CERT^® Advisory CA-2001-18 Multiple Vulnerabilities in Several Implementations of the Lightweight Directory Access Protocol (LDAP)

A complete revision history can be found at the end of this file.

Systems Affected

Several implementations of the Lightweight Directory Access Protocol (LDAP) protocol contain vulnerabilities that may allow denial-of-service attacks, unauthorized privileged access, or both. If your site uses any of the products listed in this advisory, the CERT/CC encourages you to follow the advice provided in the Solution section below.

I. Description

The LDAP protocol provides access to directories that support the X.500 directory semantics without requiring the additional resources of X.500. A directory is a collection of information such as names, addresses, access control lists, and cryptographic certificates. Because LDAP servers are widely used in maintaining corporate contact information and providing authentication services, any threats to their integrity or stability can jeopardize the security of an organization.

To test the security of protocols like LDAP, the PROTOS project presents a server with a wide variety of sample packets containing unexpected values or illegally formatted data. This approach may reveal vulnerabilities that would not manifest themselves under normal conditions. As a member of the PROTOS project consortium, the Oulu University Secure Programming Group (OUSPG) co-developed and subsequently used the PROTOS LDAPv3 test suite to study several implementations of the LDAP protocol.

The PROTOS LDAPv3 test suite is divided into two main sections: the "Encoding" section, which tests an LDAP server's response to packets that violate the Basic Encoding Rules (BER), and the "Application" section, which tests an LDAP server's response to packets that trigger LDAP-specific application anomalies. Each section is further divided into "groups" that collectively exercise a particular encoding or application feature. Finally, each group contains one or more "test cases," which represent the network packets that are used to test individual exceptional conditions.

By applying the PROTOS LDAPv3 test suite to a variety of popular LDAP-enabled products, the OUSPG revealed the following vulnerabilities:

VU#276944 - iPlanet Directory Server contains multiple vulnerabilities in LDAP handling code

The iPlanet Directory Server contains multiple vulnerabilities in the code that processes LDAP requests.

In the encoding section of the test suite, this product had an indeterminate number of failures in the group that tests invalid BER length of length fields.

In the application section of the test suite, this product failed four groups and had inconclusive results for an additional five groups. The four failed groups indicate the presence of buffer overflow vulnerabilities. For the inconclusive groups, the product exhibited suspicious behavior while testing for format string vulnerabilities.

VU#505564 - IBM SecureWay Directory is vulnerable to denial-of-service attacks via LDAP handling code

The IBM SecureWay Directory server contains one or more buffer overflow vulnerabilities in the code that processes LDAP requests. These vulnerabilities were discovered independently by IBM using the PROTOS LDAPv3 test suite.

VU#583184 - Lotus Domino R5 Server Family contains multiple vulnerabilities in LDAP handling code

The Lotus Domino R5 Server Family (including the Enterprise, Application, and Mail servers) contains multiple vulnerabilities in the code that processes LDAP requests.

In the encoding section of the test suite, this product failed 1 of 77 groups. The failed group tests a server's response to miscellaneous packets with semi-valid BER encodings.

In the application section of the test suite, this product failed 23 of 77 groups. These results suggest that both buffer overflow and format string vulnerabilities are likely to be present in a variety of application components.

VU#657547 - Critical Path directory products contain multiple vulnerabilities in LDAP handling code

The InJoin Directory Server and LiveContent Directory both contain multiple vulnerabilities in the code that processes LDAP requests. These vulnerabilities were discovered independently by Critical Path using the PROTOS LDAPv3 test suite.

The tests conducted by Critical Path demonstrated failures in both the encoding and application sections of the test suite.

VU#688960 - Teamware Office contains multiple vulnerabilities in LDAP handling code

The Teamware Office suite is packaged with a combination X.500/LDAP server that provides directory services. Multiple versions of the Office product contain vulnerabilities that cause the LDAP server to crash in response to traffic sent by the PROTOS LDAPv3 test suite.

In the encoding section of the test suite, this product failed 9 of 16 groups involving invalid encodings for several BER object types.

In the application section of the test suite, this product failed 4 of 32 groups. The remaining 45 groups were not exercised during the test runs. The four failed groups indicate the presence of buffer overflow vulnerabilities.

VU#717380 - Potential vulnerabilities in Qualcomm Eudora WorldMail Server LDAP handling code

While investigating the vulnerabilities reported by OUSPG, it was brought to our attention that the Eudora WorldMail Server may contain vulnerabilities that can be triggered via the PROTOS test suite. The CERT/CC has reported this possibility to Qualcomm and an investigation is pending.

VU#763400 - Microsoft Exchange LDAP Service is vulnerable to denial-of-service attacks

The LDAP Service components of Microsoft Exchange 5.5 and Exchange 2000 contain vulnerabilities that cause affected LDAP servers to freeze in response to malformed LDAP requests generated by the PROTOS test suite. This only affects the LDAP service; all other Exchange services, including mail handling, continue normally.

Although these products were not included in OUSPG's initial testing, subsequent informal testing revealed that the LDAP service of Microsoft Exchange became unresponsive while processing test cases containing exceptional BER encodings for the LDAP filter type field.

VU#765256 - Network Associates PGP Keyserver contains multiple vulnerabilities in LDAP handling code

The Network Associates PGP Keyserver 7.0 contains multiple vulnerabilities in the code that processes LDAP requests.

In the encoding section of the test suite, this product failed 12 of 16 groups.

In the application section of the test suite, this product failed 1 of 77 groups. The failed group focused on out-of-bounds integer values for the messageID parameter. Due to a peculiarity of this test group, this failure may actually represent an encoding failure.

VU#869184 - Oracle Internet Directory contains multiple vulnerabilities in LDAP handling code

The Oracle Internet Directory server contains multiple vulnerabilities in the code used to process LDAP requests.

In the encoding section of the test suite, this product failed an indeterminate number of test cases in the group that tests a server's response to invalid encodings of BER OBJECT-IDENTIFIER values.

In the application section of the test suite, this product failed 46 of 77 groups. These results suggest that both buffer overflow and format string vulnerabilities are likely to be present in a variety of application components.

VU#935800 - Multiple versions of OpenLDAP are vulnerable to denial-of-service attacks

There are multiple vulnerabilities in the OpenLDAP implementations of the LDAP protocol. These vulnerabilities exist in the code that translates network datagrams into application-specific information.

In the encoding section of the test suite, this product failed the group that tests the handling of invalid BER length of length fields.

In the application section of the test suite, this product passed all 6685 test cases.

Additional Information

http://www.kb.cert.org/vuls/

Please note that the test results summarized above should not be interpreted as a statement of overall software quality. However, the CERT/CC does believe that these results are useful in describing the characteristics of these vulnerabilities. For example, an application that fails multiple groups indicates that problems exist in different areas of the code, rather than in a specific code segment.

Other Tested Configurations

Please note that each of these products was tested under only one of several combinations of operating system and processor architecture.

II. Impact

VU#276944 - iPlanet Directory Server contains multiple vulnerabilities in LDAP handling code

One or more of these vulnerabilities allow a remote attacker to execute arbitrary code with the privileges of the Directory Server. The server typically runs with system privileges. At least one of these vulnerabilities has been successfully exploited in a laboratory environment under Windows NT 4.0, but they may affect other platforms as well.

VU#505564 - IBM SecureWay Directory is vulnerable to denial-of-service attacks via LDAP handling code

These vulnerabilities allow a remote attacker to crash affected SecureWay Directory servers, resulting in a denial-of-service condition. It is not known at this time whether these vulnerabilities will allow a remote attacker to execute arbitrary code. These vulnerabilities exist on the Solaris and Windows 2000 platforms but are not present under Windows NT, AIX, and AIX with SSL.

VU#583184 - Lotus Domino R5 Server Family contains multiple vulnerabilities in LDAP handling code

One or more of these vulnerabilities allow a remote attacker to execute arbitrary code with the privileges of the Domino server. The server typically runs with system privileges. At least one of these vulnerabilities has been successfully exploited in a laboratory environment.

VU#657547 - Critical Path directory products contain multiple vulnerabilities in LDAP handling code

These vulnerabilities allow a remote attacker to crash affected Critical Path directory servers, resulting in a denial-of-service condition. They may also allow a remote attacker to execute arbitrary code with the privileges of the directory server. The server typically runs with system privileges.

VU#688960 - Teamware Office contains multiple vulnerabilities in LDAP handling code

These vulnerabilities allow a remote attacker to crash affected Teamware LDAP servers, resulting in a denial-of-service condition. They may also allow a remote attacker to execute arbitrary code with the privileges of the Teamware server. The server typically runs with system privileges.

VU#717380 - Potential vulnerabilities in Qualcomm Eudora WorldMail Server LDAP handling code

The CERT/CC has not yet determined the impact of this vulnerability.

VU#763400 - Microsoft Exchange LDAP Service is vulnerable to denial-of-service attacks

These vulnerabilities allow a remote attacker to crash the LDAP component of vulnerable Exchange 5.5 and Exchange 2000 servers, resulting in a denial-of-service condition within the LDAP component.

VU#765256 - Network Associates PGP Keyserver contains multiple vulnerabilities in LDAP handling code

One or more of these vulnerabilities allow a remote attacker to execute arbitrary code with the privileges of the Keyserver. The server typically runs with system privileges. At least one of these vulnerabilities has been successfully exploited in a laboratory environment.

VU#869184 - Oracle Internet Directory contains multiple vulnerabilities in LDAP handling code

One or more of these vulnerabilities allow a remote attacker to execute arbitrary code with the privileges of the Oracle server. The server typically runs with system privileges. At least one of these vulnerabilities has been successfully exploited in a laboratory environment.

VU#935800 - Multiple versions of OpenLDAP are vulnerable to denial-of-service attacks

These vulnerabilities allow a remote attacker to crash affected OpenLDAP servers, resulting in a denial-of-service condition.

To address these vulnerabilities, the OpenLDAP Project has released OpenLDAP 1.2.12 for use in LDAPv2 environments and OpenLDAP 2.0.8 for use in LDAPv3 environments. The CERT/CC recommends that users of OpenLDAP contact their software vendor or obtain the latest version, available at http://www.openLDAP.org/software/download/.

III. Solution

Appendix A contains information provided by vendors for this advisory. Please consult this appendix to determine if you need to contact your vendor directly.

Block access to directory services at network perimeter

As a temporary measure, it is possible to limit the scope of these vulnerabilities by blocking access to directory services at the network perimeter. Please note that this workaround does not protect vulnerable products from internal attacks.

ldap    389/tcp     # Lightweight Directory Access Protocol 
ldap    389/udp     # Lightweight Directory Access Protocol 
ldaps   636/tcp     # ldap protocol over TLS/SSL (was sldap) 
ldaps   636/udp     # ldap protocol over TLS/SSL (was sldap)

Please visit Critical Path InJoin Directory Server support pages at (http://support.cp.net/CP_Buffer_Overflow_Vulnerability.doc) for details on workarounds and patch availability information for the potential vulnerabilities discovered in the InJoin Directory Server.

IBM Corporation

Fixes will be posted to the download sites (IBM or Tivoli) for the affected platform. See http://www-1.ibm.com/support under "Server Downloads" or "Software Downloads" for links to the fix distribution sites.

Platform         Failed Test Cases(index#/category)       Failure Symptoms

Solaris          #136/E0 encoding exception-invalid       Server crash
                 encodings for L field of BER
                 encoding.

Solaris          #6119/O7 application exception           Server crash
                 -large number of continuous
                 attributes offered to attribute
                 field.

Windows 2000     #452/E0 encoding exception               Server crash
                 -invalid encodings for L
                 field of BER encoding.

Windows 2000     #5554/O4 application exception-          Server crash
                 large number of continuous
                 initial substring offered to
                 substring filter.

iPlanet customers with questions on this advisory are requested to contact iPlanet Technical Support who will provide full support and up-to-date information.

Lotus Development Corporation

Lotus reproduced the problem as reported by OUSPG and documented it in SPR#DWUU4W6NC8.

Lotus responded quickly to resolve the problem in a maintenance update to Domino. It was addressed in Domino R5.0.7a, which was released on May 18th, 2001. This release can be downloaded from Notes.net at

http://www.notes.net/qmrdown.nsf/qmrwelcome.

The fix is documented in the fix list at

http://www.notes.net/r5fixlist.nsf/Search!SearchView&Query=DWUU4W6NC8

http://www.microsoft.com/support/

http://www.pgp.com/downloads/default.asp

Oracle has prepared a Solaris-based patch set for Oracle Internet Directory versions 2.1.1.x and 3.0.1. These patches were made available on July 17, 2001 to Oracle Internet Directory customers via the Oracle MetaLink (http://metalink.oracle.com/) system.

Please visit Oracle Technology Network at http://otn.oracle.com/deploy/security/alerts.htm for details on workarounds and patch availability information for the potential buffer overflow vulnerabilities discovered in Oracle Internet Directory.

QUALCOMM Incorporated

The LDAP service in WorldMail may be vulnerable to this exploit, but our tests so far have been inconclusive. At this time, we strongly urge all WorldMail customers to ensure that the LDAP service is not accessible from outside their organization nor by untrusted users.

SGI

SGI has released the following Security Advisory regarding VU#276944

ftp://patches.sgi.com/support/free/security/advisories/20011102-01-I

This overflow is likely to cause execution of malicious code. In other case, the LDAP server may go into abnormal termination or infinite loop.

Appendix B. - Supplemental Information

The PROTOS project is a research partnership between the University of Oulu and VTT Electronics, an independent research organization owned by the Finnish government. The project studies methods by which protocol implementations can be tested for information security defects.

Although the vulnerabilities discussed in this advisory relate specifically to the LDAP protocol, the methodology used to research, develop, and deploy the PROTOS LDAPv3 test suite can be applied to any communications protocol.

For more information on the PROTOS project and its collection of test suites, please visit

http://www.ee.oulu.fi/research/ouspg/protos/

Abstract Syntax Notation One (ASN.1) is a flexible notation that allows one to define a variety data types. The Basic Encoding Rules (BER) describe how to represent or encode the values of each ASN.1 type as a string of octets. This allow programmers to encode and decode data for platform-independent transmission over a network.

References

http://www.cert.org/advisories/CA-2001-18.html

http://www.ietf.org/rfc/rfc2116.txt

http://www.ietf.org/rfc/rfc2251.txt

http://www.ietf.org/rfc/rfc2252.txt

http://www.ietf.org/rfc/rfc2253.txt

http://www.ietf.org/rfc/rfc2254.txt

http://www.ietf.org/rfc/rfc2255.txt

http://www.ietf.org/rfc/rfc2256.txt

http://www.ee.oulu.fi/research/ouspg/protos/

http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/ldapv3/

http://www.kb.cert.org/vuls/

http://www.kb.cert.org/vuls/id/276944

http://www.kb.cert.org/vuls/id/505564

http://www.kb.cert.org/vuls/id/583184

http://www.kb.cert.org/vuls/id/657547

http://www.kb.cert.org/vuls/id/688960

http://www.kb.cert.org/vuls/id/717380

http://www.kb.cert.org/vuls/id/763400

http://www.kb.cert.org/vuls/id/765256

http://www.kb.cert.org/vuls/id/869184

http://www.kb.cert.org/vuls/id/935800

The CERT Coordination Center thanks the Oulu University Secure Programming Group for reporting these vulnerabilities to us, for their detailed technical analyses, and for their assistance in preparing this advisory. We also thank the many vendors who provided feedback regarding their respective vulnerabilities.

Authors: Jeffrey P. Lanza and Cory F. Cohen. Feedback on this advisory is greatly appreciated.

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:

CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from

http://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site

http://www.cert.org/

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.

NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.

Copyright 2001 Carnegie Mellon University.

Revision History

Jul 16, 2001: Initial release
Jul 17, 2001: Added Oracle vendor statement
Jul 17, 2001: Fixed link to IBM site
Jul 17, 2001: Updated Lotus vendor statement
Jul 19, 2001: Changed "Oracle 8i Enterprise Edition" to "Oracle Internet Directory"
Jul 19, 2001: Updated Microsoft sections to list Exchange 2000 as vulnerable
Jul 19, 2001: Added version numbers and impact information for IBM
Jul 24, 2001: Added revised Oracle vendor statement
Jul 26, 2001: Added Novell vendor section; Updated Microsoft statement
Jul 27, 2001: Added vendor statement from iPlanet
Aug 13, 2001: Moved OpenLDAP patch information to Impact section
Aug 13, 2001: Moved Novell and Microsoft unaffected product statements to Description section
Aug 13, 2001: Miscellaneous vendor statement fixes
Aug 13, 2001: Added information regarding Critical Path (VU#657547)
Dec 10, 2001: Added vendor information for SGI