Subject: Shiva Access Manager 5.0.0 Plaintext LDAP root password.
From: Blaise St. Laurent (blaiseGEEKY.NET)
Date: Tue Jun 06 2000 - 13:36:53 CDT


In testing Intel's Shiva Access Manager RADIUS/Tacacs+
product, I recently came across an important security
hole in the LDAP connectivity on the Solaris platform
version of this product.

When you configure the S.A.M. to store all of its
information in an LDAP directory, it asks that you give
it the root DN's name and password, which it then
stores in plaintext in the file

$SHIVA_HOME_DIR/insnmgmt/shiva_access_manager/radtac.ini

with the rest of the configuration (including the LDAP
server and port), which is by default world readable
(owned by root). To get this information constitutes a
total breach of your LDAP server.

The company has been notified and I'm still awaiting a
statement with their response (I informed them 3 weeks
ago).

I haven't taken a look at the NT version of the
software to see if there is a similar vulnerability.

That being said, there is a possible workaround. Have
SAM use a non-root DN account on the LDAP server that
has just enough permissions to modify those fields
within the directory that are needed. I can foresee an
account that can only change the Shiva extensible
objects within the user profile. This limits the
amount of damage that may be done, but doesn't
alleviate the problem of having someone with
unauthorized write privileges in your directory.

Blaise St-Laurent
Security Consultant

DISCLAIMER: The contents of this email are my own
findings and do not in any way have anything to do with
the company that employs me, or the clients we may work
with.
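The following is an added example, not part of the original post or of the Shiva product, showing the two checks a defender would want for the issue described above: whether a RADIUS/LDAP configuration file is world readable, and whether it carries a plaintext bind credential; it also tightens the mode to owner-only. The INI layout and the key names (`password`, `rootdn`, and so on) are assumptions, since the actual radtac.ini format is not shown in the post, and the sample file is constructed here.

```python
"""Audit a RADIUS/LDAP config file for a plaintext bind password that is
world readable, and tighten its permissions.

Added example; the INI layout and credential key names below are assumed,
not taken from the Shiva Access Manager documentation.
"""
import configparser
import os
import stat
import tempfile

# Hypothetical key names under which a directory bind credential might be stored.
CREDENTIAL_KEYS = {"password", "passwd", "bindpw", "ldappassword", "rootpw"}


def find_plaintext_credentials(path):
    """Return (section, key) pairs whose key looks like a credential and is non-empty."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read(path)
    hits = []
    for section in parser.sections():
        for key, value in parser.items(section):
            # configparser lower-cases keys by default, so the set lookup is case-insensitive.
            if key in CREDENTIAL_KEYS and value.strip():
                hits.append((section, key))
    return hits


def is_world_readable(path):
    """True if the 'other' read bit is set on the file."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def audit(path):
    """Summarise the finding: a file is a problem when it is both world readable
    and contains a plaintext credential."""
    creds = find_plaintext_credentials(path)
    readable = is_world_readable(path)
    return {
        "path": path,
        "world_readable": readable,
        "credentials": creds,
        "exposed": readable and bool(creds),
    }


def harden(path):
    """Drop group/other permissions (equivalent to chmod 600) and return the new mode."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    return stat.S_IMODE(os.stat(path).st_mode)


def make_sample_config():
    """Constructed sample mimicking a world-readable config holding the root DN password."""
    fd, path = tempfile.mkstemp(suffix=".ini")
    with os.fdopen(fd, "w") as f:
        f.write(
            "[ldap]\n"
            "server = ldap.example.test\n"
            "port = 389\n"
            "rootdn = cn=Directory Manager\n"
            "password = constructed-sample-secret\n"
        )
    os.chmod(path, 0o644)  # reproduce the world-readable default described in the post
    return path


if __name__ == "__main__":
    sample = make_sample_config()
    print("before:", audit(sample))
    print("mode after harden: %o" % harden(sample))
    print("after:", audit(sample))
    os.unlink(sample)
```

Tightening the file mode only closes the read path on the host; the least-privilege bind DN suggested as a workaround in the post is enforced on the directory server side, and a file audit like this one should be paired with an ACL on that DN that grants write access only to the attributes the product actually needs.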