SB2019073001 - Improper authorization in OpenLDAP
Published: July 30, 2019
Security Bulletin ID
SB2019073001
Severity
Low
Patch available
YES
Number of vulnerabilities
2
Exploitation vector
Adjecent network
Highest impact
Data manipulation
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 secuirty vulnerabilities.
1) Improper Authorization (CVE-ID: CVE-2019-13057)
The vulnerability allows a remote attacker to escalate privileges on the system.
The vulnerability exists due to incorrect processing of rootDN delegation in the OpenLDAP multi-tenant deployments. A database administrator could use this issue to request authorization as an identity from another database, contrary to expectations.
2) Improper Authorization (CVE-ID: CVE-2019-13565)
The vulnerability allows a remote attacker to escalate privileges.
The vulnerability exists due to incorrect processing of SASL authentication and session encryption in OpenLDAP. After the first SASL bind is completed, the sasl_ssf value is retained for all new non-SASL connections, allowing to bypass ACLs and obtain access by performing simple binds.
Remediation
Install update from vendor's website.