Security vulnerabilities found in Nine popular LDAP products

A Finnish university project to test the security of communications protocols has revealed serious vulnerabilities in several implementations of the Lightweight Directory Access Protocol (LDAP) affecting products such as Lotus Development Corp.'s Domino and Microsoft Corp.'s Exchange servers.

The vulnerabilities, which could result in denial-of-service attacks and unauthorized privileged access, were discovered in LDAP-enabled products from nine vendors, according to an advisory posted this morning by the CERT Coordination Center at Carnegie Mellon University in Pittsburgh.

In addition to Domino and Exchange server, other LDAP-enabled products found with security problems include Sun Microsystems Inc.'s iPlanet Directory Server, IBM's SecureWay Directory, Qualcomm Corp.'s Eudora Worldmail and Network Associates Inc.'s PGP Keyserver, according to CERT.

By JAIKUMAR VIJAYAN reporting for ComputerWorld (July 18, 2001)

Information on patch availability is posted on CERT's Web site, along with advice for users on how to limit the vulnerabilities by blocking access to directory services at the network perimeter.

LDAP is a protocol used to access directories containing critical information such as user names and authentication information, addresses, access control lists and cryptographic certificates.

The breaches were discovered after a security test suite, developed by the Oulu University Secure Programming Group (OUSPG) in Finland, was applied to a variety of popular LDAP-enabled products. The testing involved sending sample packets containing unexpected values or illegally formatted data to those products.

According to the CERT advisory, the testing revealed that....continued......

To continue reading this article at ComputerWorld Click Here