A Finnish university project to test the security of communications protocols has revealed serious vulnerabilities in several implementations of the Lightweight Directory Access Protocol (LDAP) affecting products such as Lotus Development Corp.'s Domino and Microsoft Corp.'s Exchange servers.
The vulnerabilities could result in denial-of-service attacks and unauthorized privileged access, and were discovered in LDAP-enabled products from nine vendors, according to an advisory posted this morning by Carnegie Mellon University's CERT Coordination Center.
Apart from Domino and Exchange server, other LDAP-enabled products found with security problems include Sun Microsystems Inc.'s iPlanet Directory Server, IBM's SecureWay Directory, Qualcomm Corp.'s Eudora Worldmail and Network Associates Inc.'s PGP Keyserver, according to CERT.
Information on patch availability is posted on CERT's Web site, along with advice for users on how to limit the vulnerabilities by blocking access to directory services at the network perimeter.
LDAP is basically a protocol used to access directories containing critical information such as user names and authentication information, addresses, access control lists and cryptographic certificates.
The breaches were discovered after a security test suite, developed by the Oulu University Secure Programming Group (OUSPG) in Finland, was applied to a variety of popular LDAP-enabled products. The testing involved sending sample packets containing unexpected values or illegally formatted data to a variety of LDAP-enabled products.
According to the CERT advisory, the testing revealed that:
-- Sun's iPlanet server contains vulnerabilities that could allow remote attackers to execute arbitrary code.
-- Certain versions of IBM's SecureWay directory are vulnerable to denial-of-service attacks because of problems in LDAP handling code.
-- Vulnerabilities in LDAP handling code on the Domino R5 server and on Oracle Corp.'s 8i Enterprise Edition could allow remote attackers to run arbitrary code.
"The test suite revealed vulnerabilities that were lying dormant" in these products, said Jeffrey Lanza, a CERT member. "What this tells us is that this type of testing should have been applied earlier in the development process."
Without specific details on how the vulnerabilities can be exploited, "The likelihood of an attack coming as a result of this is relatively low," said Russ Cooper, an analyst at Reston, Va.-based security firm TruSecure Corp. The fact that LDAP isn't widely deployed on the Internet is another mitigating fact, he said.
"I think at this point people need to make sure they get themselves patched, but I wouldn't expect a wide range of attacks as a result of the vulnerabilities," Cooper said.
Still, "it is only a matter of time before a hacker tries this," said analyst Daniel Blum at the Burton Group. "Now that it's been published, [users] really need to pay attention to [it]."