Executive Summary
| Summary | |
|---|---|
| Title | PAM/NSS LDAP vulnerabilitiy |
| Informations | |||
|---|---|---|---|
| Name | USN-152-1 | First vendor Publication | 2005-07-21 |
| Vendor | Ubuntu | Last vendor Modification | 2005-07-21 |
| Severity (Vendor) | N/A | Revision | N/A |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:N/AC:L/Au:N/C:P/I:N/A:N) | |||
|---|---|---|---|
| Cvss Base Score | 5 | Attack Range | Network |
| Cvss Impact Score | 2.9 | Attack Complexity | Low |
| Cvss Expoit Score | 10 | Authentication | None Required |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| A security issue affects the following Ubuntu releases: Ubuntu 4.10 (Warty Warthog) Ubuntu 5.04 (Hoary Hedgehog) The following packages are affected: libnss-ldap libpam-ldap slapd On Ubuntu 4.10, the problem can be corrected by upgrading the affected packages to version 2.1.30-2ubuntu4.1 (slapd), 164-2ubuntu0.1 (libpam-ldap), and 220-1ubuntu0.1 (libnss-ldap). On Ubuntu 5.04, the problem can be corrected by upgrading the affected packages to version 2.1.30-3ubuntu3.1 (slapd), 169-1ubuntu0.1 (libpam-ldap), and 220-1ubuntu0.1 (libnss-ldap). In general, a standard system upgrade is sufficient to effect the necessary changes. (Please note that libnss-ldap and libpam-ldap are not officially supported by Ubuntu, they are in the "universe" suite of the archive.) Details follow: Andrea Barisani discovered a flaw in the SSL handling of pam-ldap and libnss-ldap. When a client connected to a slave LDAP server using SSL, the slave server did not use SSL as well when contacting the LDAP master server. This caused passwords and other confident information to be transmitted unencrypted between the slave and the master. |
Original Source
| Url : http://www.ubuntu.com/usn/USN-152-1 |
CWE : Common Weakness Enumeration
| % | Id | Name |
|---|---|---|
| 100 % | CWE-319 | Cleartext Transmission of Sensitive Information |
OVAL Definitions
| Definition Id: oval:org.mitre.oval:def:9445 | |||
| Oval ID: | oval:org.mitre.oval:def:9445 | ||
| Title: | pam_ldap and nss_ldap, when used with OpenLDAP and connecting to a slave using TLS, does not use TLS for the subsequent connection if the client is referred to a master, which may cause a password to be sent in cleartext and allows remote attackers to sniff the password. | ||
| Description: | pam_ldap and nss_ldap, when used with OpenLDAP and connecting to a slave using TLS, does not use TLS for the subsequent connection if the client is referred to a master, which may cause a password to be sent in cleartext and allows remote attackers to sniff the password. | ||
| Family: | unix | Class: | vulnerability |
| Reference(s): | CVE-2005-2069 | Version: | 5 |
| Platform(s): | Red Hat Enterprise Linux 3 CentOS Linux 3 Red Hat Enterprise Linux 4 CentOS Linux 4 Oracle Linux 4 | Product(s): | |
| Definition Synopsis: | |||
| |||
CPE : Common Platform Enumeration
| Type | Description | Count |
|---|---|---|
| Application | 1 | |
| Application | 1 |
OpenVAS Exploits
| Date | Description |
|---|---|
| 2009-10-10 | Name : SLES9: Security update for pam_ldap File : nvt/sles9p5015275.nasl |
| 2009-10-10 | Name : SLES9: Security update for openldap2-client,openldap2-devel File : nvt/sles9p5016606.nasl |
| 2008-09-24 | Name : Gentoo Security Advisory GLSA 200507-13 (pam_ldap nss_ldap) File : nvt/glsa_200507_13.nasl |
Open Source Vulnerability Database (OSVDB)
| Id | Description |
|---|---|
| 17692 | OpenLDAP / pam_ldap TLS Connection Cleartext Password Disclosure |
Nessus® Vulnerability Scanner
| Date | Description |
|---|---|
| 2006-07-05 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2005-767.nasl - Type : ACT_GATHER_INFO |
| 2006-07-03 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2005-751.nasl - Type : ACT_GATHER_INFO |
| 2006-01-15 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-152-1.nasl - Type : ACT_GATHER_INFO |
| 2005-10-19 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2005-751.nasl - Type : ACT_GATHER_INFO |
| 2005-10-19 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2005-767.nasl - Type : ACT_GATHER_INFO |
| 2005-08-30 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-785.nasl - Type : ACT_GATHER_INFO |
| 2005-07-19 | Name : The remote Mandrake Linux host is missing one or more security updates. File : mandrake_MDKSA-2005-121.nasl - Type : ACT_GATHER_INFO |
| 2005-07-14 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200507-13.nasl - Type : ACT_GATHER_INFO |
Alert History
| Date | Informations |
|---|---|
| 2014-02-17 12:00:30 |
|
