COMMAND

    iplanet

SYSTEMS AFFECTED

    iplanet calendar server 5.0p2

PROBLEM

    Adam Laurie found the following.  At the time of writing, 5.0p2 is
    the currently available revision on iPlanet's download site.

    The standard install of iPlanet Calendar Server stores the NAS LDAP
    admin username and password in plaintext in the world-readable file:

        -rw-r--r--   1 icsuser  icsgroup   37882 Feb 20 10:18   /opt/SUNWics5/cal/bin/config/ics.conf

    in the fields

        local.authldapbinddn (username)

    and

        local.authldapbindcred (password)

    This potentially gives all local users full read/write access to the
    underlying NAS LDAP database (which is normally used for admin
    facilities such as storing user / group profiles, passwords, ACLs,
    SSL certificates and/or other sensitive company information), and
    full administrative control of the local NAS server.  This access
    could in turn lead to compromise of other facilities such as
    web/e-commerce sites, directories etc.

    We believe that the default install of the underlying NAS LDAP
    server and associated administration packages allows remote admin
    via TCP/IP, so other remote compromises that allow reading of
    world-readable files (or any other disclosure of the above file's
    contents) could lead to full remote read/write access to the NAS
    LDAP database and full remote administrative control of the
    server.

SOLUTION

    This was reported to iPlanet at the end of February 2001, who asked
    Adam to submit it to Netscape's online bug-tracking system, which he
    did on 3rd March.  He has heard nothing from them since.  He has not
    personally investigated or tested any fix for this.

    The file is owned by user icsuser and group icsgroup.  The security
    mode on this file does not need to allow read access by anyone who
    is not in the icsgroup.  Thus, the permissions may be set to
    -rw-r----- (mode 0640) with no adverse effects.  This will secure
    the administrative access to this calendar-specific LDAP server.
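
    The following script is an added example, not part of the original
    advisory and not iPlanet's code.  It audits whether a config file
    that carries the local.authldapbinddn / local.authldapbindcred keys
    is world-readable, and applies the 0640 fix described above.  The
    ics.conf contents it creates are a constructed sample with
    placeholder values; the /opt/SUNWics5 path and the icsgroup group
    name are taken from the advisory and only appear in comments, so
    the script runs unprivileged in a temporary directory.

```shell
#!/bin/sh
# Added example: audit and fix a world-readable calendar server config
# holding LDAP bind credentials.  Not from the advisory or from iPlanet.
# On a real host the file would be /opt/SUNWics5/cal/bin/config/ics.conf,
# owned by icsuser:icsgroup (both taken from the advisory).
set -eu

# Config keys the advisory identifies as holding the bind DN and password.
CRED_KEYS='local.authldapbinddn local.authldapbindcred'

# world_readable FILE: returns 0 if the "other" read bit (o+r) is set.
# Uses POSIX find -perm -004 so it works on Solaris, Linux and BSD.
world_readable() {
    [ -n "$(find "$1" -prune -perm -004 -print 2>/dev/null)" ]
}

# holds_credentials FILE: returns 0 if the file sets any credential key.
holds_credentials() {
    for k in $CRED_KEYS; do
        grep -q "^[[:space:]]*$k[[:space:]]*=" "$1" && return 0
    done
    return 1
}

# audit FILE: prints a finding and returns 1 when the file exposes the
# bind credentials to every local user; prints OK and returns 0 otherwise.
audit() {
    if holds_credentials "$1" && world_readable "$1"; then
        echo "FINDING: $1 is world-readable and contains LDAP bind credentials"
        return 1
    fi
    echo "OK: $1"
    return 0
}

# harden FILE: apply the advisory's fix, -rw-r----- (0640).  Ownership is
# left alone; on the real host it should already be icsuser:icsgroup.
harden() {
    chmod 0640 "$1"
}

# demo: run audit -> harden -> audit on a constructed sample ics.conf.
demo() {
    tmp=$(mktemp -d)
    f="$tmp/ics.conf"
    # Constructed sample; the DN and password are placeholders only.
    cat > "$f" <<'EOF'
! ics.conf (constructed sample, not a real configuration)
local.hostname = "calendar.example.test"
local.authldapbinddn = "cn=PLACEHOLDER-ADMIN"
local.authldapbindcred = "PLACEHOLDER-PASSWORD"
EOF
    chmod 0644 "$f"          # the default install permissions (-rw-r--r--)
    audit "$f" || true       # expected: FINDING
    harden "$f"
    audit "$f"               # expected: OK
    rm -rf "$tmp"
}

demo
```

    The audit deliberately checks the permission bits rather than whether
    the current user can read the file, so it reports the exposure
    correctly even when run as root or as icsuser.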