pam_ldap and nss_ldap: Plain text authentication leak — GLSA 200507-13

pam_ldap and nss_ldap fail to restart TLS when following a referral, possibly leading to credentials being sent in plain text.

Affected packages

sys-auth/nss_ldap (all architectures)
  Affected versions:   < 239-r1
  Unaffected versions: >= 239-r1, revision >= 226-r1
sys-auth/pam_ldap (all architectures)
  Affected versions:   < 178-r1
  Unaffected versions: >= 178-r1

Background

pam_ldap is a Pluggable Authentication Module which allows authentication against an LDAP directory. nss_ldap is a Name Service Switch module which allows 'passwd', 'group' and 'host' database information to be pulled from LDAP. TLS is Transport Layer Security, a protocol that allows encryption of network communications.

Description

Rob Holland of the Gentoo Security Audit Team discovered that pam_ldap and nss_ldap fail to use TLS for referred connections if they are referred to a master after connecting to a slave, regardless of the "ssl start_tls" ldap.conf setting.
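A defender-side check for the failure mode described above, added here as an example and not part of the GLSA or of either package: a minimal BER decoder that flags an LDAP simple BindRequest travelling in the clear, which is exactly what a client that follows a referral without restarting TLS would emit. The packets are constructed inline with the helper `build_bind`; the DN and password values are made-up samples.

```python
"""Flag cleartext LDAPv3 simple binds (password in [0] simple auth choice)."""

def _read_tlv(buf, pos):
    """Decode one BER tag/length/value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def cleartext_simple_bind(packet):
    """Return (message_id, bind_dn) if packet is an LDAPv3 simple BindRequest
    carrying a password in the clear; otherwise None (SASL binds, other
    operations and truncated input are ignored)."""
    try:
        tag, msg, _ = _read_tlv(packet, 0)
        if tag != 0x30:                    # LDAPMessage is a SEQUENCE
            return None
        tag, mid, pos = _read_tlv(msg, 0)  # INTEGER messageID
        if tag != 0x02:
            return None
        tag, op, _ = _read_tlv(msg, pos)
        if tag != 0x60:                    # [APPLICATION 0] BindRequest
            return None
        _, _version, pos = _read_tlv(op, 0)
        _, dn, pos = _read_tlv(op, pos)    # OCTET STRING name
        tag, _auth, _ = _read_tlv(op, pos)
        if tag != 0x80:                    # [0] simple; 0xA3 would be SASL
            return None
        return int.from_bytes(mid, "big"), dn.decode("utf-8")
    except IndexError:
        return None

def _ber(tag, body):
    """Encode one TLV (short or long length form) for building sample packets."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    ln = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def build_bind(message_id, dn, password=None):
    """Construct a sample BindRequest: simple auth when a password is given,
    otherwise a SASL EXTERNAL bind (no cleartext secret) for contrast."""
    auth = _ber(0x80, password.encode()) if password is not None \
        else _ber(0xA3, _ber(0x04, b"EXTERNAL"))
    op = _ber(0x60, _ber(0x02, b"\x03") + _ber(0x04, dn.encode()) + auth)
    return _ber(0x30, _ber(0x02, bytes([message_id])) + op)

if __name__ == "__main__":
    pkt = build_bind(1, "uid=alice,dc=example,dc=com", "hunter2")  # constructed
    print(cleartext_simple_bind(pkt))      # (1, 'uid=alice,dc=example,dc=com')
```

Run against the payload bytes of port 389 traffic after a StartTLS exchange: a non-None result there means the session is carrying credentials unencrypted.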

Impact

An attacker could sniff passwords or other sensitive information as the communication is not encrypted.

Workaround

pam_ldap and nss_ldap can be configured to force the use of SSL (LDAP over SSL, encrypted from the start of the connection) instead of TLS negotiated with start_tls.

Resolution

All pam_ldap users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=sys-auth/pam_ldap-178-r1"

All nss_ldap users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose sys-auth/nss_ldap

Release date
July 14, 2005

Latest revision
July 14, 2005: 01

Severity
normal

Exploitable
remote