COMMAND
iplanet
SYSTEMS AFFECTED
iplanet calendar server 5.0p2
PROBLEM
Adam Laurie found the following. At the time of writing, 5.0p2 is
the currently available revision on iPlanet's download site.
The standard install of iPlanet Calendar Server stores the NAS
LDAP admin username and password in plaintext in the world-readable
file:
-rw-r--r-- 1 icsuser icsgroup 37882 Feb 20 10:18 /opt/SUNWics5/cal/bin/config/ics.conf
in the fields
local.authldapbinddn (username)
and
local.authldapbindcred (password)
This potentially gives all local users full read/write access to
the underlying NAS LDAP database (which is normally used for admin
facilities such as storing user/group profiles, passwords, ACLs,
SSL certificates and/or other sensitive company information), and
full administrative control of the local NAS server. This access
could in turn lead to compromise of other facilities such as
web/e-commerce sites, directories, etc.
We believe that the default install of the underlying NAS LDAP
server and associated administration packages allows remote admin
via TCP/IP, so other remote compromises that allow reading of
world-readable files (or any other disclosure of the above file's
contents) could lead to full remote read/write access to the NAS
LDAP database and full remote administrative control of the
server.
SOLUTION
This was reported to iPlanet at the end of February 2001, who
requested that Adam submit it to Netscape's online bug-tracking
system, which he did on 3rd March. He has heard nothing from them
since. He has not personally investigated or tested any fix for
this.
The owner of the file is icsuser and the group is icsgroup. The
security mode on this file does not need to allow read access by
anyone who is not in icsgroup. Thus, the permissions may be
set to -rw-r----- (mode 640) with no adverse effects. This will
secure the administrative access to this calendar-specific LDAP
server.
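The following is an added example, not part of the advisory, showing how an administrator can audit an ics.conf for the exposure described above and apply the permission fix from the SOLUTION. The path and field names are those given in the advisory; the key = "value" layout and the sample values are constructed assumptions.

```shell
#!/bin/sh
# Audit whether ics.conf exposes the NAS LDAP bind credential to every
# local user, then tighten it to owner rw / group r / others none.
# Default path and field names are from the advisory; the file layout and
# sample values below are constructed for this example.

ICS_CONF_DEFAULT=/opt/SUNWics5/cal/bin/config/ics.conf

# 0 if the "other" read bit is set (column 8 of the ls -l mode string, e.g. -rw-r--r--)
ics_conf_world_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# 0 if the file carries a non-empty local.authldapbindcred field
ics_conf_has_bind_cred() {
    grep -Eq '^[[:space:]]*local\.authldapbindcred[[:space:]]*=[[:space:]]*"[^"]+"' "$1"
}

# 1 when the bind credential is readable by all local users, 0 otherwise
audit_ics_conf() {
    f=${1:-$ICS_CONF_DEFAULT}
    [ -f "$f" ] || { echo "audit: $f not found" >&2; return 2; }
    if ics_conf_world_readable "$f" && ics_conf_has_bind_cred "$f"; then
        echo "FINDING: $f is world-readable and holds local.authldapbindcred"
        return 1
    fi
    echo "OK: $f does not expose the LDAP bind credential"
    return 0
}

# Apply the advisory's fix (-rw-r-----) and confirm others can no longer read it
harden_ics_conf() {
    f=${1:-$ICS_CONF_DEFAULT}
    chmod 0640 "$f" && ! ics_conf_world_readable "$f"
}

# Build a constructed ics.conf in a temp file with the insecure default mode 0644
make_sample_ics_conf() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
local.authldapbinddn = "cn=admin-placeholder"
local.authldapbindcred = "secret-placeholder"
EOF
    chmod 0644 "$f"
    echo "$f"
}
```

Run `audit_ics_conf` with no argument against a real install to check the default path; `harden_ics_conf` must be run as the file owner or root.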