integrity protection is not
used on the underlying LDAP connection. However, this would be
contrary to the best practices for deploying pam_ldap (integrity
and confidentiality should be used). If integrity and confidentiality
protection are not used, then more trivial MITM attacks exist.
Otherwise, a competent system administrator deploying pam_ldap
with an LDAP server that triggers this vulnerability would likely
notice that all logons succeed during the initial configuration of
the software.
The only potentially dangerous exploit would be if it were
possible for a legitimate client authentication to trigger the
omission of the error field in the passwordPolicyResponse in a
manner which is unlikely to be noticed by an administrator
during the initial configuration of the software.
To your knowledge is the vulnerability currently being exploited?
-----------------------------------------------------------------
I'm not aware of any exploits; as mentioned above, one would expect
to have noticed this during provisioning. We have only seen the
vulnerability triggered when pam_ldap is used with the OpenLDAP
password policy module. (The contributor of this functionality
tested with a directory server that did not trigger the issue.)
If there is an exploitation script available, please include it here.
---------------------------------------------------------------------
Do you know what systems and/or configurations are vulnerable?
--------------------------------------------------------------
        [yes/no]  (If yes, please list them below)
This vulnerability applies to all versions of pam_ldap since 169,
on all platforms (unless the underlying LDAP client library does
not support LDAPv3 controls, in which case the functionality
would be disabled).
pam_ldap is shipped with popular Linux distributions, including
Red Hat and SuSE, as well as SGI IRIX. I have no information as to
which vendors, if any, ship versions of pam_ldap that are vulnerable.
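The failure mode described in the report above (and in the bug description), shown as an added illustration that is neither pam_ldap's own source nor the attached patch: a minimal BER decoder for the PasswordPolicyResponseValue of draft-behera-ldap-password-policy-07, followed by two versions of the post-bind decision. decide_vulnerable models the behaviour the report attributes to pam_ldap 169 through 179, where a well-formed control without an error field makes the bind resultCode irrelevant; decide_fixed applies the rule the report states, that the BindResponse result is authoritative and the control can only refine a failed bind into a policy error for the account-management step. The function names, the auth_outcome values and the sample control bytes are constructed for this example, and the parser handles short-form BER lengths only.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* LDAP resultCode values (RFC 4511) used below. */
#define LDAP_SUCCESS             0
#define LDAP_INVALID_CREDENTIALS 49

/* Outcome of the authentication step; stand-ins for PAM_SUCCESS / PAM_AUTH_ERR and for
 * "policy error, to be handled by account management" (constructed for this example). */
enum auth_outcome { AUTH_OK = 0, AUTH_FAIL = 1, AUTH_POLICY_ERROR = 2 };

/* PasswordPolicyResponseValue ::= SEQUENCE {
 *   warning [0] CHOICE { timeBeforeExpiration [0] INTEGER, graceAuthNsRemaining [1] INTEGER } OPTIONAL,
 *   error   [1] ENUMERATED { passwordExpired (0), accountLocked (1), changeAfterReset (2), ...,
 *                            passwordInHistory (8) } OPTIONAL }
 * Both members are OPTIONAL, so "30 00" (neither warning nor error) is a legal value. */
struct ppolicy_response {
    int  has_warning;
    int  warning_kind;     /* 0 = timeBeforeExpiration, 1 = graceAuthNsRemaining */
    long warning_value;
    int  has_error;
    int  error;            /* valid only when has_error != 0 */
};

/* Decode a BER INTEGER/ENUMERATED body: non-negative values of at most 4 bytes, else -1. */
static long ber_uint(const uint8_t *p, size_t n) {
    unsigned long v = 0;
    if (n == 0 || n > 4 || (p[0] & 0x80)) return -1;
    for (size_t i = 0; i < n; i++) v = (v << 8) | p[i];
    return (long)v;
}

/* Parse the control value. Short-form lengths (< 128 bytes) only. Returns 0 on success,
 * -1 on malformed input; a malformed control is never treated as "no policy problem". */
int parse_ppolicy_response(const uint8_t *buf, size_t len, struct ppolicy_response *out) {
    memset(out, 0, sizeof *out);
    if (len < 2 || buf[0] != 0x30 || (buf[1] & 0x80) || (size_t)buf[1] + 2 != len) return -1;
    size_t pos = 2;
    while (pos < len) {
        if (pos + 2 > len) return -1;
        uint8_t tag = buf[pos], tlen = buf[pos + 1];
        if ((tlen & 0x80) || pos + 2 + tlen > len) return -1;
        const uint8_t *body = buf + pos + 2;
        if (tag == 0xA0) {                         /* warning [0], constructed CHOICE */
            if (tlen < 3 || (body[0] & 0xFE) != 0x80 || body[1] + 2 != tlen) return -1;
            out->warning_kind  = body[0] & 0x01;
            out->warning_value = ber_uint(body + 2, body[1]);
            if (out->warning_value < 0) return -1;
            out->has_warning = 1;
        } else if (tag == 0x81) {                  /* error [1], primitive ENUMERATED */
            long e = ber_uint(body, tlen);
            if (e < 0 || e > 8) return -1;         /* only the values draft-07 defines */
            out->has_error = 1;
            out->error = (int)e;
        } else {
            return -1;
        }
        pos += 2 + tlen;
    }
    return 0;
}

/* Decoded error field, or -1 when the control is absent, malformed, or has no error. */
int ppolicy_error_code(const uint8_t *ctrl, size_t ctrl_len) {
    struct ppolicy_response pp;
    if (ctrl == NULL || parse_ppolicy_response(ctrl, ctrl_len, &pp) != 0 || !pp.has_error) return -1;
    return pp.error;
}

/* Decoded warning value, or -1 when the control is absent, malformed, or has no warning. */
long ppolicy_warning_value(const uint8_t *ctrl, size_t ctrl_len) {
    struct ppolicy_response pp;
    if (ctrl == NULL || parse_ppolicy_response(ctrl, ctrl_len, &pp) != 0 || !pp.has_warning) return -1;
    return pp.warning_value;
}

/* Model of the pam_ldap 169-179 behaviour the report describes: once a well-formed control
 * is present only its error field is consulted, and with the error field absent the bind
 * resultCode is never examined. */
enum auth_outcome decide_vulnerable(int bind_result, const uint8_t *ctrl, size_t ctrl_len) {
    struct ppolicy_response pp;
    if (ctrl != NULL && parse_ppolicy_response(ctrl, ctrl_len, &pp) == 0) {
        if (pp.has_error) return AUTH_POLICY_ERROR;
        return AUTH_OK;                            /* BUG: bind_result is ignored here */
    }
    return bind_result == LDAP_SUCCESS ? AUTH_OK : AUTH_FAIL;
}

/* Fixed rule: the BindResponse resultCode is authoritative. The control may only turn a failed
 * bind into a specific policy error; on a successful bind any error (e.g. changeAfterReset)
 * is left for the account-management step via ppolicy_error_code(). */
enum auth_outcome decide_fixed(int bind_result, const uint8_t *ctrl, size_t ctrl_len) {
    if (bind_result == LDAP_SUCCESS) return AUTH_OK;
    return ppolicy_error_code(ctrl, ctrl_len) >= 0 ? AUTH_POLICY_ERROR : AUTH_FAIL;
}

/* Constructed sample control values (not captured from a real directory server). */
const uint8_t PP_NO_ERROR[]   = {0x30, 0x00};                                 /* empty SEQUENCE */
const uint8_t PP_GRACE_ONLY[] = {0x30, 0x05, 0xA0, 0x03, 0x81, 0x01, 0x02};   /* graceAuthNsRemaining 2 */
const uint8_t PP_EXPIRED[]    = {0x30, 0x03, 0x81, 0x01, 0x00};               /* error passwordExpired */
const uint8_t PP_TRUNCATED[]  = {0x30, 0x01, 0x81};                           /* malformed */

int main(void) {
    static const char *names[] = {"OK", "FAIL", "POLICY_ERROR"};
    const struct { const char *label; const uint8_t *ctrl; size_t len; } cases[] = {
        {"no control", NULL, 0},
        {"{}", PP_NO_ERROR, sizeof PP_NO_ERROR},
        {"grace only", PP_GRACE_ONLY, sizeof PP_GRACE_ONLY},
        {"expired", PP_EXPIRED, sizeof PP_EXPIRED},
        {"truncated", PP_TRUNCATED, sizeof PP_TRUNCATED},
    };
    printf("%-12s %-12s %s\n", "control", "vulnerable", "fixed   (bind = invalidCredentials)");
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-12s %-12s %s\n", cases[i].label,
               names[decide_vulnerable(LDAP_INVALID_CREDENTIALS, cases[i].ctrl, cases[i].len)],
               names[decide_fixed(LDAP_INVALID_CREDENTIALS, cases[i].ctrl, cases[i].len)]);
    return 0;
}
```

The two rows that matter are "{}" and "grace only": with a failed bind the vulnerable decision still reports OK, which is exactly the on-the-wire condition the report describes (an OpenLDAP ppolicy overlay answering with a control that carries a warning or nothing at all). Note that the fixed version also treats a malformed control as absent rather than as a pass, so the bind result still decides.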
Comment 2 Ralf Haferkamp 2005-08-17 09:07:20 UTC
Created attachment 46248 [details]
Proposed fix

This patch contains a fix for the problem. Proposed by Luke Howard.
Comment 3 Ralf Haferkamp 2005-08-18 10:56:11 UTC
Submitted fixed package to STABLE. 
Comment 4 Sebastian Krahmer 2005-08-22 12:13:24 UTC
Ok. fix in STABLE is sufficient. closing.
Comment 5 Ludwig Nussel 2005-10-21 13:14:18 UTC
Comment 6 Thomas Biege 2009-10-13 20:41:37 UTC
CVE-2005-2641: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)