Gentoo Logo

pam_ldap and nss_ldap: Plain text authentication leak


1.  Gentoo Linux Security Advisory

Version Information

Advisory Reference GLSA 200507-13 / pam_ldap nss_ldap
Release Date July 14, 2005
Latest Revision July 14, 2005: 01
Impact normal
Exploitable remote
Package Vulnerable versions Unaffected versions Architecture(s)
sys-auth/nss_ldap < 239-r1 >= 239-r1, revision >= 226-r1 All supported architectures
sys-auth/pam_ldap < 178-r1 >= 178-r1 All supported architectures

Related bugreports: #96767


pam_ldap and nss_ldap fail to restart TLS when following a referral, possibly leading to credentials being sent in plain text.

2.  Impact Information


pam_ldap is a Pluggable Authentication Module which allows authentication against an LDAP directory. nss_ldap is a Name Service Switch module which allows 'passwd', 'group' and 'host' database information to be pulled from LDAP. TLS is Transport Layer Security, a protocol that allows encryption of network communications.


Rob Holland of the Gentoo Security Audit Team discovered that pam_ldap and nss_ldap fail to use TLS for referred connections if they are referred to a master after connecting to a slave, regardless of the "ssl start_tls" ldap.conf setting.


An attacker could sniff passwords or other sensitive information as the communication is not encrypted.

3.  Resolution Information


pam_ldap and nss_ldap can be set to force the use of SSL instead of TLS.


All pam_ldap users should upgrade to the latest version:

Code Listing 3.1: Resolution

# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-auth/pam_ldap-178-r1"

All nss_ldap users should upgrade to the latest version:

Code Listing 3.2: Resolution

# emerge --sync
# emerge --ask --oneshot --verbose sys-auth/nss_ldap

4.  References


Page updated July 14, 2005

Summary: This is a Gentoo Linux Security Advisory

Security Team
Contact Address

Donate to support our development efforts.

Copyright 2001-2015 Gentoo Foundation, Inc. Questions, Comments? Contact us.