
U-227: bind-dyndb-ldap DN Escaping Flaw Lets Remote Users Deny Service

August 3, 2012 - 7:00am


PROBLEM:

bind-dyndb-ldap DN Escaping Flaw Lets Remote Users Deny Service

PLATFORM:

bind-dyndb-ldap

ABSTRACT:

A vulnerability has been reported in bind-dyndb-ldap, which can be exploited by malicious people to cause a DoS (Denial of Service).

REFERENCE LINKS:

Secunia Advisory SA50086
Vulnerability Report: bind-dyndb-ldap
SecurityTracker Alert ID: 1027341
RHSA-2012:1139-1
CVE-2012-3429

IMPACT ASSESSMENT:

Medium

Discussion:

The vulnerability is caused by an error in the "dns_to_ldap_dn_escape()" function (src/ldap_convert.c) when it escapes DN values for the LDAP query. This can be exploited to hang the named process and render the service unusable.
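The sketch below is an added example, not bind-dyndb-ldap's code or its fix. It shows the two properties a DN-escaping routine needs when the input is an untrusted DNS name: guaranteed forward progress and a bounded output buffer. The names `dn_escape` and `dn_safe`, the allow-list and the sample names are assumptions of the example.

```c
#include <stdio.h>
#include <string.h>

/* Bytes copied through unchanged; every other byte is written as \XX.
 * The allow-list is this example's assumption, not the project's. */
static int dn_safe(unsigned char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') || c == '-' || c == '.' || c == '_';
}

/* Escape inlen bytes of a DNS name for use as an attribute value in an
 * LDAP DN (RFC 4514 hex-pair form). Returns the escaped length, or -1 if
 * out is too small. The input index advances exactly once per iteration,
 * so the loop ends after inlen steps whatever bytes the name contains. */
long dn_escape(const char *in, size_t inlen, char *out, size_t outsz)
{
    static const char hex[] = "0123456789abcdef";
    size_t o = 0;

    if (outsz == 0)
        return -1;
    for (size_t i = 0; i < inlen; i++) {
        unsigned char c = (unsigned char)in[i];
        size_t need = dn_safe(c) ? 1 : 3;

        if (outsz - o <= need)      /* keep one byte for the NUL */
            return -1;
        if (need == 1) {
            out[o++] = (char)c;
        } else {
            out[o++] = '\\';
            out[o++] = hex[c >> 4];
            out[o++] = hex[c & 0x0f];
        }
    }
    out[o] = '\0';
    return (long)o;
}

int main(void)
{
    /* Constructed sample names, including DN metacharacters. */
    const char *names[] = { "www.example.com", "a$b", "x,dc=other", "#lead" };
    char buf[64];

    for (size_t n = 0; n < sizeof names / sizeof names[0]; n++)
        if (dn_escape(names[n], strlen(names[n]), buf, sizeof buf) >= 0)
            printf("%-16s -> %s\n", names[n], buf);
    return 0;
}
```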

Impact:

A remote user can cause the target named service to crash.

Solution:

Updates are available. See the source code fix.
