| Problem: | authentication bypass for local accounts |
|---|---|
| CVE: | CVE-2011-0438 |
| Affected: | 0.8.0 only |
| Fixed: | 0.8.1 and later |
| Unaffected: | before 0.8.0 |

A serious security vulnerability was found in development release
0.8.0 of nss-pam-ldapd that allows authentication with an incorrect
password for local user accounts.
The PAM module erroneously returned a success code when the user could
not be found in LDAP.
Exploitability depends on the details of the PAM configuration. In Debian (which shipped 0.8.0 in its experimental repository), the PAM module by default uses the minimum_uid=1000 option, which limits exploits to users with a numeric uid >= 1000. In common configurations the user nobody fits these criteria.
On systems that don't use the minimum_uid PAM option it may be possible to log in to any local account, including root.
This problem only affects the 0.8.0 release of nss-pam-ldapd.
Earlier releases are not affected.
This problem has been assigned
CVE-2011-0438.
The problem was triggered by the fact that an LDAP search that returns no entries does not result in an LDAP error. The function that performs the user name lookup incorrectly only used the LDAP return code to determine the lookup result.
This bug should not be exploitable if your LDAP server requires authentication before performing queries.
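The lookup flaw described above, shown as an added example; this is not code from nss-pam-ldapd. The mock search, the result codes and all function names are constructed for the illustration, and the checked variant is one way to reject an empty result, not necessarily the change made in 0.8.1.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for this example; not nss-pam-ldapd or libldap names. */
enum { RC_SUCCESS = 0, RC_SERVER_DOWN = 1 };   /* search-level result code */
enum { AUTH_OK = 0, AUTH_USER_UNKNOWN = 1, AUTH_UNAVAIL = 2 };

struct search_result { int rc; int nentries; char dn[128]; };

/* Mock directory search: only "alice" exists. A search that matches nothing
   still completes with RC_SUCCESS and zero entries, as an LDAP search does. */
static struct search_result mock_search(const char *uid, int server_up)
{
    struct search_result r = { RC_SUCCESS, 0, "" };
    if (!server_up) { r.rc = RC_SERVER_DOWN; return r; }
    if (strcmp(uid, "alice") == 0) {
        r.nentries = 1;
        snprintf(r.dn, sizeof r.dn, "uid=%s,ou=people,dc=example,dc=com", uid);
    }
    return r;
}

/* Flawed pattern: the result code alone decides the lookup outcome. */
int lookup_user_flawed(const char *uid, int server_up)
{
    struct search_result r = mock_search(uid, server_up);
    return r.rc == RC_SUCCESS ? AUTH_OK : AUTH_UNAVAIL;
}

/* Checked pattern: a successful result code is necessary but not sufficient;
   the search must also have returned an entry with a DN. */
int lookup_user_checked(const char *uid, int server_up)
{
    struct search_result r = mock_search(uid, server_up);
    if (r.rc != RC_SUCCESS) return AUTH_UNAVAIL;
    if (r.nentries < 1 || r.dn[0] == '\0') return AUTH_USER_UNKNOWN;
    return AUTH_OK;
}

int main(void)
{
    const char *users[] = { "alice", "nobody", "root" };
    for (size_t i = 0; i < 3; i++)
        printf("%-7s flawed=%d checked=%d\n", users[i],
               lookup_user_flawed(users[i], 1), lookup_user_checked(users[i], 1));
    return 0;
}
```

Accounts that exist only locally ("nobody", "root" in the mock) come back as success from the flawed lookup and as user-unknown from the checked one.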