IBM said it is working on developing and distributing fixes to a vulnerability detected in IBM Tivoli Directory Server 6.x that could leave the software exposed to denial-of-service attacks.
According to IBM, Tivoli Directory Server 6.x provides an LDAP identity infrastructure that can serve as the foundation for deploying identity management applications and Web services. The flaw, detected earlier this week, was rated "less critical" by Secunia Research, which reported it in a security advisory. The vulnerability was discovered in Version 6 of the software, and the Secunia Web site indicates other versions could also be affected.
According to the Secunia security advisory, the vulnerability is caused due to an error within the LDAP server when handling certain requests, and "this can be exploited to crash the server via specially-crafted request sent to port 389/tcp." In other words, someone on the local network could use the error to crash the server, but security experts say the threat is minimal given the nature of the flaw.
"This flaw is not as critical as some because it can only be exploited on the local network and even if it is compromised, the error would only be able to crash the server, not expose the data or put information at risk," says Steve Manzuik, security product manager with eEye Research. "Basically, someone on the local network could crash the machine running the software. It doesn't allow for any kind of actual access to the machine or to the data."
Until IBM readies patches, the Secunia Web site suggests that Tivoli Directory Server administrators restrict access to the LDAP service, both in the software and on the server. Because the flaw can only be exploited from the local network, Manzuik says the threat is even less critical, but it still should be addressed.
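The interim mitigation above amounts to an allowlist on the LDAP port. The following is an added example, not code from IBM, Secunia or the original article: it scans constructed firewall-log lines (a hypothetical syslog-style format) for TCP connections to port 389 from hosts outside an assumed management subnet, and renders the matching iptables allowlist so the two can be kept in step.

```python
import ipaddress
import re

LDAP_PORT = 389  # plain LDAP, the port named in the advisory

# Constructed sample log lines in a hypothetical firewall-log format; not real traffic.
SAMPLE_LOG = """\
Feb 01 10:02:11 fw kernel: ACCEPT SRC=10.20.1.15 DST=10.20.0.5 PROTO=TCP DPT=389
Feb 01 10:02:12 fw kernel: ACCEPT SRC=10.20.7.88 DST=10.20.0.5 PROTO=TCP DPT=389
Feb 01 10:02:13 fw kernel: ACCEPT SRC=10.20.1.16 DST=10.20.0.5 PROTO=TCP DPT=636
Feb 01 10:02:14 fw kernel: ACCEPT SRC=192.168.4.2 DST=10.20.0.5 PROTO=TCP DPT=389
"""

# Assumed management subnet that is allowed to talk to the directory server.
ALLOWED_CIDRS = ["10.20.1.0/24"]

LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)"
)


def ldap_sources_outside_allowlist(log_text, allowed_cidrs, port=LDAP_PORT):
    """Return source IPs that reached the LDAP port from outside the allowed networks.

    Anything reported here is traffic the interim access restriction should have blocked.
    """
    allowed = [ipaddress.ip_network(cidr) for cidr in allowed_cidrs]
    offenders = []
    for line in log_text.splitlines():
        match = LINE_RE.search(line)
        if not match or match.group("proto") != "TCP":
            continue
        if int(match.group("dpt")) != port:
            continue  # other services are out of scope for this check
        src = ipaddress.ip_address(match.group("src"))
        if not any(src in net for net in allowed):
            offenders.append(str(src))
    return offenders


def iptables_allowlist_rules(allowed_cidrs, port=LDAP_PORT):
    """Render iptables rules enforcing the same allowlist: accept listed nets, drop the rest."""
    rules = [f"iptables -A INPUT -p tcp --dport {port} -s {cidr} -j ACCEPT"
             for cidr in allowed_cidrs]
    rules.append(f"iptables -A INPUT -p tcp --dport {port} -j DROP")
    return rules


if __name__ == "__main__":
    print("outside allowlist:", ldap_sources_outside_allowlist(SAMPLE_LOG, ALLOWED_CIDRS))
    print("\n".join(iptables_allowlist_rules(ALLOWED_CIDRS)))
```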
"It's definitely something you should patch, but not something to patch out of your normal patch process," he explains. "IBM is fairly responsive to flaws. Patching this for customers just depends on how quickly IBM can get the patch out."
Big Blue, which last year addressed a similar flaw with the directory software, reported it is working to develop and deliver fixes to the problem across the platforms it affects throughout February.
A company spokeswoman says that while IBM is still working to identify all affected customers, the flaw does not impact AIX platforms. And although the spokeswoman says the directory server software isn't one of IBM's more popular products, the company is expected next week to release more information on the specific fixes for the various platforms and to address the issue in letters to customers.