Vulnerability CVE-2009-1073

Vulnerability Name:

CVE-2009-1073 (CCN-49394)

Assigned:

2009-03-20

Published:

2009-03-20

Updated:

2009-04-08

Summary:

nss-ldapd before 0.6.8 uses world-readable permissions for the /etc/nss-ldapd.conf file, which allows local users to obtain a cleartext password for the LDAP server by reading the bindpw field.

CVSS v3 Severity:

4.0 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): None Availibility (A): None

CVSS v2 Severity:

4.9 Medium (CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:N/A:N)
3.7 Low (Temporal CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:N/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): Complete Integrity (I): None Availibility (A): None

2.1 Low (CCN CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N)
1.6 Low (CCN Temporal CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

Vulnerability Type:

CWE-264

Vulnerability Consequences:

Obtain Information

References:

Source: CONFIRM
Type: Exploit
http://arthurenhella.demon.nl/viewvc/nss-ldapd/nss-ldapd/debian/libnss-ldapd.postinst?r1=795&r2=813

Source: CONFIRM
Type: UNKNOWN
http://arthurenhella.demon.nl/viewvc/nss-ldapd/nss-ldapd/man/nss-ldapd.conf.5.xml?r1=805&r2=806

Source: CCN
Type: Debian Bug report logs - #520476
libnss-ldapd: /etc/nss-ldapd.conf is created world-readable, exposing bindpw

Source: CONFIRM
Type: Patch
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=520476

Source: CONFIRM
Type: UNKNOWN
http://ch.tudelft.nl/~arthur/nss-ldapd/news.html#20090322

Source: MITRE
Type: CNA
CVE-2009-1073

Source: MISC
Type: UNKNOWN
http://launchpad.net/bugs/cve/2009-1073

Source: SECUNIA
Type: UNKNOWN
34523

Source: DEBIAN
Type: Patch
DSA-1758

Source: DEBIAN
Type: DSA-1758
nss-ldapd -- insecure config file creation

Source: MLIST
Type: UNKNOWN
[oss-security] 20090323 CVE request -- ucd-snmp / net-snmp, libnss-ldapd / nss_ldap

Source: MLIST
Type: UNKNOWN
[oss-security] 20090324 Re: CVE request -- ucd-snmp / net-snmp, libnss-ldapd / nss_ldap

Source: MLIST
Type: UNKNOWN
[oss-security] 20090324 Re: CVE request -- ucd-snmp / net-snmp, libnss-ldapd / nss_ldap

Source: MLIST
Type: UNKNOWN
[oss-security] 20090324 Re: CVE request -- ucd-snmp / net-snmp, libnss-ldapd / nss_ldap

Source: CCN
Type: OSVDB ID: 53198
nss-ldapd /etc/nss-ldapd.conf LDAP Server Local Cleartext Password Disclosure

Source: CCN
Type: PADL Software Pty Ltd Web site
nss_ldab

Source: BID
Type: UNKNOWN
34211

Source: CCN
Type: BID-34211
PADL nss_ldap '/etc/nss_ldapd.conf' Local Information Disclosure Vulnerability

Source: CCN
Type: Red Hat Bugzilla Bug 491623
nss_ldap: LDAP service configuration file shipped with world readable permissions

Source: XF
Type: UNKNOWN
nssldap-credentials-information-disclosure(49394)

Vulnerable Configuration:

Configuration 1:

cpe:/a:debian:nss-ldap:0.1:*:*:*:*:*:*:*

OR cpe:/a:debian:nss-ldap:0.2:*:*:*:*:*:*:*

OR cpe:/a:debian:nss-ldap:0.2.1:*:*:*:*:*:*:*

OR cpe:/a:debian:nss-ldap:0.3:*:*:*:*:*:*:*

OR cpe:/a:debian:nss-ldap:0.4:*:*:*:*:*:*:*

OR cpe:/a:debian:nss-ldap:0.4.1:*:*:*:*:*:*:*

OR cpe:/a:debian:nss-ldap:0.5:*:*:*:*:*:*:*

OR cpe:/a:debian:nss-ldap:0.6:*:*:*:*:*:*:*

OR cpe:/a:debian:nss-ldap:0.6.1:*:*:*:*:*:*:*

OR cpe:/a:debian:nss-ldap:0.6.2:*:*:*:*:*:*:*

OR cpe:/a:debian:nss-ldap:0.6.3:*:*:*:*:*:*:*

OR cpe:/a:debian:nss-ldap:0.6.4:*:*:*:*:*:*:*

OR cpe:/a:debian:nss-ldap:0.6.5:*:*:*:*:*:*:*

OR cpe:/a:debian:nss-ldap:0.6.6:*:*:*:*:*:*:*

OR cpe:/a:debian:nss-ldap:*:*:*:*:*:*:*:* (Version <= 0.6.7)

Configuration CCN 1:

cpe:/a:debian:nss-ldap:0.6.7:*:*:*:*:*:*:*