From: John Kinsella
To: dev@cloudstack.apache.org
Subject: [CVE-2014-7807] Apache CloudStack unauthenticated LDAP binds
Date: Mon, 8 Dec 2014 20:11:05 +0000
Message-ID: <97C015F9-93B6-4E1C-9757-264C72B9676B@stratosec.co>

CVE-2014-7807: Apache CloudStack unauthenticated LDAP binds

CVSS: 7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P

Vendors:
The Apache Software Foundation
Citrix, Inc.
Versions Affected: Apache CloudStack 4.3, 4.4

Description:
Apache CloudStack may be configured to authenticate LDAP users. When so configured, it performs a simple LDAP bind with the name and password provided by a user. Simple LDAP binds are defined with three mechanisms (RFC 4513): 1) username and password; 2) unauthenticated, if only a username is specified; and 3) anonymous, if neither username nor password is specified. Currently, Apache CloudStack does not check whether a password was provided, which could allow an attacker to bind as an unauthenticated user.

Mitigation:
Users of Apache CloudStack 4.4 and derivatives should update to the latest version (4.4.2). An updated release, Apache CloudStack 4.3.2, is in testing. Until that is released, we recommend the following interim mitigation: by default, many LDAP servers are not configured to allow unauthenticated binds. If the LDAP server in use allows this behaviour, consider disabling unauthenticated binds.

Credit:
This issue was identified by the Citrix Security Team.
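The following is an added illustration, not CloudStack's code: a small model of the three RFC 4513 simple-bind mechanisms on the server side, with the login check described above in its pre-fix form (any successful bind counts as a login) next to a corrected form that refuses empty credentials and requires the bind to yield the user's own identity. The directory entries, the `allow_unauthenticated` switch and all names are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Tuple


@dataclass
class LdapServer:
    """Toy directory modelling RFC 4513 section 5.1 simple-bind semantics."""
    # Constructed sample entry (dn -> password); not real credentials.
    directory: Dict[str, str] = field(default_factory=lambda: {
        "uid=alice,ou=people,dc=example,dc=com": "correct horse",
    })
    # Server-side mitigation named in the advisory: set this to False.
    allow_unauthenticated: bool = True

    def simple_bind(self, name: str, password: str) -> Tuple[bool, str]:
        """Return (bind succeeded, resulting authorization identity)."""
        if name == "" and password == "":
            return True, "anonymous"            # 5.1.1 anonymous bind
        if password == "":
            # 5.1.2 unauthenticated bind: a name but no password. If the
            # server permits it, the bind succeeds but grants NO user identity.
            if self.allow_unauthenticated:
                return True, "anonymous"
            return False, ""                    # unwillingToPerform
        if self.directory.get(name) == password:
            return True, name                   # 5.1.3 name/password bind
        return False, ""                        # invalidCredentials


def login_vulnerable(server: LdapServer, username: str, password: str) -> bool:
    # Pre-fix behaviour from the advisory: the password is never checked for
    # presence, so a successful unauthenticated bind is treated as a login.
    ok, _ = server.simple_bind(username, password)
    return ok


def login_fixed(server: LdapServer, username: str, password: str) -> bool:
    # Corrected behaviour: never issue a bind without both name and password,
    # and only accept a bind whose authorization identity is the user itself.
    if not username or not password:
        return False
    ok, identity = server.simple_bind(username, password)
    return ok and identity == username
```

Running `login_vulnerable` against a server that permits unauthenticated binds shows the empty-password login succeeding, while `login_fixed` rejects it regardless of server configuration.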