----------------------------------------------------------------------

TITLE:
OpenLDAP / pam_ldap Password Disclosure Security Issue

SECUNIA ADVISORY ID:
SA15906

VERIFY ADVISORY:
http://secunia.com/advisories/15906/

CRITICAL:
Less critical

IMPACT:
Exposure of sensitive information

WHERE:
From local network

SOFTWARE:
pam_ldap 1.x
http://secunia.com/product/2131/
OpenLDAP 2.1.x
http://secunia.com/product/1831/
OpenLDAP 2.2.x
http://secunia.com/product/5319/

DESCRIPTION:
A security issue has been reported in OpenLDAP and pam_ldap, which
can be exploited by malicious people to gain knowledge of sensitive
information.

The security issue is caused by the client not connecting to the
master server using TLS when it is referred by the slave server to
the master server for password changes. This allows malicious people
to gain knowledge of users' passwords by sniffing network traffic.

The security issue has been reported in OpenLDAP version 2.2.26 and
pam_ldap version 1.76. Other versions may also be affected.

SOLUTION:
Configure LDAP servers to only accept TLS connections.
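
As an added example (not part of the Secunia advisory or of OpenLDAP),
the following audits a slave server's slapd.conf for the two settings
that matter here: a "security" requirement and the scheme of any
updateref/referral URL. The sample configurations, hostnames and the
128-bit threshold are assumptions made for illustration.

```python
# Added example; configs below are constructed, hostnames are placeholders.
WEAK_CONF = """\
# replica that refers writes to the master
TLSCertificateFile /etc/openldap/replica.crt
database bdb
suffix "dc=example,dc=com"
updateref ldap://master.example.com
"""
HARDENED_CONF = """\
TLSCertificateFile /etc/openldap/replica.crt
security ssf=128
  update_ssf=128
database bdb
suffix "dc=example,dc=com"
updateref ldaps://master.example.com
"""
MIN_SSF = 128  # assumed site policy, not a value from the advisory

def directives(text):
    """Yield (name, args); a line starting with whitespace continues the previous one."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    for line in logical:
        name, *rest = line.split(None, 1)
        yield name.lower(), (rest[0].split() if rest else [])

def audit(text):
    """Return findings for settings that permit the plaintext referral described above."""
    findings, factors = [], {}
    for name, args in directives(text):
        if name == "security":
            for arg in args:
                key, _, value = arg.partition("=")
                if value.isdigit():
                    factors[key.lower()] = int(value)
        elif name in ("updateref", "referral"):
            findings += [f"{name} {u}: plaintext referral target"
                         for u in args if u.lower().startswith("ldap://")]
    if max(factors.get(k, 0) for k in ("ssf", "tls", "transport")) < MIN_SSF:
        findings.append(f"no security factor (ssf/tls/transport) >= {MIN_SSF}")
    return findings

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or "ok")
```

A "security" requirement makes slapd refuse operations on weaker
sessions, but a simple bind sent over ldap:// has already put the
password on the wire by then, which is why the referral URL scheme is
checked as well.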

ORIGINAL ADVISORY:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=161990

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help
everybody keep their systems up to date against the latest
vulnerabilities.

----------------------------------------------------------------------