Hey dude, I'm sorry if it got you scared, panicked, etc. I was not aware that
the issue wasn't present in the fast bind LDAP authentication because I
discovered it in my own deployment, a year ago. I used other ways to
prevent it from happening here (WAF+fail2ban). I thought it reasonable to write a
small report about it, the way I see it could hit my own environment.

 You can't deny it's an authentication issue in an authentication system, not
to mention that CAS only does this, and if you really believe that there is
no practical security implication, then we have nothing to talk about.

 In time, you're not talking to your customer service, and if you spent two
hours to figure out whether your system is vulnerable or not, I think you have
another problem. If you do not like the way it's written, pay someone to
write the security reports as you wish (or do it yourself) and stop
complaining about doing your job on a public mailing list; if it's not good
then just quit.


On Fri, Jan 23, 2015 at 12:24 AM, Paul B. Henson <hen...@csupomona.edu>
wrote:

> > From: J. Tozo
> > Sent: Thursday, January 22, 2015 1:06 PM
> >
> >  It can be considered a minor weakness because it makes it easier to
> > successfully
>
> You know what you don't do for a "minor weakness"? Publish a CVE with a
> title including "allows remote attackers to bypass LDAP authentication via
> crafted wildcards". Because you know what it means to "bypass
> authentication"? It means you don't have to authenticate, and can gain
> access to resources without knowing a valid username/password. Which made
> it seem pretty silly to get to the middle of your posting and see " A valid
> username and password required".
>
> Really? If I know a username and password, I can "bypass" authentication
> for *that* user? Wow, that's serious 8-/. Not.
>
> > perpetrate a bruteforce attack. Using common passwords and guessing the
> > username using the wildcards.
>
> Then perhaps you should've titled your CVE "allows remote attackers to
> more easily bruteforce access with limited knowledge of usernames"? Of
> course, given the limitation that the wildcard must match one and exactly
> one user kind of limits even that vulnerability.
>
> >  A valid username and a password are required for you to simulate if your
> > system has
> > or not this vulnerability.
>
> Actually, all that is required to determine whether or not your
> implementation has this vulnerability is to look at your configuration and
> see if you're using the FastBindLdapAuthenticationHandler or the
> BindLdapAuthenticationHandler. If it's the former, you are simply not
> vulnerable. Period. And even if the latter, there is no "authentication
> bypass" occurring.
>
> > If you need to upgrade or not your server its up to you to decide!
>
> That's true. And you know what I would appreciate to help me decide?
> Accurate vulnerability assessment and reporting. Perhaps some advance
> notice a security update is coming out. As opposed to an email delivered in
> the middle of the night (at least in my time zone), which says there is a
> "security fix" for CVE-2015-1169 and "You must upgrade if you use LDAP
> authentication." And an artificially inflaming title for said CVE declaring
> there is a "remote attacker authentication bypass" vulnerability. I had
> better things to do this morning than spend two hours in a panic worried my
> authentication systems were susceptible to a serious security
> vulnerability. When in actuality, other than your theoretical "bruteforce
> more easily" issue, even if your system is "vulnerable" to this, there is
> no known practical security implication thereof. And anybody using the fast
> bind implementation is simply not vulnerable.
>
> --
> Paul B. Henson  |  (909) 979-6361  |  http://www.cpp.edu/~henson/
> Operating Systems and Network Analyst  |  hen...@cpp.edu
> California State Polytechnic University  |  Pomona CA 91768
>
>
>
> --
> You are currently subscribed to cas-user@lists.jasig.org as:
> junior...@gmail.com
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
>
>


-- 
Grato,

 Tozo
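As an added example (not code from this thread, and not the CAS project's own code), here is the standard mitigation for the wildcard issue the two messages argue about: escaping the user-supplied value per RFC 4515 before it is placed in the search filter of a search-then-bind handler, so "*" matches a literal asterisk instead of any account. The function names and the `uid` attribute are my own assumptions.

```python
"""Escape user-supplied values before building an LDAP search filter.

A search-then-bind handler resolves the username to a DN with a filter
such as (uid=<username>); if the username is inserted unescaped, a value
like "jo*" becomes a wildcard search.  Escaping the RFC 4515 filter
metacharacters makes the value match literally.  (Added example; the
helper names and the "uid" attribute are assumptions, not CAS code.)
"""

# RFC 4515 section 3: these characters must be written as backslash + two hex digits.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_ldap_filter_value(value: str) -> str:
    """Return `value` escaped so it is compared literally inside an LDAP filter."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(username: str, attr: str = "uid") -> str:
    """Build the lookup filter a search-then-bind handler would send to the directory."""
    return f"({attr}={escape_ldap_filter_value(username)})"


def contains_filter_metachars(username: str) -> bool:
    """Defensive check: True if a submitted username carries filter metacharacters.

    Useful for logging or rejecting such logins up front (e.g. at a WAF or in
    fail2ban rules), independently of the escaping applied when building the filter.
    """
    return any(ch in username for ch in _LDAP_FILTER_ESCAPES)


if __name__ == "__main__":
    # Constructed sample usernames, including one carrying a wildcard.
    for name in ("joe", "jo*", "a(b)", "back\\slash"):
        print(f"{name!r:14} flagged={contains_filter_metachars(name)!s:5} "
              f"filter={build_user_filter(name)}")
```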
