Everyone,
I think this email I received should be of interest to many technicians and
companies that work with the I-Planet platform, among others. A security flaw
has been found that allows DoS (denial of service) attacks on the LDAP
structure. Is there anyone from Sun on the list who can critique this
information?
Regards to all,
Euclides Jr.
 <<CERT Advisory CA-2001-18>> 


Euclides, this one is for you.

Fábio.

----- Original Message -----
From: Steve <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, July 17, 2001 10:32
Subject: CERT Advisory CA-2001-18


> CERT Advisory CA-2001-18 Multiple Vulnerabilities in Several
> Implementations of the Lightweight Directory Access Protocol (LDAP)
>
>    Original release date: July 16, 2001
>    Last revised: --
>    Source: CERT/CC
>
>    A complete revision history can be found at the end of this file.
>
> Systems Affected
>
>      * iPlanet Directory Server, version 5.0 Beta and versions up to and
>        including 4.13
>      * Certain versions of IBM SecureWay running under Solaris and
>        Windows 2000
>      * Lotus Domino R5 Servers (Enterprise, Application, and Mail),
>        prior to 5.0.7a
>      * Teamware Office for Windows NT and Solaris, prior to version
>        5.3ed1
>      * Qualcomm Eudora WorldMail for Windows NT, version 2
>      * Microsoft Exchange 5.5 LDAP Service (Hotfix pending)
>      * Network Associates PGP Keyserver 7.0, prior to Hotfix 2
>      * Oracle 8i Enterprise Edition
>      * OpenLDAP, 1.x prior to 1.2.12 and 2.x prior to 2.0.8
>
> Overview
>
>    Several implementations of the Lightweight Directory Access Protocol
>    (LDAP) protocol contain vulnerabilities that may allow
>    denial-of-service attacks, unauthorized privileged access, or both.
>    If your site uses any of the products listed in this advisory, the
>    CERT/CC encourages you to follow the advice provided in the Solution
>    section below.
>
> I. Description
>
>    The LDAP protocol provides access to directories that support the
>    X.500 directory semantics without requiring the additional resources of
>    X.500. A directory is a collection of information such as names,
>    addresses, access control lists, and cryptographic certificates.
>    Because LDAP servers are widely used in maintaining corporate contact
>    information and providing authentication services, any threats to
>    their integrity or stability can jeopardize the security of an
>    organization.
>
>    To test the security of protocols like LDAP, the PROTOS project
>    presents a server with a wide variety of sample packets containing
>    unexpected values or illegally formatted data. This approach may
>    reveal vulnerabilities that would not manifest themselves under normal
>    conditions. As a member of the PROTOS project consortium, the Oulu
>    University Secure Programming Group (OUSPG) co-developed and
>    subsequently used the PROTOS LDAPv3 test suite to study several
>    implementations of the LDAP protocol.
>
>    The PROTOS LDAPv3 test suite is divided into two main sections: the
>    "Encoding" section, which tests an LDAP server's response to packets
>    that violate the Basic Encoding Rules (BER), and the "Application"
>    section, which tests an LDAP server's response to packets that trigger
>    LDAP-specific application anomalies. Each section is further divided
>    into "groups" that collectively exercise a particular encoding or
>    application feature. Finally, each group contains one or more "test
>    cases," which represent the network packets that are used to test
>    individual exceptional conditions.
>
>    By applying the PROTOS LDAPv3 test suite to a variety of popular
>    LDAP-enabled products, the OUSPG revealed the following
>    vulnerabilities:
>
>    VU#276944 - iPlanet Directory Server contains multiple vulnerabilities
>    in LDAP handling code
>
>        The iPlanet Directory Server contains multiple vulnerabilities in
>        the code that processes LDAP requests.
>
>        In the encoding section of the test suite, this product had an
>        indeterminate number of failures in the group that tests invalid
>        BER length of length fields.
>
>        In the application section of the test suite, this product failed
>        four groups and had inconclusive results for an additional five
>        groups. The four failed groups indicate the presence of buffer
>        overflow vulnerabilities. For the inconclusive groups, the product
>        exhibited suspicious behavior while testing for format string
>        vulnerabilities.
>
>    VU#505564 - IBM SecureWay Directory is vulnerable to denial-of-service
>    attacks via LDAP handling code
>
>        The IBM SecureWay Directory server contains one or more
>        vulnerabilities in the code that processes LDAP requests. These
>        vulnerabilities were discovered independently by IBM using the
>        PROTOS LDAPv3 test suite. The CERT/CC is not currently aware of the
>        nature of these vulnerabilities.
>
>    VU#583184 - Lotus Domino R5 Server Family contains multiple
>    vulnerabilities in LDAP handling code
>
>        The Lotus Domino R5 Server Family (including the Enterprise,
>        Application, and Mail servers) contains multiple vulnerabilities in
>        the code that processes LDAP requests.
>
>        In the encoding section of the test suite, this product failed 1 of
>        77 groups. The failed group tests a server's response to
>        miscellaneous packets with semi-valid BER encodings.
>
>        In the application section of the test suite, this product failed
>        23 of 77 groups. These results suggest that both buffer overflow
>        and format string vulnerabilities are likely to be present in a
>        variety of application components.
>
>    VU#688960 - Teamware Office contains multiple vulnerabilities in LDAP
>    handling code
>
>        The Teamware Office suite is packaged with a combination X.500/LDAP
>        server that provides directory services. Multiple versions of the
>        Office product contain vulnerabilities that cause the LDAP server
>        to crash in response to traffic sent by the PROTOS LDAPv3 test
>        suite.
>
>        In the encoding section of the test suite, this product failed 9 of
>        16 groups involving invalid encodings for several BER object types.
>
>        In the application section of the test suite, this product failed 4
>        of 32 groups. The remaining 45 groups were not exercised during the
>        test runs. The four failed groups indicate the presence of buffer
>        overflow vulnerabilities.
>
>    VU#717380 - Potential vulnerabilities in Qualcomm Eudora WorldMail
>    Server LDAP handling code
>
>        While investigating the vulnerabilities reported by OUSPG, it was
>        brought to our attention that the Eudora WorldMail Server may
>        contain vulnerabilities that can be triggered via the PROTOS test
>        suite. The CERT/CC has reported this possibility to Qualcomm and an
>        investigation is pending.
>
>    VU#763400 - Microsoft Exchange 5.5 LDAP Service is vulnerable to
>    denial-of-service attacks
>
>        The Microsoft Exchange 5.5 LDAP Service contains a vulnerability
>        that causes the LDAP server to freeze in response to malformed LDAP
>        requests generated by the PROTOS test suite. This only affects the
>        LDAP service; all other Exchange services, including mail handling,
>        continue normally.
>
>        Although this product was not included in OUSPG's initial testing,
>        subsequent informal testing revealed that the LDAP service of the
>        Microsoft Exchange 5.5 became unresponsive while processing test
>        cases containing exceptional BER encodings for the LDAP filter type
>        field.
>
>    VU#765256 - Network Associates PGP Keyserver contains multiple
>    vulnerabilities in LDAP handling code
>
>        The Network Associates PGP Keyserver 7.0 contains multiple
>        vulnerabilities in the code that processes LDAP requests.
>
>        In the encoding section of the test suite, this product failed 12
>        of 16 groups.
>
>        In the application section of the test suite, this product failed 1
>        of 77 groups. The failed group focused on out-of-bounds integer
>        values for the messageID parameter. Due to a peculiarity of this
>        test group, this failure may actually represent an encoding
>        failure.
>
>    VU#869184 - Oracle 8i Enterprise Edition contains multiple
>    vulnerabilities in LDAP handling code
>
>        The Oracle 8i Enterprise Edition server contains multiple
>        vulnerabilities in the code used to process LDAP requests.
>
>        In the encoding section of the test suite, this product failed an
>        indeterminate number of test cases in the group that tests a
>        server's response to invalid encodings of BER OBJECT-IDENTIFIER
>        values.
>
>        In the application section of the test suite, this product failed
>        46 of 77 groups. These results suggest that both buffer overflow
>        and format string vulnerabilities are likely to be present in a
>        variety of application components.
>
>    VU#935800 - Multiple versions of OpenLDAP are vulnerable to
>    denial-of-service attacks
>
>        There are multiple vulnerabilities in the OpenLDAP implementations
>        of the LDAP protocol. These vulnerabilities exist in the code that
>        translates network datagrams into application-specific information.
>
>        In the encoding section of the test suite, this product failed the
>        group that tests the handling of invalid BER length of length
>        fields.
>
>        In the application section of the test suite, this product passed
>        all 6685 test cases.
>
> Additional Information
>
>    For the most up-to-date information regarding these vulnerabilities,
>    please visit the CERT/CC Vulnerability Notes Database at:
>
>           http://www.kb.cert.org/vuls/
>
>    Please note that the test results summarized above should not be
>    interpreted as a statement of overall software quality. However, the
>    CERT/CC does believe that these results are useful in describing the
>    characteristics of these vulnerabilities. For example, an application
>    that fails multiple groups indicates that problems exist in different
>    areas of the code, rather than in a specific code segment.
>
> II. Impact
>
>    VU#276944 - iPlanet Directory Server contains multiple vulnerabilities
>    in LDAP handling code
>
>        One or more of these vulnerabilities allow a remote attacker to
>        execute arbitrary code with the privileges of the Directory Server.
>        The server typically runs with system privileges. At least one of
>        these vulnerabilities has been successfully exploited in a
>        laboratory environment under Windows NT 4.0, but they may affect
>        other platforms as well.
>
>    VU#505564 - IBM SecureWay Directory is vulnerable to denial-of-service
>    attacks via LDAP handling code
>
>        These vulnerabilities allow a remote attacker to crash affected
>        SecureWay Directory servers, resulting in a denial-of-service
>        condition. It is not known at this time whether these
>        vulnerabilities will allow a remote attacker to execute arbitrary
>        code. These vulnerabilities exist on the Solaris and Windows 2000
>        platforms but are not present under Windows NT, AIX, and AIX with
>        SSL.
>
>    VU#583184 - Lotus Domino R5 Server Family contains multiple
>    vulnerabilities in LDAP handling code
>
>        One or more of these vulnerabilities allow a remote attacker to
>        execute arbitrary code with the privileges of the Domino
>        server. The server typically runs with system privileges. At least
>        one of these vulnerabilities has been successfully exploited in a
>        laboratory environment.
>
>    VU#688960 - Teamware Office contains multiple vulnerabilities in LDAP
>    handling code
>
>        These vulnerabilities allow a remote attacker to crash affected
>        Teamware LDAP servers, resulting in a denial-of-service condition.
>        They may also allow a remote attacker to execute arbitrary code
>        with the privileges of the Teamware server. The server typically
>        runs with system privileges.
>
>    VU#717380 - Potential vulnerabilities in Qualcomm Eudora WorldMail
>    Server LDAP handling code
>
>        The CERT/CC has not yet determined the impact of this vulnerability.
>
>    VU#763400 - Microsoft Exchange 5.5 LDAP Service is vulnerable to
>    denial-of-service attacks
>
>        This vulnerability allows a remote attacker to crash the LDAP
>        component of vulnerable Exchange 5.5 servers, resulting in a
>        denial-of-service condition within the LDAP component.
>
>    VU#765256 - Network Associates PGP Keyserver contains multiple
>    vulnerabilities in LDAP handling code
>
>        One or more of these vulnerabilities allow a remote attacker to
>        execute arbitrary code with the privileges of the Keyserver. The
>        server typically runs with system privileges. At least one of these
>        vulnerabilities has been successfully exploited in a laboratory
>        environment.
>
>    VU#869184 - Oracle 8i Enterprise Edition contains multiple
>    vulnerabilities in LDAP handling code
>
>        One or more of these vulnerabilities allow a remote attacker to
>        execute arbitrary code with the privileges of the Oracle
>        server. The server typically runs with system privileges. At least
>        one of these vulnerabilities has been successfully exploited in a
>        laboratory environment.
>
>    VU#935800 - Multiple versions of OpenLDAP are vulnerable to
>    denial-of-service attacks
>
>        These vulnerabilities allow a remote attacker to crash affected
>        OpenLDAP servers, resulting in a denial-of-service condition.
>
> III. Solution
>
> Apply a patch from your vendor
>
>    Appendix A contains information provided by vendors for this advisory.
>    Please consult this appendix to determine if you need to contact your
>    vendor directly.
>
> Block access to directory services at network perimeter
>
>    As a temporary measure, it is possible to limit the scope of these
>    vulnerabilities by blocking access to directory services at the
>    network perimeter. Please note that this workaround does not protect
>    vulnerable products from internal attacks.
>
>        ldap    389/tcp     # Lightweight Directory Access Protocol
>        ldap    389/udp     # Lightweight Directory Access Protocol
>        ldaps   636/tcp     # ldap protocol over TLS/SSL (was sldap)
>        ldaps   636/udp     # ldap protocol over TLS/SSL (was sldap)
>
> Appendix A. - Vendor Information
>
>    This appendix contains information provided by vendors for this
>    advisory. As vendors report new information to the CERT/CC, we will
>    update this section and note the changes in our revision history. If a
>    particular vendor is not listed below, we have not received their
>    comments.
>
> IBM Corporation
>
>    IBM and Tivoli are currently investigating the details of the
>    vulnerabilities in the various versions of the SecureWay product
>    family.
>
>    Fixes are being implemented as these details become known.
>
>    Fixes will be posted to the download sites (IBM or Tivoli) for the
>    affected platform. See http://www-1.ibm.com/support under "Server
>    Downloads" or "Software Downloads" for links to the fix distribution
>    sites.
>
> iPlanet E-Commerce Solutions
>
>    [CERT/CC Addendum: These vulnerabilities were originally discovered in
>    Directory Server 5.0 Beta and were later found to exist in versions up
>    to and including version 4.13. These vulnerabilities have been
>    addressed in the released version of Directory Server 5.0.]
>
> Lotus Development Corporation
>
>    Lotus reproduced the problem as reported by OUSPG and documented it in
>    SPR#DWUU4W6NC8.
>
>    Lotus considers security issues as top priority, so we acted quickly
>    to resolve the problem in a maintenance update to Domino. It was
>    addressed in Domino R5.0.7a, which was released on May 18th, 2001.
>    This release can be downloaded from Notes.net at
>
>           http://www.notes.net/qmrdown.nsf/qmrwelcome.
>
>    The fix is documented in the fix list at
>
>           http://www.notes.net/r5fixlist.nsf/Search!SearchView&Query=DWUU4W6NC8
>
> Microsoft Corporation
>
>    Microsoft is developing a hotfix for this issue which will be
>    available shortly.
>
>    Customers can obtain this hotfix by contacting Product Support
>    Services at no charge and asking for Q303448 and Q303450. Information
>    on contacting Microsoft Product Support Services can be found at
>
>           http://www.microsoft.com/support/
>
> Network Associates, Inc.
>
>    Network Associates has resolved these vulnerabilities in Hotfix 2 for
>    both Solaris and Windows NT. All Network Associates Enterprise Support
>    customers have been notified and have been provided access to the
>    Hotfix.
>
>    This Hotfix can be downloaded at
>
>           http://www.pgp.com/downloads/default.asp
>
> The OpenLDAP Project
>
>    [CERT/CC Addendum: To address these vulnerabilities, the OpenLDAP
>    Project has released OpenLDAP 1.2.12 for use in LDAPv2 environments
>    and OpenLDAP 2.0.8 for use in LDAPv3 environments. The CERT/CC
>    recommends that users of OpenLDAP contact their software vendor or
>    obtain the latest version, available at
>    http://www.openLDAP.org/software/download/.]
>
> QUALCOMM Incorporated
>
>    The LDAP service in WorldMail may be vulnerable to this exploit, but
>    our tests so far have been inconclusive. At this time, we strongly
>    urge all WorldMail customers to ensure that the LDAP service is not
>    accessible from outside their organization nor by untrusted users.
>
> The Teamware Group
>
>    An issue has been discovered with Teamware Office Enterprise Directory
>    (LDAP server) that shows an abnormal termination or loop when the LDAP
>    server encounters a maliciously or incorrectly created LDAP request
>    data.
>
>    If the maliciously formatted LDAP request data is requested, the LDAP
>    server may excessively copy the LDAP request data to the stack area.
>
>    This overflow is likely to cause execution of malicious code. In other
>    cases, the LDAP server may go into abnormal termination or infinite
>    loop.
>
>    [CERT/CC Addendum: Teamware has provided additional documentation of
>    these issues in their "Teamware Solution Database," available at
>    http://support.teamw.com/Online/s_database1.shtml. Registered users
>    can find information on these vulnerabilities by searching for
>    document #010703-0000 for Windows NT or document #010703-0001 for
>    Solaris.]
>
> Appendix B. - Supplemental Information
>
> The PROTOS Project
>
>    The PROTOS project is a research partnership between the University of
>    Oulu and VTT Electronics, an independent research organization owned
>    by the Finnish government. The project studies methods by which
>    protocol implementations can be tested for information security
>    defects.
>
>    Although the vulnerabilities discussed in this advisory relate
>    specifically to the LDAP protocol, the methodology used to research,
>    develop, and deploy the PROTOS LDAPv3 test suite can be applied to any
>    communications protocol.
>
>    For more information on the PROTOS project and its collection of test
>    suites, please visit
>
>           http://www.ee.oulu.fi/research/ouspg/protos/
>
> ASN.1 and the BER
>
>    Abstract Syntax Notation One (ASN.1) is a flexible notation that
>    allows one to define a variety of data types. The Basic Encoding Rules
>    (BER) describe how to represent or encode the values of each ASN.1
>    type as a string of octets. This allows programmers to encode and
>    decode data for platform-independent transmission over a network.
>
> References
>
>    The following is a list of URLs referenced in this advisory as well as
>    other useful sources of information:
>
>           http://www.cert.org/advisories/CA-2001-18.html
>           http://www.ietf.org/rfc/rfc2116.txt
>           http://www.ietf.org/rfc/rfc2251.txt
>           http://www.ietf.org/rfc/rfc2252.txt
>           http://www.ietf.org/rfc/rfc2253.txt
>           http://www.ietf.org/rfc/rfc2254.txt
>           http://www.ietf.org/rfc/rfc2255.txt
>           http://www.ietf.org/rfc/rfc2256.txt
>           http://www.ee.oulu.fi/research/ouspg/protos/
>           http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/ldapv3/
>           http://www.kb.cert.org/vuls/
>           http://www.kb.cert.org/vuls/id/276944
>           http://www.kb.cert.org/vuls/id/505564
>           http://www.kb.cert.org/vuls/id/583184
>           http://www.kb.cert.org/vuls/id/688960
>           http://www.kb.cert.org/vuls/id/717380
>           http://www.kb.cert.org/vuls/id/763400
>           http://www.kb.cert.org/vuls/id/765256
>           http://www.kb.cert.org/vuls/id/869184
>           http://www.kb.cert.org/vuls/id/935800
>      _________________________________________________________________
>
>    The CERT Coordination Center thanks the Oulu University Secure
>    Programming Group for reporting these vulnerabilities to us, for their
>    detailed technical analyses, and for their assistance in preparing
>    this advisory. We also thank the many vendors who provided feedback
>    regarding their respective vulnerabilities.
>      _________________________________________________________________
>
>    Authors: Jeffrey P. Lanza and Cory F. Cohen. Feedback on this advisory
>    is greatly appreciated.
>
> ______________________________________________________________________
>
>    This document is available from:
>    http://www.cert.org/advisories/CA-2001-18.html
>
> ______________________________________________________________________
>
> CERT/CC Contact Information
>
>    Email: [EMAIL PROTECTED]
>           Phone: +1 412-268-7090 (24-hour hotline)
>           Fax: +1 412-268-6989
>           Postal address:
>           CERT Coordination Center
>           Software Engineering Institute
>           Carnegie Mellon University
>           Pittsburgh PA 15213-3890
>           U.S.A.
>
>    CERT personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4)
>    Monday through Friday; they are on call for emergencies during other
>    hours, on U.S. holidays, and on weekends.
>
> Using encryption
>
>    We strongly urge you to encrypt sensitive information sent by email.
>    Our public PGP key is available from
>
>    http://www.cert.org/CERT_PGP.key
>
>    If you prefer to use DES, please call the CERT hotline for more
>    information.
>
> Getting security information
>
>    CERT publications and other security information are available from
>    our web site
>
>    http://www.cert.org/
>
>    To subscribe to the CERT mailing list for advisories and bulletins,
>    send email to [EMAIL PROTECTED] Please include in the body of your
>    message
>
>    subscribe cert-advisory
>
>    * "CERT" and "CERT Coordination Center" are registered in the U.S.
>    Patent and Trademark Office.
>
> ______________________________________________________________________
>
>    NO WARRANTY
>    Any material furnished by Carnegie Mellon University and the Software
>    Engineering Institute is furnished on an "as is" basis. Carnegie
>    Mellon University makes no warranties of any kind, either expressed or
>    implied as to any matter including, but not limited to, warranty of
>    fitness for a particular purpose or merchantability, exclusivity or
>    results obtained from use of the material. Carnegie Mellon University
>    does not make any warranty of any kind with respect to freedom from
>    patent, trademark, or copyright infringement.
>      _________________________________________________________________
>
>    Conditions for use, disclaimers, and sponsorship information
>
>    Copyright 2001 Carnegie Mellon University.
>
>    Revision History
> Jul 16, 2001: Initial release
>
>
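
Several products in the advisory failed the PROTOS group that tests "invalid BER length of length fields", that is, the octets that say how many length octets follow. As an added example (not part of the advisory or of any vendor's code), here is a bounds-checked decoder for one BER tag-length-value header in C; the function names, status codes, the 64 KiB limit and the sample byte strings are assumptions constructed for illustration.

```c
/* Added example: bounds-checked BER header decoding. All names are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
enum ber_status {
    BER_OK = 0,
    BER_TRUNCATED,    /* header or value runs past the bytes received */
    BER_BAD_TAG,      /* high-tag-number form, not handled by this sketch */
    BER_INDEFINITE,   /* 0x80: indefinite form, which RFC 2251 does not allow */
    BER_RESERVED,     /* 0xFF: reserved first length octet (X.690) */
    BER_LEN_TOO_WIDE, /* length of length wider than the accumulator */
    BER_TOO_LARGE     /* declared length above the caller's policy limit */
};
/* value points into the caller's buffer; nothing is copied */
struct ber_tlv { uint8_t tag; uint32_t len; const uint8_t *value; };

enum ber_status ber_read_tlv(const uint8_t *buf, size_t buflen,
                             uint32_t max_len, struct ber_tlv *out)
{
    size_t pos = 0;
    uint32_t len = 0;
    if (buflen < 2)
        return BER_TRUNCATED;
    if ((buf[0] & 0x1F) == 0x1F)
        return BER_BAD_TAG;
    out->tag = buf[pos++];
    uint8_t first = buf[pos++];
    if (first < 0x80) {
        len = first;                  /* short form, 0..127 */
    } else if (first == 0x80) {
        return BER_INDEFINITE;
    } else if (first == 0xFF) {
        return BER_RESERVED;
    } else {
        size_t n = first & 0x7F;      /* the "length of length" */
        if (n > sizeof len)
            return BER_LEN_TOO_WIDE;  /* would overflow len */
        if (n > buflen - pos)
            return BER_TRUNCATED;     /* length octets themselves missing */
        while (n--)
            len = (len << 8) | buf[pos++];
    }
    if (len > max_len)
        return BER_TOO_LARGE;
    if (len > buflen - pos)           /* subtract; pos + len could wrap */
        return BER_TRUNCATED;
    out->len = len;
    out->value = buf + pos;
    return BER_OK;
}

/* Constructed inputs. BIND is an anonymous LDAPv3 simple bind, messageID 1. */
static const uint8_t BIND[] = {0x30,0x0C,0x02,0x01,0x01,0x60,0x07,
                               0x02,0x01,0x03,0x04,0x00,0x80,0x00};
static const uint8_t HUGE_DECL[] = {0x30,0x84,0xFF,0xFF,0xFF,0xFF,0x02};
static const uint8_t WIDE_LOL[]  = {0x30,0x88,0,0,0,0,0,0,0,0x0C};
static const uint8_t SHORT_LOL[] = {0x30,0x84,0x00};
static const uint8_t INDEF[]     = {0x30,0x80,0x00,0x00};
static const uint8_t CUT_VALUE[] = {0x30,0x0C,0x02,0x01};

enum ber_status ber_check(const uint8_t *buf, size_t n)
{
    struct ber_tlv t;
    return ber_read_tlv(buf, n, 65536u, &t); /* 64 KiB cap is an assumption */
}
#define CHK(a) ber_check((a), sizeof (a))

int main(void)
{
    printf("bind=%d huge=%d wide=%d short=%d indef=%d cut=%d\n", CHK(BIND),
           CHK(HUGE_DECL), CHK(WIDE_LOL), CHK(SHORT_LOL), CHK(INDEF), CHK(CUT_VALUE));
    return 0;
}
```

Every rejection happens on the header alone, before any allocation or copy is sized from the declared length.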


