-----BEGIN PGP SIGNED MESSAGE----- CERT Advisory CA-2001-18 Multiple Vulnerabilities in Several Implementations of the Lightweight Directory Access Protocol (LDAP) Original release date: July 16, 2001 Last revised: -- Source: CERT/CC A complete revision history can be found at the end of this file. Systems Affected * iPlanet Directory Server, version 5.0 Beta and versions up to and including 4.13 * Certain versions of IBM SecureWay running under Solaris and Windows 2000 * Lotus Domino R5 Servers (Enterprise, Application, and Mail), prior to 5.0.7a * Teamware Office for Windows NT and Solaris, prior to version 5.3ed1 * Qualcomm Eudora WorldMail for Windows NT, version 2 * Microsoft Exchange 5.5 LDAP Service (Hotfix pending) * Network Associates PGP Keyserver 7.0, prior to Hotfix 2 * Oracle 8i Enterprise Edition * OpenLDAP, 1.x prior to 1.2.12 and 2.x prior to 2.0.8 Overview Several implementations of the Lightweight Directory Access Protocol (LDAP) protocol contain vulnerabilities that may allow denial-of-service attacks, unauthorized privileged access, or both. If your site uses any of the products listed in this advisory, the CERT/CC encourages you to follow the advice provided in the Solution section below. I. Description The LDAP protocol provides access to directories that support the X.500 directory semantics without requiring the additional resources of X.500. A directory is a collection of information such as names, addresses, access control lists, and cryptographic certificates. Because LDAP servers are widely used in maintaining corporate contact information and providing authentication services, any threats to their integrity or stability can jeopardize the security of an organization. To test the security of protocols like LDAP, the PROTOS project presents a server with a wide variety of sample packets containing unexpected values or illegally formatted data. This approach may reveal vulnerabilities that would not manifest themselves under normal conditions. As a member of the PROTOS project consortium, the Oulu University Secure Programming Group (OUSPG) co-developed and subsequently used the PROTOS LDAPv3 test suite to study several implementations of the LDAP protocol. The PROTOS LDAPv3 test suite is divided into two main sections: the "Encoding" section, which tests an LDAP server's response to packets that violate the Basic Encoding Rules (BER), and the "Application" section, which tests an LDAP server's response to packets that trigger LDAP-specific application anomalies. Each section is further divided into "groups" that collectively exercise a particular encoding or application feature. Finally, each group contains one or more "test cases," which represent the network packets that are used to test individual exceptional conditions. By applying the PROTOS LDAPv3 test suite to a variety of popular LDAP-enabled products, the OUSPG revealed the following vulnerabilities: VU#276944 - iPlanet Directory Server contains multiple vulnerabilities in LDAP handling code The iPlanet Directory Server contains multiple vulnerabilities in the code that processes LDAP requests. In the encoding section of the test suite, this product had an indeterminate number of failures in the group that tests invalid BER length of length fields. In the application section of the test suite, this product failed four groups and had inconclusive results for an additional five groups. The four failed groups indicate the presence of buffer overflow vulnerabilities. For the inconclusive groups, the product exhibited suspicious behavior while testing for format string vulnerabilities. VU#505564 - IBM SecureWay Directory is vulnerable to denial-of-service attacks via LDAP handling code The IBM SecureWay Directory server contains one or more vulnerabilities in the code that processes LDAP requests. These vulnerabilities were discovered independently by IBM using the PROTOS LDAPv3 test suite. The CERT/CC is not currently aware of the nature of these vulnerabilities. VU#583184 - Lotus Domino R5 Server Family contains multiple vulnerabilities in LDAP handling code The Lotus Domino R5 Server Family (including the Enterprise, Application, and Mail servers) contains multiple vulnerabilities in the code that processes LDAP requests. In the encoding section of the test suite, this product failed 1 of 77 groups. The failed group tests a server's response to miscellaneous packets with semi-valid BER encodings. In the application section of the test suite, this product failed 23 of 77 groups. These results suggest that both buffer overflow and format string vulnerabilities are likely to be present in a variety of application components. VU#688960 - Teamware Office contains multiple vulnerabilities in LDAP handling code The Teamware Office suite is packaged with a combination X.500/LDAP server that provides directory services. Multiple versions of the Office product contain vulnerabilities that cause the LDAP server to crash in response to traffic sent by the PROTOS LDAPv3 test suite. In the encoding section of the test suite, this product failed 9 of 16 groups involving invalid encodings for several BER object types. In the application section of the test suite, this product failed 4 of 32 groups. The remaining 45 groups were not exercised during the test runs. The four failed groups indicate the presence of buffer overflow vulnerabilities. VU#717380 - Potential vulnerabilities in Qualcomm Eudora WorldMail Server LDAP handling code While investigating the vulnerabilities reported by OUSPG, it was brought to our attention that the Eudora WorldMail Server may contain vulnerabilities that can be triggered via the PROTOS test suite. The CERT/CC has reported this possibility to Qualcomm and an investigation is pending. VU#763400 - Microsoft Exchange 5.5 LDAP Service is vulnerable to denial-of-service attacks The Microsoft Exchange 5.5 LDAP Service contains a vulnerability that causes the LDAP server to freeze in response to malformed LDAP requests generated by the PROTOS test suite. This only affects the LDAP service; all other Exchange services, including mail handling, continue normally. Although this product was not included in OUSPG's initial testing, subsequent informal testing revealed that the LDAP service of the Microsoft Exchange 5.5 became unresponsive while processing test cases containing exceptional BER encodings for the LDAP filter type field. VU#765256 - Network Associates PGP Keyserver contains multiple vulnerabilities in LDAP handling code The Network Associates PGP Keyserver 7.0 contains multiple vulnerabilities in the code that processes LDAP requests. In the encoding section of the test suite, this product failed 12 of 16 groups. In the application section of the test suite, this product failed 1 of 77 groups. The failed group focused on out-of-bounds integer values for the messageID parameter. Due to a peculiarity of this test group, this failure may actually represent an encoding failure. VU#869184 - Oracle 8i Enterprise Edition contains multiple vulnerabilities in LDAP handling code The Oracle 8i Enterprise Edition server contains multiple vulnerabilities in the code used to process LDAP requests. In the encoding section of the test suite, this product failed an indeterminate number of test cases in the group that tests a server's response to invalid encodings of BER OBJECT-IDENTIFIER values. In the application section of the test suite, this product failed 46 of 77 groups. These results suggest that both buffer overflow and format string vulnerabilities are likely to be present in a variety of application components. VU#935800 - Multiple versions of OpenLDAP are vulnerable to denial-of-service attacks There are multiple vulnerabilities in the OpenLDAP implementations of the LDAP protocol. These vulnerabilities exist in the code that translates network datagrams into application-specific information. In the encoding section of the test suite, this product failed the group that tests the handling of invalid BER length of length fields. In the application section of the test suite, this product passed all 6685 test cases. Additional Information For the most up-to-date information regarding these vulnerabilities, please visit the CERT/CC Vulnerability Notes Database at: http://www.kb.cert.org/vuls/ Please note that the test results summarized above should not be interpreted as a statement of overall software quality. However, the CERT/CC does believe that these results are useful in describing the characteristics of these vulnerabilities. For example, an application that fails multiple groups indicates that problems exist in different areas of the code, rather than in a specific code segment. II. Impact VU#276944 - iPlanet Directory Server contains multiple vulnerabilities in LDAP handling code One or more of these vulnerabilities allow a remote attacker to execute arbitrary code with the privileges of the Directory Server. The server typically runs with system privileges. At least one of these vulnerabilities has been successfully exploited in a laboratory environment under Windows NT 4.0, but they may affect other platforms as well. VU#505564 - IBM SecureWay Directory is vulnerable to denial-of-service attacks via LDAP handling code These vulnerabilities allow a remote attacker to crash affected SecureWay Directory servers, resulting in a denial-of-service condition. It is not known at this time whether these vulnerabilities will allow a remote attacker to execute arbitrary code. These vulnerabilities exist on the Solaris and Windows 2000 platforms but are not present under Windows NT, AIX, and AIX with SSL. VU#583184 - Lotus Domino R5 Server Family contains multiple vulnerabilities in LDAP handling code One or more of these vulnerabilities allow a remote attacker to execute arbitrary code with the privileges of the Domino server. The server typically runs with system privileges. At least one of these vulnerabilities has been successfully exploited in a laboratory environment. VU#688960 - Teamware Office contains multiple vulnerabilities in LDAP handling code These vulnerabilities allow a remote attacker to crash affected Teamware LDAP servers, resulting in a denial-of-service condition. They may also allow a remote attacker to execute arbitrary code with the privileges of the Teamware server. The server typically runs with system privileges. VU#717380 - Potential vulnerabilities in Qualcomm Eudora WorldMail Server LDAP handling code The CERT/CC has not yet determined the impact of this vulnerability. VU#763400 - Microsoft Exchange 5.5 LDAP Service is vulnerable to denial-of-service attacks This vulnerability allows a remote attacker to crash the LDAP component of vulnerable Exchange 5.5 servers, resulting in a denial-of-service condition within the LDAP component. VU#765256 - Network Associates PGP Keyserver contains multiple vulnerabilities in LDAP handling code One or more of these vulnerabilities allow a remote attacker to execute arbitrary code with the privileges of the Keyserver. The server typically runs with system privileges. At least one of these vulnerabilities has been successfully exploited in a laboratory environment. VU#869184 - Oracle 8i Enterprise Edition contains multiple vulnerabilities in LDAP handling code One or more of these vulnerabilities allow a remote attacker to execute arbitrary code with the privileges of the Oracle server. The server typically runs with system privileges. At least one of these vulnerabilities has been successfully exploited in a laboratory environment. VU#935800 - Multiple versions of OpenLDAP are vulnerable to denial-of-service attacks These vulnerabilities allow a remote attacker to crash affected OpenLDAP servers, resulting in a denial-of-service condition. III. Solution Apply a patch from your vendor Appendix A contains information provided by vendors for this advisory. Please consult this appendix to determine if you need to contact your vendor directly. Block access to directory services at network perimeter As a temporary measure, it is possible to limit the scope of these vulnerabilities by blocking access to directory services at the network perimeter. Please note that this workaround does not protect vulnerable products from internal attacks. ldap 389/tcp # Lightweight Directory Access Protocol ldap 389/udp # Lightweight Directory Access Protocol ldaps 636/tcp # ldap protocol over TLS/SSL (was sldap) ldaps 636/udp # ldap protocol over TLS/SSL (was sldap) Appendix A. - Vendor Information This appendix contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments. IBM Corporation IBM and Tivoli are currently investigating the details of the vulnerabilities in the various versions of the SecureWay product family. Fixes are being implemented as these details become known. Fixes will be posted to the download sites (IBM or Tivoli) for the affected platform. See http://www-1.ibm.com/support under "Server Downloads" or "Software Downloads" for links to the fix distribution sites. iPlanet E-Commerce Solutions [CERT/CC Addendum: These vulnerabilities were originally discovered in Directory Server 5.0 Beta and were later found to exist in versions up to and including version 4.13. These vulnerabilities have been addressed in the released version of Directory Server 5.0.] Lotus Development Corporation Lotus reproduced the problem as reported by OUSPG and documented it in SPR#DWUU4W6NC8. Lotus considers security issues as top priority, so we acted quickly to resolve the problem in a maintenance update to Domino. It was addressed in Domino R5.0.7a, which was released on May 18th, 2001. This release can be downloaded from Notes.net at http://www.notes.net/qmrdown.nsf/qmrwelcome. The fix is documented in the fix list at http://www.notes.net/r5fixlist.nsf/Search!SearchView&Query=DWUU 4W6NC8 Microsoft Corporation Microsoft is developing a hotfix for this issue which will be available shortly. Customers can obtain this hotfix by contacting Product Support Services at no charge and asking for Q303448 and Q303450. Information on contacting Microsoft Product Support Services can be found at http://www.microsoft.com/support/ Network Associates, Inc. Network Associates has resolved these vulnerabilities in Hotfix 2 for both Solaris and Windows NT. All Network Associates Enterprise Support customers have been notified and have been provided access to the Hotfix. This Hotfix can be downloaded at http://www.pgp.com/downloads/default.asp The OpenLDAP Project [CERT/CC Addendum: To address these vulnerabilities, the OpenLDAP Project has released OpenLDAP 1.2.12 for use in LDAPv2 environments and OpenLDAP 2.0.8 for use in LDAPv3 environments. The CERT/CC recommends that users of OpenLDAP contact their software vendor or obtain the latest version, available at http://www.openLDAP.org/software/download/.] QUALCOMM Incorporated The LDAP service in WorldMail may be vulnerable to this exploit, but our tests so far have been inconclusive. At this time, we strongly urge all WorldMail customers to ensure that the LDAP service is not accessible from outside their organization nor by untrusted users. The Teamware Group An issue has been discovered with Teamware Office Enterprise Directory (LDAP server) that shows a abnormal termination or loop when the LDAP server encounters a maliciously or incorrectly created LDAP request data. If the maliciously formatted LDAP request data is requested, the LDAP server may excessively copy the LDAP request data to the stack area. This overflow is likely to cause execution of malicious code. In other case, the LDAP server may go into abnormal termination or infinite loop. [CERT/CC Addendum: Teamware has provided additional documentation of these issues in their "Teamware Solution Database," available at http://support.teamw.com/Online/s_database1.shtml. Registered users can find information on these vulnerabilities by searching for document #010703-0000 for Windows NT or document #010703-0001 for Solaris.] Appendix B. - Supplemental Information The PROTOS Project The PROTOS project is a research partnership between the University of Oulu and VTT Electronics, an independent research organization owned by the Finnish government. The project studies methods by which protocol implementations can be tested for information security defects. Although the vulnerabilities discussed in this advisory relate specifically to the LDAP protocol, the methodology used to research, develop, and deploy the PROTOS LDAPv3 test suite can be applied to any communications protocol. For more information on the PROTOS project and its collection of test suites, please visit http://www.ee.oulu.fi/research/ouspg/protos/ ASN.1 and the BER Abstract Syntax Notation One (ASN.1) is a flexible notation that allows one to define a variety data types. The Basic Encoding Rules (BER) describe how to represent or encode the values of each ASN.1 type as a string of octets. This allow programmers to encode and decode data for platform-independent transmission over a network. References The following is a list of URLs referenced in this advisory as well as other useful sources of information: http://www.cert.org/advisories/CA-2001-18.html http://www.ietf.org/rfc/rfc2116.txt http://www.ietf.org/rfc/rfc2251.txt http://www.ietf.org/rfc/rfc2252.txt http://www.ietf.org/rfc/rfc2253.txt http://www.ietf.org/rfc/rfc2254.txt http://www.ietf.org/rfc/rfc2255.txt http://www.ietf.org/rfc/rfc2256.txt http://www.ee.oulu.fi/research/ouspg/protos/ http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/ldapv3/ http://www.kb.cert.org/vuls/ http://www.kb.cert.org/vuls/id/276944 http://www.kb.cert.org/vuls/id/505564 http://www.kb.cert.org/vuls/id/583184 http://www.kb.cert.org/vuls/id/688960 http://www.kb.cert.org/vuls/id/717380 http://www.kb.cert.org/vuls/id/763400 http://www.kb.cert.org/vuls/id/765256 http://www.kb.cert.org/vuls/id/869184 http://www.kb.cert.org/vuls/id/935800 _________________________________________________________________ The CERT Coordination Center thanks the Oulu University Secure Programming Group for reporting these vulnerabilities to us, for their detailed technical analyses, and for their assistance in preparing this advisory. We also thank the many vendors who provided feedback regarding their respective vulnerabilities. _________________________________________________________________ Authors: Jeffrey P. Lanza and Cory F. Cohen. Feedback on this advisory is greatly appreciated. ______________________________________________________________________ This document is available from: http://www.cert.org/advisories/CA-2001-18.html ______________________________________________________________________ CERT/CC Contact Information Email: cert@cert.org Phone: +1 412-268-7090 (24-hour hotline) Fax: +1 412-268-6989 Postal address: CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh PA 15213-3890 U.S.A. CERT personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends. Using encryption We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from http://www.cert.org/CERT_PGP.key If you prefer to use DES, please call the CERT hotline for more information. Getting security information CERT publications and other security information are available from our web site http://www.cert.org/ To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo@cert.org. Please include in the body of your message subscribe cert-advisory * "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office. ______________________________________________________________________ NO WARRANTY Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement. _________________________________________________________________ Conditions for use, disclaimers, and sponsorship information Copyright 2001 Carnegie Mellon University. Revision History Jul 16, 2001: Initial release -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 5.0i for non-commercial use Charset: noconv iQCVAwUBO1O5eQYcfu8gsZJZAQGupwQAikpVVn5wK0o9Kzdl3wjFf2jEhbyr3Ngz ycfKTYp8GfaKvKf9HzM/861WBmAkRIkChM+t9mQZ2FuH6nNMzfYRputHb3MK5w18 8EOE/stQbV0kDgXxi078ELkvZy4tqrNhd7KXNtsFCPvwo7XTrJJFLTpCS5Nltheq PaynurnhNrw= =mEjW -----END PGP SIGNATURE-----