Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score: 4.6
CVE Id: CVE-2011-1024
Last Modified: 06 Sep 2011 11:15:15
Published: 19 Mar 2011 10:00:03
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Access Vector: NETWORK
Access Complexity: HIGH
Authentication: SINGLE_INSTANCE

CVE-2011-1024

Summary

chain.c in back-ldap in OpenLDAP 2.4.x before 2.4.24, when a master-slave configuration with a chain overlay and ppolicy_forward_updates (aka authentication-failure forwarding) is used, allows remote authenticated users to bypass external-program authentication by sending an invalid password to a slave server.

Vulnerable Systems

Application

  • Openldap 2.4.6
  • Openldap 2.4.7
  • Openldap 2.4.8
  • Openldap 2.4.9
  • Openldap 2.4.10
  • Openldap 2.4.11
  • Openldap 2.4.12
  • Openldap 2.4.13
  • Openldap 2.4.14
  • Openldap 2.4.15
  • Openldap 2.4.16
  • Openldap 2.4.17
  • Openldap 2.4.18
  • Openldap 2.4.19
  • Openldap 2.4.20
  • Openldap 2.4.21
  • Openldap 2.4.22
  • Openldap 2.4.23


References

MLIST - [openldap-announce] 20110212 OpenLDAP 2.4.24 available
CONFIRM - http://www.openldap.org/devel/cvsweb.cgi/servers/slapd/back-ldap/chain.c.diff?r1=1.76&r2=1.77&hideattic=1&sortbydate=0
CONFIRM - https://bugzilla.redhat.com/show_bug.cgi?id=680466
CONFIRM - https://bugzilla.novell.com/show_bug.cgi?id=674985
VUPEN - ADV-2011-0665
UBUNTU - USN-1100-1
REDHAT - RHSA-2011:0347
REDHAT - RHSA-2011:0346
MLIST - [openldap-technical] 20100429 ppolicy master/slave issue
CONFIRM - http://www.openldap.org/its/index.cgi/Software%20Bugs?id=6607
MANDRIVA - MDVSA-2011:056
MANDRIVA - MDVSA-2011:055
SECTRACK - 1025188
SECUNIA - 43718
SECUNIA - 43708
SECUNIA - 43331
MLIST - [oss-security] 20110225 Re: CVE Request -- OpenLDAP -- two issues
MLIST - [oss-security] 20110224 CVE Request -- OpenLDAP -- two issues


Last Updated: 27 May 2016 10:56:08