Original release date: July 16, 2001<BR> 
Last revised: December 10, 2001<BR>
Source: CERT/CC<BR>

<P>A complete revision history can be found at the end of this file.

<A NAME="affected">
<H3>Systems Affected</H3>

<UL>
<LI>iPlanet Directory Server, version 5.0 Beta and versions up to and
including 4.13</LI>

<LI>IBM SecureWay V3.2.1 running under Solaris and Windows 2000</LI>

<LI>Lotus Domino R5 Servers (Enterprise, Application, and Mail), prior to
5.0.7a</LI>

<LI>Critical Path LiveContent Directory, version 8A.3</LI>

<LI>Critical Path InJoin Directory Server, versions 3.0, 3.1, and 4.0</LI>

<LI>Teamware Office for Windows NT and Solaris, prior to version
5.3ed1</LI>

<LI>Qualcomm Eudora WorldMail for Windows NT, version 2</LI>

<LI>Microsoft Exchange 5.5 prior to Q303448 and Exchange 2000 prior to
Q303450</LI>

<LI>Network Associates PGP Keyserver 7.0, prior to Hotfix 2</LI>

<LI>Oracle Internet Directory, versions 2.1.1.x and 3.0.1</LI>

<LI>OpenLDAP, 1.x prior to 1.2.12 and 2.x prior to 2.0.8</LI>

</UL>

<A NAME="overview">
<H2>Overview</H2>

<P>Several implementations of the Lightweight Directory Access Protocol
(LDAP) contain vulnerabilities that may allow denial-of-service
attacks, unauthorized privileged access, or both.  If your site uses any
of the products listed in this advisory, the CERT/CC encourages you to
follow the advice provided in the <A HREF="#solution">Solution</A> section
below.

<A NAME="description">
<H2>I. Description</H2>

<A NAME="ldap">
<P>The LDAP protocol provides access to directories that support the <A
HREF="http://www.ietf.org/rfc/rfc2116.txt">X.500</A> directory semantics
without requiring the additional resources of X.500.  A directory is a
collection of information such as names, addresses, access control lists,
and cryptographic certificates.  Because LDAP servers are widely used in
maintaining corporate contact information and providing authentication
services, any threats to their integrity or stability can jeopardize the
security of an organization.

<P>To test the security of protocols like LDAP, the <A
HREF="http://www.ee.oulu.fi/research/ouspg/protos/">PROTOS</A> project
presents a server with a wide variety of sample packets containing
unexpected values or illegally formatted data.  This approach may reveal
vulnerabilities that would not manifest themselves under normal
conditions.  As a member of the PROTOS project consortium, the Oulu
University Secure Programming Group (OUSPG) co-developed and subsequently
used the <A
HREF="http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/ldapv3/">
PROTOS LDAPv3 test suite</A> to study several implementations of the LDAP
protocol.

<A NAME="suite">
<P>The PROTOS LDAPv3 test suite is divided into two main sections: the
"Encoding" section, which tests an LDAP server's response to packets that
violate the <A HREF="#asn1-ber">Basic Encoding Rules</A> (BER), and the
"Application" section, which tests an LDAP server's response to packets
that trigger LDAP-specific application anomalies.  Each section is further
divided into "groups" that collectively exercise a particular encoding or
application feature.  Finally, each group contains one or more "test
cases," which represent the network packets that are used to test
individual exceptional conditions.

<P>By applying the PROTOS LDAPv3 test suite to a variety of popular
LDAP-enabled products, the OUSPG revealed the following vulnerabilities:

<B>
<P><A HREF="http://www.kb.cert.org/vuls/id/276944">VU#276944</A> - iPlanet
Directory Server contains multiple vulnerabilities in LDAP handling code
</B>

<P>The iPlanet Directory Server contains multiple vulnerabilities in the
code that processes LDAP requests.

<P>In the encoding section of the test suite, this product had an
indeterminate number of failures in the group that tests invalid BER
length of length fields.

<P>In the application section of the test suite, this product failed four
groups and had inconclusive results for an additional five groups.  The
four failed groups indicate the presence of buffer overflow
vulnerabilities.  For the inconclusive groups, the product exhibited
suspicious behavior while testing for format string vulnerabilities.

<B>
<P><A HREF="http://www.kb.cert.org/vuls/id/505564">VU#505564</A> - IBM
SecureWay Directory is vulnerable to denial-of-service attacks via LDAP
handling code
</B>

<P>The IBM SecureWay Directory server contains one or more buffer overflow
vulnerabilities in the code that processes LDAP requests.  These
vulnerabilities were discovered independently by IBM using the PROTOS
LDAPv3 test suite.

<B>
<P><A HREF="http://www.kb.cert.org/vuls/id/583184">VU#583184</A> - Lotus
Domino R5 Server Family contains multiple vulnerabilities in LDAP handling
code
</B>

<P>The Lotus Domino R5 Server Family (including the Enterprise,
Application, and Mail servers) contains multiple vulnerabilities in the
code that processes LDAP requests.

<P>In the encoding section of the test suite, this product failed 1 of 77
groups.  The failed group tests a server's response to miscellaneous
packets with semi-valid BER encodings.

<P>In the application section of the test suite, this product failed 23 of
77 groups.  These results suggest that both buffer overflow and format
string vulnerabilities are likely to be present in a variety of
application components.

<B>
<P><A HREF="http://www.kb.cert.org/vuls/id/657547">VU#657547</A> -
Critical Path directory products contain multiple vulnerabilities in LDAP
handling code
</B>

<P>The InJoin Directory Server and LiveContent Directory both contain
multiple vulnerabilities in the code that processes LDAP requests.  These
vulnerabilities were discovered independently by Critical Path using the
PROTOS LDAPv3 test suite.  

<P>The tests conducted by Critical Path demonstrated failures in both the
encoding and application sections of the test suite.

<B>
<P><A HREF="http://www.kb.cert.org/vuls/id/688960">VU#688960</A> -
Teamware Office contains multiple vulnerabilities in LDAP handling code
</B>

<P>The Teamware Office suite is packaged with a combination X.500/LDAP
server that provides directory services.  Multiple versions of the Office
product contain vulnerabilities that cause the LDAP server to crash in
response to traffic sent by the PROTOS LDAPv3 test suite.

<P>In the encoding section of the test suite, this product failed 9 of 16
groups involving invalid encodings for several BER object types.

<P>In the application section of the test suite, this product failed 4 of
32 groups.  The remaining 45 groups were not exercised during the test
runs.  The four failed groups indicate the presence of buffer overflow
vulnerabilities.

<B>
<P><A HREF="http://www.kb.cert.org/vuls/id/717380">VU#717380</A> -
Potential vulnerabilities in Qualcomm Eudora WorldMail Server LDAP
handling code
</B>

<P>While investigating the vulnerabilities reported by OUSPG, it was
brought to our attention that the Eudora WorldMail Server may contain
vulnerabilities that can be triggered via the PROTOS test suite.  The
CERT/CC has reported this possibility to Qualcomm and an investigation is
pending.

<B>
<P><A HREF="http://www.kb.cert.org/vuls/id/763400">VU#763400</A> -
Microsoft Exchange LDAP Service is vulnerable to denial-of-service attacks
</B>

<P>The LDAP Service components of Microsoft Exchange 5.5 and Exchange 2000
contain vulnerabilities that cause affected LDAP servers to freeze in
response to malformed LDAP requests generated by the PROTOS test
suite. This only affects the LDAP service; all other Exchange services,
including mail handling, continue normally.

<P>Although these products were not included in OUSPG's initial testing,
subsequent informal testing revealed that the LDAP service of Microsoft
Exchange became unresponsive while processing test cases containing
exceptional BER encodings for the LDAP filter type field.

<B>
<P><A HREF="http://www.kb.cert.org/vuls/id/765256">VU#765256</A> - Network
Associates PGP Keyserver contains multiple vulnerabilities in LDAP
handling code
</B>

<P>The Network Associates PGP Keyserver 7.0 contains multiple
vulnerabilities in the code that processes LDAP requests.

<P>In the encoding section of the test suite, this product failed 12 of 16
groups.

<P>In the application section of the test suite, this product failed 1 of
77 groups.  The failed group focused on out-of-bounds integer values for
the messageID parameter.  Due to a peculiarity of this test group, this
failure may actually represent an encoding failure.

<B>
<P><A HREF="http://www.kb.cert.org/vuls/id/869184">VU#869184</A> - Oracle
Internet Directory contains multiple vulnerabilities in LDAP handling code
</B>

<P>The Oracle Internet Directory server contains multiple vulnerabilities
in the code used to process LDAP requests.

<P>In the encoding section of the test suite, this product failed an
indeterminate number of test cases in the group that tests a server's
response to invalid encodings of BER OBJECT-IDENTIFIER values.

<P>In the application section of the test suite, this product failed 46 of
77 groups.  These results suggest that both buffer overflow and format
string vulnerabilities are likely to be present in a variety of
application components.

<B>
<P><A HREF="http://www.kb.cert.org/vuls/id/935800">VU#935800</A> -
Multiple versions of OpenLDAP are vulnerable to denial-of-service attacks
</B>

<P>There are multiple vulnerabilities in the OpenLDAP implementations of
the LDAP protocol.  These vulnerabilities exist in the code that
translates network datagrams into application-specific information.

<P>In the encoding section of the test suite, this product failed the
group that tests the handling of invalid BER length of length fields.

<P>In the application section of the test suite, this product passed all
6685 test cases.

<A NAME="info">
<H3>Additional Information</H3>

<A NAME="latest">
<H4>Latest Information</H4>

<P>For the latest information regarding these vulnerabilities, please
visit the CERT/CC Vulnerability Notes Database at:

<DL><DD><A
HREF="http://www.kb.cert.org/vuls/">http://www.kb.cert.org/vuls/</A>
</DD></DL>

<P>Please note that the test results summarized above should not be
interpreted as a statement of overall software quality.  However, the
CERT/CC does believe that these results are useful in describing the
characteristics of these vulnerabilities.  For example, an application
that fails multiple groups indicates that problems exist in different
areas of the code, rather than in a specific code segment.

<A NAME="others">
<A NAME="novell">
<H4>Other Tested Configurations</H4>

<P>Since the initial release of this document, the CERT/CC has learned
that the following products were tested with the PROTOS LDAPv3 test suite
and did not exhibit any failures or suspicious behavior:

<UL>
<LI>Novell NDS eDirectory 8.5 under Windows NT 4.0</LI> 
<LI>Microsoft Active Directory for Windows 2000</LI>
</UL>

<P>Please note that each of these products was tested under only one of
several combinations of operating system and processor architecture.

<A NAME="impact">
<H2>II. Impact</H2>

<B>
<P><A HREF="http://www.kb.cert.org/vuls/id/276944">VU#276944</A> - iPlanet
Directory Server contains multiple vulnerabilities in LDAP handling code
</B>

<P>One or more of these vulnerabilities allow a remote attacker to execute
arbitrary code with the privileges of the Directory Server.  The server
typically runs with system privileges.  At least one of these
vulnerabilities has been successfully exploited in a laboratory
environment under Windows NT 4.0, but they may affect other platforms as
well.

<B>
<P><A HREF="http://www.kb.cert.org/vuls/id/505564">VU#505564</A> - IBM
SecureWay Directory is vulnerable to denial-of-service attacks via LDAP
handling code
</B>

<P>These vulnerabilities allow a remote attacker to crash affected
SecureWay Directory servers, resulting in a denial-of-service condition.
It is not known at this time whether these vulnerabilities will allow a
remote attacker to execute arbitrary code.  These vulnerabilities exist on
the Solaris and Windows 2000 platforms but are not present under Windows
NT, AIX, and AIX with SSL.

<B>
<P><A HREF="http://www.kb.cert.org/vuls/id/583184">VU#583184</A> - Lotus
Domino R5 Server Family contains multiple vulnerabilities in LDAP handling
code
</B>

<P>One or more of these vulnerabilities allow a remote attacker to execute
arbitrary code with the privileges of the Domino server.  The server
typically runs with system privileges.  At least one of these
vulnerabilities has been successfully exploited in a laboratory
environment.

<B>
<P><A HREF="http://www.kb.cert.org/vuls/id/657547">VU#657547</A> -
Critical Path directory products contain multiple vulnerabilities in LDAP
handling code
</B>

<P>These vulnerabilities allow a remote attacker to crash affected
Critical Path directory servers, resulting in a denial-of-service
condition.  They may also allow a remote attacker to execute arbitrary
code with the privileges of the directory server.  The server typically
runs with system privileges.

<B>
<P><A HREF="http://www.kb.cert.org/vuls/id/688960">VU#688960</A> -
Teamware Office contains multiple vulnerabilities in LDAP handling code
</B>

<P>These vulnerabilities allow a remote attacker to crash affected
Teamware LDAP servers, resulting in a denial-of-service condition.  They
may also allow a remote attacker to execute arbitrary code with the
privileges of the Teamware server.  The server typically runs with system
privileges.

<B>
<P><A HREF="http://www.kb.cert.org/vuls/id/717380">VU#717380</A> -
Potential vulnerabilities in Qualcomm Eudora WorldMail Server LDAP handling
code
</B>

<P>The CERT/CC has not yet determined the impact of this vulnerability.

<B>
<P><A HREF="http://www.kb.cert.org/vuls/id/763400">VU#763400</A> -
Microsoft Exchange LDAP Service is vulnerable to denial-of-service attacks
</B>

<P>These vulnerabilities allow a remote attacker to crash the LDAP
component of vulnerable Exchange 5.5 and Exchange 2000 servers, resulting
in a denial-of-service condition within the LDAP component.

<B>
<P><A HREF="http://www.kb.cert.org/vuls/id/765256">VU#765256</A> - Network
Associates PGP Keyserver contains multiple vulnerabilities in LDAP
handling code
</B>

<P>One or more of these vulnerabilities allow a remote attacker to execute
arbitrary code with the privileges of the Keyserver.  The server typically
runs with system privileges.  At least one of these vulnerabilities has
been successfully exploited in a laboratory environment.

<B>
<P><A HREF="http://www.kb.cert.org/vuls/id/869184">VU#869184</A> - Oracle
Internet Directory contains multiple vulnerabilities in LDAP handling code
</B>

<P>One or more of these vulnerabilities allow a remote attacker to execute
arbitrary code with the privileges of the Oracle server.  The server
typically runs with system privileges.  At least one of these
vulnerabilities has been successfully exploited in a laboratory
environment.

<B>
<P><A HREF="http://www.kb.cert.org/vuls/id/935800">VU#935800</A> -
Multiple versions of OpenLDAP are vulnerable to denial-of-service attacks
</B>

<P>These vulnerabilities allow a remote attacker to crash affected
OpenLDAP servers, resulting in a denial-of-service condition.

<P>To address these vulnerabilities, the OpenLDAP Project has released
OpenLDAP 1.2.12 for use in LDAPv2 environments and OpenLDAP 2.0.8 for use
in LDAPv3 environments.  The CERT/CC recommends that users of OpenLDAP
contact their software vendor or obtain the latest version, available at
<A
HREF="http://www.openLDAP.org/software/download/">http://www.openLDAP.org/software/download/</A>.

<A NAME="solution">
<H2>III. Solution</H2>

<H4>Apply a patch from your vendor</H4>

<P><A HREF="#vendors">Appendix A</A> contains information provided by
vendors for this advisory.  Please consult this appendix to determine if
you need to contact your vendor directly.

<H4>Block access to directory services at network perimeter</H4>

<P>As a temporary measure, it is possible to limit the scope of these
vulnerabilities by blocking access to directory services at the network
perimeter.  Please note that this workaround does not protect vulnerable
products from internal attacks.

<PRE>
ldap    389/tcp     # Lightweight Directory Access Protocol 
ldap    389/udp     # Lightweight Directory Access Protocol 
ldaps   636/tcp     # ldap protocol over TLS/SSL (was sldap) 
ldaps   636/udp     # ldap protocol over TLS/SSL (was sldap)
</PRE>

<A NAME="vendors">
<H2>Appendix A. - Vendor Information</H2>

<P>This appendix contains information provided by vendors for this
advisory.  As vendors report new information to the CERT/CC, we will
update this section and note the changes in our revision history.  If a
particular vendor is not listed below, we have not received their
comments.</P>

<A NAME="cp">
<H4>Critical Path</H4>

<P>Critical Path is committed to ensuring that all supported versions of
the Directory Server are free of vulnerabilities of the type identified in
the above referenced vulnerability note. The outcome of this will be at a
minimum, a patch or upgrade to remove the vulnerability from each of the
supported versions.

<P>Please visit Critical Path InJoin Directory Server support pages at (<A
HREF="http://support.cp.net/CP_Buffer_Overflow_Vulnerability.doc">http://support.cp.net/CP_Buffer_Overflow_Vulnerability.doc</A>)
for details on workarounds and patch availability information for the
potential vulnerabilities discovered in the InJoin Directory Server.

<A NAME="ibm">
<H4>IBM Corporation</H4>

<P>IBM and Tivoli are currently investigating the details of the
vulnerabilities in the various versions of the SecureWay product family.

<P>Fixes are being implemented as these details become known.

<P>Fixes will be posted to the download sites (IBM or Tivoli) for the
affected platform. See <A
HREF="http://www-1.ibm.com/support">http://www-1.ibm.com/support</A> under
"Server Downloads" or "Software Downloads" for links to the fix
distribution sites.

<PRE>
Platform         Failed Test Cases(index#/category)       Failure Symptoms

Solaris          #136/E0 encoding exception-invalid       Server crash
                 encodings for L field of BER
                 encoding.

Solaris          #6119/O7 application exception           Server crash
                 -large number of continuous
                 attributes offered to attribute
                 field.

Windows 2000     #452/E0 encoding exception               Server crash
                 -invalid encodings for L
                 field of BER encoding.

Windows 2000     #5554/O4 application exception-          Server crash
                 large number of continuous
                 initial substring offered to
                 substring filter.
</PRE>


<!-- end vendor -->

<A NAME="iplanet">
<H4>iPlanet E-Commerce Solutions</H4>

<P>iPlanet is aware of the weakness identified in the CERT Alert
CA-2001-18, regarding implementations of LDAP. The notice describes how
different vendors handle conditions outside of the normal operating
environment.

<P>It is important to note that the notice does not present a technique to
defeat information security, gain unauthorized access or affect data
integrity. At this time, iPlanet is not aware of ANY successful breach of
security using the information in the CERT Advisory.

<P>The iPlanet Directory Server 5.0 released in May 2001 is not
affected. iPlanet Directory Server 4.1.4 and earlier versions are known to
be affected. However, iPlanet has developed a fix included in iPlanet
Directory Server 4.1.5 and is scheduled to ship within two weeks (on
August 3, 2001). Alternatively, customers may choose to upgrade to iPlanet
Directory Server 5.0.

<P>iPlanet customers with questions on this advisory are requested to
contact iPlanet Technical Support who will provide full support and
up-to-date information.

<!-- end vendor -->

<A NAME="lotus">
<H4>Lotus Development Corporation</H4>

<P>Lotus reproduced the problem as reported by OUSPG and documented it in
<A
HREF="http://www.notes.net/r5fixlist.nsf/Search!SearchView&amp;Query=DWUU4W6NC8">SPR#DWUU4W6NC8</A>.

<P>Lotus responded quickly to resolve the problem in a maintenance update
to Domino.  It was addressed in Domino R5.0.7a, which was released on May
18th, 2001. This release can be downloaded from Notes.net at

<DL><DD><A
HREF="http://www.notes.net/qmrdown.nsf/qmrwelcome">http://www.notes.net/qmrdown.nsf/qmrwelcome</A>.
</DD></DL>

<P>The fix is documented in the fix list at

<DL><DD><A
HREF="http://www.notes.net/r5fixlist.nsf/Search!SearchView&amp;Query=DWUU4W6NC8">http://www.notes.net/r5fixlist.nsf/Search!SearchView&amp;Query=DWUU4W6NC8</A>
</DD></DL>

<!-- end vendor -->

<A NAME="microsoft">
<H4>Microsoft Corporation</H4>

<P>Microsoft is developing a hotfix for this issue which will be available
shortly.

<P>Customers can obtain this hotfix by contacting Product Support Services
at no charge and asking for Q303448 and Q303450.  Information on
contacting Microsoft Product Support Services can be found at

<DL><DD><A
HREF="http://www.microsoft.com/support/">http://www.microsoft.com/support/</A></DD></DL>

<A NAME="nai">
<H4>Network Associates, Inc.</H4>

<P>Network Associates has resolved these vulnerabilities in Hotfix 2 for
both Solaris and Windows NT.  All Network Associates Enterprise Support
customers have been notified and have been provided access to the Hotfix.

<P>This Hotfix can be downloaded at

<DL><DD><A
HREF="http://www.pgp.com/downloads/default.asp">http://www.pgp.com/downloads/default.asp</A></DD></DL>

<!-- end vendor -->

<A NAME="oracle">
<H4>Oracle Corporation</H4>

<P>Oracle has prepared a Solaris-based patch set for Oracle Internet
Directory versions 2.1.1.x and 3.0.1.  These patches were made available
on July 17, 2001 to Oracle Internet Directory customers via the Oracle
MetaLink (<A
HREF="http://metalink.oracle.com/">http://metalink.oracle.com/</A>)
system.

<P>Please visit Oracle Technology Network at <A
HREF="http://otn.oracle.com/deploy/security/alerts.htm">http://otn.oracle.com/deploy/security/alerts.htm</A>
for details on workarounds and patch availability information for the
potential buffer overflow vulnerabilities discovered in Oracle Internet
Directory.

<!-- end vendor -->

<A NAME="qualcomm">
<H4>QUALCOMM Incorporated</H4>

<P>The LDAP service in WorldMail may be vulnerable to this exploit, but
our tests so far have been inconclusive.  At this time, we strongly urge
all WorldMail customers to ensure that the LDAP service is not accessible
from outside their organization nor by untrusted users.

<!-- end vendor -->

<A NAME="sgi">
<H4>SGI</H4>

<P>SGI has released the following Security Advisory regarding <A
HREF="http://www.kb.cert.org/vuls/id/276944">VU#276944</A>:

<DL><DD><A
HREF="ftp://patches.sgi.com/support/free/security/advisories/20011102-01-I">ftp://patches.sgi.com/support/free/security/advisories/20011102-01-I</A>
</DD></DL>

<!-- end vendor -->

<A NAME="teamware">
<H4>The Teamware Group</H4>

<P>An issue has been discovered with Teamware Office Enterprise Directory
(LDAP server) that shows an abnormal termination or loop when the LDAP
server encounters maliciously or incorrectly created LDAP request data.

<P>If the maliciously formatted LDAP request data is requested, the LDAP
server may excessively copy the LDAP request data to the stack area.

<P>This overflow is likely to cause execution of malicious code.  In other
cases, the LDAP server may go into abnormal termination or infinite loop.

<!-- end vendor -->

<A NAME="info">
<H2>Appendix B. - Supplemental Information</H2>

<A NAME="protos">
<H3>The PROTOS Project</H3>

<P>The PROTOS project is a research partnership between the <A
HREF="http://www.oulu.fi/Welcome.html">University of Oulu</A> and <A
HREF="http://www.vtt.fi/ele/indexe.htm">VTT Electronics</A>, an
independent research organization owned by the Finnish government.  The
project studies methods by which protocol implementations can be tested
for information security defects.

<P>Although the vulnerabilities discussed in this advisory relate
specifically to the LDAP protocol, the methodology used to research,
develop, and deploy the PROTOS LDAPv3 test suite can be applied to any
communications protocol.

<P>For more information on the PROTOS project and its collection of test
suites, please visit

<DL><DD> <A
HREF="http://www.ee.oulu.fi/research/ouspg/protos/">http://www.ee.oulu.fi/research/ouspg/protos/</A>
</DD></DL>

<A NAME="asn1-ber">
<H3>ASN.1 and the BER</H3>

<P>Abstract Syntax Notation One (ASN.1) is a flexible notation that allows
one to define a variety of data types.  The Basic Encoding Rules (BER)
describe how to represent or encode the values of each ASN.1 type as a
string of octets. This allows programmers to encode and decode data for
platform-independent transmission over a network.
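
<P>The following C example is added here for illustration and is not code
from the CERT/CC, OUSPG, or any vendor named in this advisory.  It shows a
decoder checking the BER length field, including the long form's "length of
length" octet, against the octets actually received and against the
enclosing element before the length is used.  The function names, the
4-octet cap, the depth limit, and the sample BindRequest bytes are
assumptions of the example.

```c
#include <stddef.h>
#include <stdint.h>

/* All names here belong to this example, not to any product in the advisory. */
enum ber_status {
    BER_OK = 0,
    BER_TRUNCATED,     /* buffer ends inside the tag/length header      */
    BER_BAD_TAG,       /* high-tag-number form, rejected by this example */
    BER_INDEFINITE,    /* 0x80: indefinite length, excluded by RFC 2251 */
    BER_RESERVED,      /* 0xFF: reserved first length octet             */
    BER_LEN_TOO_WIDE,  /* more significant length octets than the cap   */
    BER_LEN_OVERRUN,   /* declared length exceeds the enclosing buffer  */
    BER_TOO_DEEP       /* nesting deeper than the caller allows         */
};

#define BER_MAX_LEN_OCTETS 4   /* policy cap assumed for this example */

struct ber_header {
    uint8_t tag;          /* identifier octet                */
    size_t  header_len;   /* octets used by tag + length     */
    size_t  content_len;  /* declared length of the contents */
};

/* Parse one tag/length header; every read is checked against buf_len. */
enum ber_status ber_read_header(const uint8_t *buf, size_t buf_len,
                                struct ber_header *out)
{
    size_t pos = 0, len = 0;

    if (buf_len < 2) return BER_TRUNCATED;
    out->tag = buf[pos++];
    if ((out->tag & 0x1F) == 0x1F) return BER_BAD_TAG;

    uint8_t first = buf[pos++];
    if (first < 0x80) {
        len = first;                              /* short form: 0..127 */
    } else if (first == 0x80) {
        return BER_INDEFINITE;
    } else if (first == 0xFF) {
        return BER_RESERVED;
    } else {
        size_t n = first & 0x7F;                  /* the "length of length" */
        if (n > buf_len - pos) return BER_TRUNCATED;   /* octets must exist */
        while (n > 0 && buf[pos] == 0) { pos++; n--; } /* legal zero padding */
        if (n > BER_MAX_LEN_OCTETS) return BER_LEN_TOO_WIDE;
        while (n-- > 0) len = (len << 8) | buf[pos++];
    }
    if (len > buf_len - pos) return BER_LEN_OVERRUN;  /* never trust the wire */
    out->header_len = pos;
    out->content_len = len;
    return BER_OK;
}

/* Validate every element in buf, bounding children by their parent's length. */
enum ber_status ber_validate(const uint8_t *buf, size_t buf_len, unsigned depth)
{
    size_t pos = 0;

    while (pos < buf_len) {
        struct ber_header h;
        enum ber_status st = ber_read_header(buf + pos, buf_len - pos, &h);
        if (st != BER_OK) return st;
        if (h.tag & 0x20) {                       /* constructed: walk contents */
            if (depth == 0) return BER_TOO_DEEP;
            st = ber_validate(buf + pos + h.header_len, h.content_len, depth - 1);
            if (st != BER_OK) return st;
        }
        pos += h.header_len + h.content_len;
    }
    return BER_OK;
}

/* Constructed sample: LDAPMessage { messageID 1, BindRequest v3, anonymous }. */
static const uint8_t sample_bind[] = {
    0x30, 0x0c, 0x02, 0x01, 0x01, 0x60, 0x07,
    0x02, 0x01, 0x03, 0x04, 0x00, 0x80, 0x00
};

int main(void)
{
    return ber_validate(sample_bind, sizeof sample_bind, 8) == BER_OK ? 0 : 1;
}
```

<P>Running <CODE>ber_validate</CODE> over a complete message before any
field is copied means a child element can never claim more octets than its
parent supplied.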

<A NAME="references">
<H3>References</H3>

<P>The following is a list of URLs referenced in this advisory as well as
other useful sources of information:

<DL>
<DD><A
HREF="http://www.cert.org/advisories/CA-2001-18.html">http://www.cert.org/advisories/CA-2001-18.html</A></DD>
<DD><A
HREF="http://www.ietf.org/rfc/rfc2116.txt">http://www.ietf.org/rfc/rfc2116.txt</A></DD>
<DD><A
HREF="http://www.ietf.org/rfc/rfc2251.txt">http://www.ietf.org/rfc/rfc2251.txt</A></DD>
<DD><A
HREF="http://www.ietf.org/rfc/rfc2252.txt">http://www.ietf.org/rfc/rfc2252.txt</A></DD>
<DD><A
HREF="http://www.ietf.org/rfc/rfc2253.txt">http://www.ietf.org/rfc/rfc2253.txt</A></DD>
<DD><A
HREF="http://www.ietf.org/rfc/rfc2254.txt">http://www.ietf.org/rfc/rfc2254.txt</A></DD>
<DD><A
HREF="http://www.ietf.org/rfc/rfc2255.txt">http://www.ietf.org/rfc/rfc2255.txt</A></DD>
<DD><A
HREF="http://www.ietf.org/rfc/rfc2256.txt">http://www.ietf.org/rfc/rfc2256.txt</A></DD>
<DD><A
HREF="http://www.ee.oulu.fi/research/ouspg/protos/">http://www.ee.oulu.fi/research/ouspg/protos/</A></DD>
<DD><A
HREF="http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/ldapv3/">http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/ldapv3/</A></DD>
<DD><A
HREF="http://www.kb.cert.org/vuls/">http://www.kb.cert.org/vuls/</A></DD>
<DD><A
HREF="http://www.kb.cert.org/vuls/id/276944">http://www.kb.cert.org/vuls/id/276944</A></DD>
<DD><A
HREF="http://www.kb.cert.org/vuls/id/505564">http://www.kb.cert.org/vuls/id/505564</A></DD>
<DD><A
HREF="http://www.kb.cert.org/vuls/id/583184">http://www.kb.cert.org/vuls/id/583184</A></DD>
<DD><A
HREF="http://www.kb.cert.org/vuls/id/657547">http://www.kb.cert.org/vuls/id/657547</A></DD>
<DD><A
HREF="http://www.kb.cert.org/vuls/id/688960">http://www.kb.cert.org/vuls/id/688960</A></DD>
<DD><A
HREF="http://www.kb.cert.org/vuls/id/717380">http://www.kb.cert.org/vuls/id/717380</A></DD>
<DD><A
HREF="http://www.kb.cert.org/vuls/id/763400">http://www.kb.cert.org/vuls/id/763400</A></DD>
<DD><A
HREF="http://www.kb.cert.org/vuls/id/765256">http://www.kb.cert.org/vuls/id/765256</A></DD>
<DD><A
HREF="http://www.kb.cert.org/vuls/id/869184">http://www.kb.cert.org/vuls/id/869184</A></DD>
<DD><A
HREF="http://www.kb.cert.org/vuls/id/935800">http://www.kb.cert.org/vuls/id/935800</A></DD>
</DL>

<HR NOSHADE>

<P>The CERT Coordination Center thanks the Oulu University Secure
Programming Group for reporting these vulnerabilities to us, for their
detailed technical analyses, and for their assistance in preparing this
advisory.  We also thank the many vendors who provided feedback regarding
their respective vulnerabilities.

<P></P>

<HR NOSHADE>

<P>Authors: Jeffrey P. Lanza and Cory F. Cohen.  <A
HREF="mailto:cert@cert.org?subject=CA-2001-18%20Feedback%20VU%23997840">Feedback</A>
on this advisory is greatly appreciated.

<P></P>


<P>Copyright 2001 Carnegie Mellon University.</P>

<P>Revision History
<PRE>
Jul 16, 2001: Initial release
Jul 17, 2001: Added Oracle vendor statement
Jul 17, 2001: Fixed link to IBM site
Jul 17, 2001: Updated Lotus vendor statement
Jul 19, 2001: Changed "Oracle 8i Enterprise Edition" to "Oracle Internet Directory"
Jul 19, 2001: Updated Microsoft sections to list Exchange 2000 as vulnerable
Jul 19, 2001: Added version numbers and impact information for IBM
Jul 24, 2001: Added revised Oracle vendor statement
Jul 26, 2001: Added Novell vendor section; Updated Microsoft statement
Jul 27, 2001: Added vendor statement from iPlanet
Aug 13, 2001: Moved OpenLDAP patch information to Impact section
Aug 13, 2001: Moved Novell and Microsoft unaffected product statements to Description section
Aug 13, 2001: Miscellaneous vendor statement fixes
Aug 13, 2001: Added information regarding Critical Path (VU#657547)
Dec 10, 2001: Added vendor information for SGI
</PRE>