Bugtraq mailing list archives
Shiva Access Manager 5.0.0 Plaintext LDAP root password.
From: blaise () GEEKY NET (Blaise St. Laurent)
Date: Tue, 6 Jun 2000 14:36:53 -0400
In testing Intel's Shiva Access Manager RADIUS/TACACS+ product, I recently came across an important security hole in the LDAP connectivity on the Solaris platform version of this product. When you configure the S.A.M. to store all of its information in an LDAP directory, it asks that you give it the root DN's name and password, which it then stores in plaintext in the file $SHIVA_HOME_DIR/insnmgmt/shiva_access_manager/radtac.ini with the rest of the configuration (including LDAP server and port), which is by default world readable (owned by root). To get this information constitutes a total breach of your LDAP server.

The company has been notified and I'm still awaiting a statement with their response (I informed them 3 weeks ago). I haven't taken a look at the NT version of the software to see if there is a similar vulnerability.

That being said, there is a possible workaround. Have SAM use a non-root DN account on the LDAP server that has just enough permissions to modify those fields within the directory that are needed. I can foresee an account that can only change the Shiva extensible objects within the user profile. This limits the amount of damage that may be done, but doesn't alleviate the problem of having someone with unauthorized write privileges in your directory.

Blaise St-Laurent
Security Consultant

DISCLAIMER: The contents of this email are my own findings and do not in any way have anything to do with the company that employs me, or the clients we may work with.
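As an added example (not part of the original post or the product), here is a small audit check for the exposure described above: it flags a configuration file such as radtac.ini when it is world-readable and when it carries a plaintext bind password, and shows the minimal permission fix. The section and key names (`[ldap]`, `rootdn`, `rootpw`) are assumptions, since the advisory does not list the file's actual keys.

```python
import os
import stat
import configparser
import tempfile

# Substrings that suggest a key holds a credential. The real radtac.ini key
# names are not given in the advisory, so this list is an assumption.
SECRET_KEY_HINTS = ("password", "passwd", "secret", "pwd", "pw")


def audit_config(path):
    """Return findings for an INI-style config file:
    - 'world-readable: mode NNNN' if the other-read bit is set
    - 'plaintext secret: [section] key' for each credential-like key
      with a non-empty value
    """
    findings = []
    mode = os.stat(path).st_mode
    if mode & stat.S_IROTH:
        findings.append(f"world-readable: mode {stat.S_IMODE(mode):04o}")
    parser = configparser.ConfigParser(interpolation=None)
    parser.read(path)
    for section in parser.sections():
        for key, value in parser.items(section):
            if any(h in key.lower() for h in SECRET_KEY_HINTS) and value.strip():
                findings.append(f"plaintext secret: [{section}] {key}")
    return findings


def demo():
    """Build a constructed sample file (hypothetical keys), audit it with the
    default world-readable mode reported in the advisory, then again after
    restricting it to owner-only access. Returns (before, after) findings."""
    sample = (
        "[ldap]\n"
        "server = ldap.example.test\n"
        "port = 389\n"
        "rootdn = cn=Manager,dc=example,dc=test\n"
        "rootpw = hunter2\n"          # constructed sample value
    )
    path = os.path.join(tempfile.mkdtemp(), "radtac.ini")
    with open(path, "w") as f:
        f.write(sample)
    os.chmod(path, 0o644)   # default as reported: readable by everyone
    before = audit_config(path)
    os.chmod(path, 0o600)   # minimal mitigation: owner (root) only
    after = audit_config(path)
    return before, after
```

Restricting the mode removes the world-readable finding but, as the post notes, the plaintext secret remains; the least-privilege bind DN is what limits the damage if it is ever read.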