             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

   The Sun ONE and JES Directory Server Contain a Buffer Overflow involving LDAP
                              [Sun Alert ID: 57754]

April 15, 2005 12:00 GMT                                          Number P-183
______________________________________________________________________________
PROBLEM:       A local or remote unprivileged user may be able to execute
               arbitrary commands on a vulnerable LDAP server with the
               privileges of the LDAP process, or terminate the LDAP process,
               resulting in a Denial of Service (DoS).

PLATFORM:      Sun ONE Directory Server 5.1 SP3 and earlier (for Solaris 8,
               9, and 10 on Solaris SPARC and Solaris x86 Platforms, Linux,
               Windows, HP-UX, and AIX)

               Sun Java System Directory Server 5.2
               - without patch 115614-20 (for Solaris 8, 9, and 10 on the
                 SPARC Platform)
               - without patch 115615-20 (for Solaris 8, 9, and 10 on the
                 x86 Platform)
               - without patch 118080-05 (for Linux)

               Or, the PatchZIP version of Sun Java System Directory Server
               5.2 (5.2 RTM ZIP or 5.2 Patch2 ZIP):
               - without patch 117665-02 (for Solaris 8, 9, and 10 on the
                 SPARC Platform)
               - without patch 117666-02 (for Solaris 8, 9, and 10 on the
                 x86 Platform)
               - without patch 117668-02 (for Linux)
               - without patch 117667-02 (for Windows)
               - without patch 117669-02 (for HP-UX)
               - without patch 117670-02 (for AIX)

DAMAGE:        A local or remote unprivileged user may be able to execute
               arbitrary commands on a vulnerable LDAP server with the
               privileges of the LDAP process, or terminate the LDAP process,
               resulting in a Denial of Service (DoS).

SOLUTION:      Apply the patch for your platform, or upgrade to the release
               listed in the Resolution section below.
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. A local or remote unprivileged user may be
ASSESSMENT:    able to execute arbitrary commands on a vulnerable LDAP server
               with the privileges of the LDAP process, or terminate the LDAP
               process, resulting in a Denial of Service (DoS).
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/p-183.shtml
 ORIGINAL BULLETIN:  Sun Alert ID: 57754
                     http://www.sunsolve.sun.com/search/document.do?assetkey=1-26-57754-1&searchclause=%22category:security%22%20%22availability,%20security%22
______________________________________________________________________________

[***** Start Sun Alert ID: 57754 *****]

Sun(sm) Alert Notification

   Sun Alert ID:   57754
   Synopsis:       The Sun ONE and Sun Java System Directory Servers Contain
                   a Buffer Overflow in the Access Control Implementation
                   for LDAP Requests
   Category:       Security
   Product:        Sun ONE Directory Server, Sun Java System Directory Server
   BugIDs:         6182428
   Avoidance:      Patch, Upgrade
   State:          Resolved
   Date Released:  13-Apr-2005
   Date Closed:    13-Apr-2005
   Date Modified:

1. Impact

A local or remote unprivileged user may be able to execute arbitrary commands
on a vulnerable LDAP server with the privileges of the LDAP process, or
terminate the LDAP process, resulting in a Denial of Service (DoS).

This issue is described in CERT Vulnerability Note VU#258905 at
http://www.kb.cert.org/vuls/id/258905.

2. Contributing Factors

This issue can occur in the following releases:

Sun ONE Directory Server 5.1
  * SP3 and earlier (for Solaris 8, 9, and 10 on Solaris SPARC and Solaris
    x86 Platforms, Linux, Windows, HP-UX, and AIX)

Sun Java System Directory Server 5.2
  * without patch 115614-20 (for Solaris 8, 9, and 10 on the SPARC Platform)
  * without patch 115615-20 (for Solaris 8, 9, and 10 on the x86 Platform)
  * without patch 118080-05 (for Linux)

Or, the PatchZIP version of Sun Java System Directory Server 5.2 (5.2 RTM ZIP
or 5.2 Patch2 ZIP):
  * without patch 117665-02 (for Solaris 8, 9, and 10 on the SPARC Platform)
  * without patch 117666-02 (for Solaris 8, 9, and 10 on the x86 Platform)
  * without patch 117668-02 (for Linux)
  * without patch 117667-02 (for Windows)
  * without patch 117669-02 (for HP-UX)
  * without patch 117670-02 (for AIX)

Notes:
  "RTM" is in reference to the first release of this product.
  This issue does not occur in Sun Java System Directory Server 2005Q1.

3. Symptoms

If the LDAP process is not running, users whose accounts are managed by the
LDAP server may not be able to log in, and related LDAP commands such as
ldapsearch(1) may no longer work. The ldap(1) utilities will output error
messages similar to the following to the console:

    can't connect to the LDAP server - connection refused

4. Relief/Workaround

There is no workaround. Please see the "Resolution" section below.

5. Resolution

This issue is addressed in the following releases:

Sun ONE Directory Server 5.1
  * SP4 and later (for Solaris 8, 9, and 10 on Solaris SPARC and Solaris x86
    Platforms, Linux, Windows, HP-UX, and AIX)

Sun ONE Directory Server 5.1 SP4 can be downloaded from
http://www.sun.com/download/products.xml?id=42155636

Sun Java System Directory Server 5.2 with the patches listed on the following
platforms:
  * with patch 115614-20 or later (for Solaris 8, 9, and 10 on the SPARC
    Platform)
  * with patch 115615-20 or later (for Solaris 8, 9, and 10 on the x86
    Platform)
  * with patch 118080-05 or later (for Linux)

Or, if upgrading from the PatchZIP version of Sun Java System Directory Server
5.2 (to upgrade from 5.2 RTM ZIP or 5.2 Patch2 ZIP):
  * with patch 117665-02 or later (for Solaris 8, 9, and 10 on the SPARC
    Platform)
  * with patch 117666-02 or later (for Solaris 8, 9, and 10 on the x86
    Platform)
  * with patch 117668-02 or later (for Linux)
  * with patch 117667-02 or later (for Windows)
  * with patch 117669-02 or later (for HP-UX)
  * with patch 117670-02 or later (for AIX)

This Sun Alert notification is being provided to you on an "AS IS" basis.
This Sun Alert notification may contain information provided by third
parties. The issues described in this Sun Alert notification may or may not
impact your system(s). Sun makes no representations, warranties, or
guarantees as to the information contained herein. ANY AND ALL WARRANTIES,
EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE
HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN SHALL
IN NO EVENT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR
CONSEQUENTIAL DAMAGES THAT ARISE OUT OF YOUR USE OR FAILURE TO USE THE
INFORMATION CONTAINED HEREIN. This Sun Alert notification contains Sun
proprietary and confidential information. It is being provided to you
pursuant to the provisions of your agreement to purchase services from Sun,
or, if you do not have such an agreement, the Sun.com Terms of Use. This Sun
Alert notification may only be used for the purposes contemplated by these
agreements.

Copyright 2000-2005 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
CA 95054 U.S.A. All rights reserved.

[***** End Sun Alert ID: 57754 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Sun Microsystems for the
information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:  http://www.ciac.org/
   Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of the
United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring by
the United States Government or the University of California. The views and
opinions of authors expressed herein do not necessarily state or reflect those
of the United States Government or the University of California, and shall not
be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

P-171: SGI Advanced Linux Environment 3 Security Update #33
P-172: SGI IRIX gr_osview File Overwrite Vulnerabilities
P-173: Cumulative Security Update for Internet Explorer
P-174: Vulnerability in Exchange Server
P-175: Vulnerability in MSN Messenger (896597)
P-176: Vulnerabilities in Microsoft Word (890169)
P-177: Vulnerabilities in TCP-IP (893066)
P-178: Vulnerability in Message Queuing (892944)
P-179: Vulnerability in Windows Shell (893086)
P-180: Vulnerabilities in Windows Kernel (890859)
P-181: Cisco Products Vulnerable to DoS via Crafted ICMP Messages
P-182: Oracle Critical Patch Update - April 2005
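Added example, not part of the CIAC bulletin or the Sun Alert: the Resolution section above (section 5) fixes this issue for Sun Java System Directory Server 5.2 by patch revision, so the practical question on a Solaris host is whether the installed revision of the listed patch is at or above the fixed one. The POSIX shell script below turns that patch table into a check that can be run against showrev(1M) output. The patch IDs are copied from the alert; the showrev listing embedded in the script is constructed sample data; the function names (required_patches, highest_installed_rev, patch_status, report) are this example's own. It compares revisions numerically rather than as strings, so 115614-18 is reported as below the required 115614-20, and it takes the highest revision when several revisions of one patch appear. It does not cover Sun ONE Directory Server 5.1, where the fix is the SP4 upgrade rather than a patch, and the Windows, HP-UX and AIX PatchZIP entries are kept in the table only for completeness, since showrev does not exist there.

```shell
#!/bin/sh
# Added example (not from the CIAC bulletin or the Sun Alert): check installed
# Solaris patch revisions against the fixed revisions Sun Alert 57754 lists
# for Sun Java System Directory Server 5.2 (section 5, Resolution).
# Patch IDs are copied from the alert; the showrev(1M) output below is
# constructed sample data; function names are this example's own.

# Fixed patch per platform/packaging, as "<label> <base-id>-<revision>".
# Labels ending in -pkg are the packaged product, -zip the PatchZIP product.
required_patches() {
    cat <<'EOF'
sparc-pkg   115614-20
x86-pkg     115615-20
linux-pkg   118080-05
sparc-zip   117665-02
x86-zip     117666-02
linux-zip   117668-02
windows-zip 117667-02
hpux-zip    117669-02
aix-zip     117670-02
EOF
}

# Constructed sample in the shape of `showrev -p` output (one
# "Patch: <id>-<rev> ..." line per installed patch). On a live host,
# replace this with the real output: showrev -p > /tmp/patches.txt
sample_showrev() {
    cat <<'EOF'
Patch: 113713-11 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWpl5u
Patch: 115614-18 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWdsvu
Patch: 117666-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWdsvu
Patch: 117666-03 Obsoletes: 117666-01 Requires:  Incompatibles:  Packages: SUNWdsvu
EOF
}

# highest_installed_rev <base-id> <listing-file>
# Prints the highest installed revision of that patch, or "none".
# Revisions are compared as numbers, never as strings ("9" > "10" otherwise).
highest_installed_rev() {
    awk -v base="$1" '
        BEGIN { best = -1 }
        $1 == "Patch:" {
            split($2, p, "-")
            if (p[1] == base && p[2] + 0 > best) best = p[2] + 0
        }
        END { if (best < 0) print "none"; else print best }' "$2"
}

# patch_status <label> <listing-file>
# Prints fixed | vulnerable | not-installed | unknown-label.
# Exit status is 0 only when the required revision or later is installed.
patch_status() {
    entry=$(required_patches | awk -v l="$1" '$1 == l { print $2 }')
    if [ -z "$entry" ]; then
        echo "unknown-label"; return 2
    fi
    need=${entry#*-}                              # revision part after the dash
    have=$(highest_installed_rev "${entry%-*}" "$2")
    if [ "$have" = "none" ]; then
        echo "not-installed"; return 1
    elif [ "$have" -ge "$need" ]; then            # numeric test: 18 < 20, 3 >= 2
        echo "fixed"; return 0
    else
        echo "vulnerable"; return 1
    fi
}

# report <listing-file>: one line per table entry. "not-installed" means only
# that this particular patch is absent; it is the expected result for every
# platform other than the one the host actually runs.
report() {
    required_patches | while read -r label entry; do
        printf '%-12s %-10s %s\n' "$label" "$entry" "$(patch_status "$label" "$1")"
    done
}

# Demonstration against the constructed listing.
demo_listing=$(mktemp)
sample_showrev > "$demo_listing"
report "$demo_listing"
rm -f "$demo_listing"
```

Run as-is, the demonstration reports sparc-pkg as vulnerable (115614-18 installed, 115614-20 required), x86-zip as fixed (117666-03 installed, 117666-02 required) and every other entry as not-installed. On a real host, point report at a file holding `showrev -p` output and read only the line for the platform and packaging that host actually runs; a "vulnerable" line there means the Directory Server is still at an affected revision.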