2011-03-09: security advisory: authentication bypass for local accounts
A serious security vulnerability was found in development release 0.8.0 of nss-pam-ldapd that allows authentication with an incorrect password for local user accounts.
The PAM module will return a success code when the user cannot be found in LDAP.
Exploitability depends on the details of the PAM configuration. In Debian (which currently ships 0.8.0 in its experimental repository) the PAM module is configured by default with the minimum_uid=1000 option, so the module does not handle accounts with a lower uid and exploitation is limited to local accounts with a numeric uid >= 1000. In common configurations the user nobody (uid 65534 on Debian) fits these criteria.
On systems that don't use the minimum_uid PAM option it may be possible to log in to any local account, including root.
This problem only affects the 0.8.0 release of nss-pam-ldapd.
Earlier releases are not affected.
This problem has been assigned CVE-2011-0438.
The problem is caused by the fact that an LDAP search that matches no entries still completes without an LDAP error: the server returns LDAP_SUCCESS together with an empty result set. The function that performs the user name lookup incorrectly used only the LDAP return code to determine the lookup result, so a user that does not exist in LDAP at all was treated as if it had been found.
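The following is an added example (Python, not nss-pam-ldapd's own code) that models the flaw described above together with the minimum_uid gate discussed earlier. The one fact it rests on is the one from this advisory: an LDAP search that matches nothing still completes with LDAP_SUCCESS, so a lookup that checks only the return code reports "found" for accounts that are not in the directory at all. The passwd and directory contents, the search and bind stand-ins, and the way the empty lookup result is turned into a successful bind (treated here as an anonymous bind) are assumptions made for the example, not a reconstruction of the 0.8.0 code path; the PAM and LDAP result codes are the standard Linux-PAM and libldap values.

```python
"""Model of the CVE-2011-0438 lookup flaw (added example, not project code).

LDAP search semantics used here: a search that matches no entry is not an
error; it returns LDAP_SUCCESS and zero entries. The vulnerable lookup trusts
the return code alone, the fixed lookup also requires an entry.
"""

LDAP_SUCCESS = 0               # libldap: the operation itself completed
LDAP_INVALID_CREDENTIALS = 49  # libldap: bind rejected
LDAP_SERVER_DOWN = -1          # libldap: stands for "the search really failed"

# Linux-PAM result codes
PAM_SUCCESS, PAM_AUTH_ERR, PAM_USER_UNKNOWN, PAM_IGNORE = 0, 7, 10, 25

# Constructed local accounts (from /etc/passwd only, never in LDAP): name -> uid
LOCAL_PASSWD = {"root": 0, "nobody": 65534}

# Constructed directory content: the only entries a search can ever return
DIRECTORY = {
    "alice": {"dn": "uid=alice,ou=people,dc=example,dc=org",
              "uid": 1000, "password": "s3cret"},
}


def ldap_search(uid, server_up=True):
    """Stand-in for ldap_search_s(): returns (rc, list of DNs).
    A search that matches nothing is NOT an error: (LDAP_SUCCESS, [])."""
    if not server_up:
        return LDAP_SERVER_DOWN, []
    entry = DIRECTORY.get(uid)
    return LDAP_SUCCESS, ([entry["dn"]] if entry else [])


def uid2dn_vulnerable(uid, server_up=True):
    """Trusts the return code alone, as the advisory describes for 0.8.0.
    Returns the DN, or "" when the search succeeded but found no entry."""
    rc, entries = ldap_search(uid, server_up)
    if rc != LDAP_SUCCESS:
        return None
    return entries[0] if entries else ""


def uid2dn_fixed(uid, server_up=True):
    """Requires both a successful search and at least one entry."""
    rc, entries = ldap_search(uid, server_up)
    if rc != LDAP_SUCCESS or not entries:
        return None
    return entries[0]


def ldap_bind(dn, password):
    """Stand-in for ldap_simple_bind_s(): password check against the entry.
    Assumption for this model: an empty DN is an anonymous bind and succeeds,
    which is how the empty DN from the vulnerable lookup becomes a login."""
    if dn == "":
        return LDAP_SUCCESS
    for entry in DIRECTORY.values():
        if entry["dn"] == dn:
            return LDAP_SUCCESS if password == entry["password"] \
                else LDAP_INVALID_CREDENTIALS
    return LDAP_INVALID_CREDENTIALS


def getpwnam(user):
    """Stand-in for the NSS lookup: local accounts first, then the directory."""
    if user in LOCAL_PASSWD:
        return LOCAL_PASSWD[user]
    if user in DIRECTORY:
        return DIRECTORY[user]["uid"]
    return None


def pam_authenticate(user, password, minimum_uid=None, lookup=uid2dn_fixed):
    """Model of the module's authenticate step: minimum_uid gate, lookup, bind."""
    uid = getpwnam(user)
    if uid is None:
        return PAM_USER_UNKNOWN
    if minimum_uid is not None and uid < minimum_uid:
        return PAM_IGNORE          # module declines; another module must decide
    dn = lookup(user)
    if dn is None:
        return PAM_USER_UNKNOWN    # not in LDAP (or search failed): never success
    if ldap_bind(dn, password) == LDAP_SUCCESS:
        return PAM_SUCCESS
    return PAM_AUTH_ERR


if __name__ == "__main__":
    for name, lookup in (("0.8.0 lookup", uid2dn_vulnerable), ("fixed", uid2dn_fixed)):
        for user, minimum_uid in (("nobody", 1000), ("root", 1000), ("root", None)):
            result = pam_authenticate(user, "wrong-password", minimum_uid, lookup)
            print(f"{name:12} user={user:7} minimum_uid={minimum_uid!s:5} -> {result}")
```

With the Debian default of minimum_uid=1000 the vulnerable lookup lets nobody in with any password while root is skipped by the module; without minimum_uid the same wrong password logs in as root. The fixed lookup returns PAM_USER_UNKNOWN for every local account in both configurations, and LDAP users are still authenticated by their bind.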
References:
- the original advisory
- the commit that introduced the bug
- a patch for 0.8.0 to fix this with minimal side-effects
This bug should not be exploitable if your LDAP server requires authentication before performing queries (that is, if anonymous searches are rejected).
For questions please contact the nss-pam-ldapd-users mailing list.