> From: J. Tozo
> Sent: Thursday, January 22, 2015 1:06 PM
>
> It can be considered a minor weakness because it makes it easier to
> successfully

You know what you don't do for a "minor weakness"? Publish a CVE with a title including "allows remote attackers to bypass LDAP authentication via crafted wildcards". Because you know what it means to "bypass authentication"? It means you don't have to authenticate, and can gain access to resources without knowing a valid username/password. Which made it seem pretty silly to get to the middle of your posting and see "A valid username and password required". Really? If I know a username and password, I can "bypass" authentication for *that* user? Wow, that's serious 8-/. Not.

> perpetrate a bruteforce attack. Using common passwords and guessing the
> username using the wildcards.

Then perhaps you should've titled your CVE "allows remote attackers to more easily bruteforce access with limited knowledge of usernames"? Of course, the limitation that the wildcard must match one and exactly one user kind of limits even that vulnerability.

> A valid username and a password are required for you to simulate whether
> or not your system has this vulnerability.

Actually, all that is required to determine whether or not your implementation has this vulnerability is to look at your configuration and see if you're using the FastBindLdapAuthenticationHandler or the BindLdapAuthenticationHandler. If it's the former, you are simply not vulnerable. Period. And even if the latter, there is no "authentication bypass" occurring.

> Whether or not you need to upgrade your server is up to you to decide!

That's true. And you know what I would appreciate to help me decide? Accurate vulnerability assessment and reporting. Perhaps some advance notice that a security update is coming out. As opposed to an email delivered in the middle of the night (at least in my time zone), which says there is a "security fix" for CVE-2015-1169 and "You must upgrade if you use LDAP authentication."

And an artificially inflaming title for said CVE declaring there is a "remote attacker authentication bypass" vulnerability. I had better things to do this morning than spend two hours in a panic worried my authentication systems were susceptible to a serious security vulnerability. When in actuality, other than your theoretical "bruteforce more easily" issue, even if your system is "vulnerable" to this, there is no known practical security implication thereof. And anybody using the fast bind implementation is simply not vulnerable.

--
Paul B. Henson | (909) 979-6361 | http://www.cpp.edu/~henson/
Operating Systems and Network Analyst | [email protected]
California State Polytechnic University | Pomona CA 91768
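An added illustration of the search-then-bind weakness the thread argues about, written for this page and not taken from CAS or from either poster: a hypothetical lookup handler that builds an LDAP filter from the submitted username, with and without RFC 4515 escaping, against a constructed in-memory directory. The `uid` attribute, the entries and the toy filter matcher are assumptions; escaping `*` stops the name from acting as a wildcard, and requiring exactly one hit is the second safeguard the thread mentions.

```python
import re
from typing import Optional

# RFC 4515 escaping for values placed inside an LDAP search filter.
# Escaping '*' is what stops a submitted username from acting as a wildcard.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def build_user_filter(username: str, escape: bool = True) -> str:
    # Hypothetical search-then-bind lookup (not CAS code): find the entry whose
    # uid matches the submitted name, then bind as that DN. escape=False models
    # the weak variant where the raw username goes straight into the filter.
    value = escape_filter_value(username) if escape else username
    return f"(uid={value})"

# Constructed directory for offline use: uid -> DN (hypothetical entries).
FAKE_DIRECTORY = {
    "alice": "uid=alice,ou=people,dc=example,dc=org",
    "admin": "uid=admin,ou=people,dc=example,dc=org",
    "bob": "uid=bob,ou=people,dc=example,dc=org",
}

def _filter_to_regex(filter_str: str) -> "re.Pattern[str]":
    # Minimal stand-in for a server matching a (uid=...) filter:
    # a bare '*' is a wildcard, '\XX' is a literal character.
    m = re.fullmatch(r"\(uid=(.*)\)", filter_str)
    if m is None:
        raise ValueError("unsupported filter")
    parts = []
    for piece in m.group(1).split("*"):
        literal = re.sub(r"\\([0-9a-fA-F]{2})", lambda h: chr(int(h.group(1), 16)), piece)
        parts.append(re.escape(literal))
    return re.compile(".*".join(parts))

def ldap_search(filter_str: str) -> list:
    pattern = _filter_to_regex(filter_str)
    return [dn for uid, dn in FAKE_DIRECTORY.items() if pattern.fullmatch(uid)]

def resolve_user_dn(username: str, escape: bool = True) -> Optional[str]:
    # DN to bind as, or None. A filter that matches several entries is
    # rejected outright rather than picking one of them.
    hits = ldap_search(build_user_filter(username, escape))
    return hits[0] if len(hits) == 1 else None

if __name__ == "__main__":
    print(resolve_user_dn("adm*", escape=False))  # weak variant resolves admin's DN
    print(resolve_user_dn("adm*"))                # escaped: None, no wildcard match
```

With escaping in place the only way to resolve a DN is to submit the exact uid, which is the behaviour the password check then has to protect.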
