
Identity Fusion Responds to Directory Services (OpenDJ) Security Advisory #201703

Bill Nelson Apr 22, 2017 1:41:57 AM

ForgeRock released Security Advisory #201703 covering two medium-severity vulnerabilities in Directory Services (OpenDJ) that affect versions 2.6 through 3.5.1, as well as the OpenDJ embedded in OpenAM 12.x, 13.0.0, and 13.5.0.

Vulnerability Issue #201703-01: Bind Request trace logging shows plaintext password

The first vulnerability, “Bind Request trace logging shows plaintext password”, only applies if debug (trace) logging has been enabled on your OpenDJ server. It is not enabled out of the box, and it is not something Identity Fusion leaves enabled for its customers, as it produces very large log files and can hurt performance.

Is your OpenDJ server vulnerable?

This vulnerability exists in OpenDJ 3.0 through 3.5.1. You can determine whether your OpenDJ server is vulnerable by checking whether the steps documented under “Enable Debug Logging” in the Troubleshooting Server Problems section of the OpenDJ Administration Guide have been followed. Another option is to authenticate as Directory Manager against your OpenDJ server, then look in the OpenDJ logs directory for a file named debug and check whether it contains your Directory Manager password. Be careful how you do that check: grepping for the password by typing it on the command line puts it in the shell history, which is the next problem described below.

What should you do if your server is vulnerable?

Disabling the debug log publisher and deleting the existing debug log files (rotated ones included) is enough to protect you from this vulnerability until you have time to apply the patch. If you ship OpenDJ logs to a central log store, the password may already be there as well, so check that too.

While you’re checking for plain text passwords…

While you’re checking on this vulnerability, we also recommend checking shell histories for commands that contain the Directory Manager password. This is something we often see at customers’ sites, and it is easily remedied.

Which servers should you check?

Keep in mind that any Unix or Unix-like host that can communicate with the LDAP server could have the Directory Manager password in its command history, including OpenAM servers, so check more than just the OpenDJ servers. When you find the plaintext password in a shell history, delete or edit the user’s history file to remove the applicable commands, and train your staff not to pass the Directory Manager password on the command line in the first place.

How do you keep from using plain text passwords with OpenDJ’s tools?

The LDAP tools that come with OpenDJ have options for prompting the user for the password, as well as for reading the password from a file that contains it in plain text. For many of the tools, such as ldapsearch, the options are the same:

-w -
--bindPassword -

Specifying a value of “-” with -w or --bindPassword causes ldapsearch to prompt for the bind password before the command executes, so the password never appears on the command line or in the shell history.

-j /path/to/file/name.txt
--bindPasswordFile /path/to/file/name.txt

With this option, the user places the password in a text file right before using the OpenDJ tools and deletes the file when done with them for that session. Create the file so that only your own account can read it (a restrictive umask, mode 0600) and delete it as soon as it is no longer needed; if it is left behind, the plaintext password remains on the file system, which is a risk in itself.

Not all OpenDJ tools use those options or use them with the same option name, so use the --help option to review that tool’s available options.
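The following script ties the two pieces of advice above together: it checks the debug log for the Directory Manager password (the test for issue #201703-01) and it runs ldapsearch and dsconfig with -j/--bindPasswordFile so the password never lands in argv, shell history or ps output. It is an added example, not code from the Identity Fusion post or from OpenDJ itself. It assumes an OpenDJ 3.x install under OPENDJ_HOME with ldapsearch and dsconfig in bin/, placeholder host and port values, and that the debug publisher carries the OpenDJ 3.x default name "File-Based Debug Logger" (confirm with dsconfig list-log-publishers). The sample log line used in testing is constructed, not real OpenDJ output.

```shell
#!/bin/sh
# Added example: keep the Directory Manager password out of argv, shell
# history and `ps` while checking for advisory #201703-01. Not part of
# the Identity Fusion post or of OpenDJ's own tooling.
#
# Assumptions (placeholders, adjust for your deployment):
#   OPENDJ_HOME  - OpenDJ 3.x install whose bin/ has ldapsearch and dsconfig
#   DS_HOST, LDAP_PORT, ADMIN_PORT - where that server listens
#   "File-Based Debug Logger" - the default debug publisher name in OpenDJ 3.x;
#                               confirm with `dsconfig list-log-publishers`
OPENDJ_HOME="${OPENDJ_HOME:-/opt/opendj}"
DS_HOST="${DS_HOST:-localhost}"
LDAP_PORT="${LDAP_PORT:-1389}"
ADMIN_PORT="${ADMIN_PORT:-4444}"
BIND_DN="cn=Directory Manager"

# Prompt for the password with terminal echo off and print it on stdout.
# Nothing reaches the shell history because no command line carries it.
prompt_bind_password() {
    printf '%s password: ' "$BIND_DN" >&2
    stty -echo 2>/dev/null
    IFS= read -r pbp_pw
    pbp_rc=$?
    stty echo 2>/dev/null
    printf '\n' >&2
    [ "$pbp_rc" -eq 0 ] || return 1
    printf '%s\n' "$pbp_pw"
}

# Read a password from stdin, store it in a fresh mode-0600 temp file, and
# print the file name. This is the file handed to -j/--bindPasswordFile;
# the OpenDJ tools use the first line of that file.
make_bind_password_file() {
    IFS= read -r mbpf_pw || return 1
    mbpf_file=$(umask 077; mktemp) || return 1
    printf '%s\n' "$mbpf_pw" >"$mbpf_file" || return 1
    mbpf_pw=
    printf '%s\n' "$mbpf_file"
}

# Return 0 if the plaintext password occurs anywhere in the debug log.
# grep -F -f takes the pattern from the password file, so the secret is
# never an argument and never interpreted as a regex.
debug_log_contains_password() {
    [ -r "$1" ] || return 2
    grep -q -F -f "$2" "$1"
}

# Bind with the password file instead of -w <password>.
ldapsearch_with_file() {
    lwf_pwfile=$1; shift
    "$OPENDJ_HOME/bin/ldapsearch" -h "$DS_HOST" -p "$LDAP_PORT" \
        -D "$BIND_DN" -j "$lwf_pwfile" "$@"
}

# Mitigation from the post: turn the debug publisher off until patched.
disable_debug_logger() {
    "$OPENDJ_HOME/bin/dsconfig" set-log-publisher-prop \
        --publisher-name "File-Based Debug Logger" --set enabled:false \
        -h "$DS_HOST" -p "$ADMIN_PORT" -D "$BIND_DN" -j "$1" -X -n
}

# Full procedure; only runs when invoked as: sh check_debug_leak.sh --run
if [ "${1:-}" = "--run" ]; then
    pwfile=$(prompt_bind_password | make_bind_password_file) || exit 1
    trap 'rm -f "$pwfile"' EXIT INT TERM     # the file never outlives the session
    # A bind that the debug logger traces when it is enabled.
    ldapsearch_with_file "$pwfile" -b "" -s base "(objectClass=*)" vendorName
    if debug_log_contains_password "$OPENDJ_HOME/logs/debug" "$pwfile"; then
        echo "debug log contains the bind password; disabling debug logging" >&2
        disable_debug_logger "$pwfile" && rm -f "$OPENDJ_HOME"/logs/debug*
    else
        echo "no plaintext bind password found in $OPENDJ_HOME/logs/debug" >&2
    fi
fi
```

The trap removes the password file on any exit, including Ctrl-C, which closes the "forgot to delete it" gap noted above. Because grep reads the pattern from the file, even the check for the leaked password does not put the password on a command line.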

 

Vulnerability Issue #201703-02: Sending random data to LDAP/LDAPS ports may expose information about the service

The second vulnerability, “Sending random data to LDAP/LDAPS ports may expose information about the service”, exposes the vendor of the LDAP server (the org.forgerock.opendj package name appears in the error text), but does not expose the version or any other information.

The following is an example of the information that is exposed:

Cannot decode the provided ASN.1 sequence as an LDAP message because the first element of the sequence could not be decoded as an integer message ID: org.forgerock.opendj.ldap.DecodeException: Cannot decode the provided ASN.1 integer element because the length of the element value was not between one and four bytes (actual length was 55)

Is your OpenDJ server vulnerable?

This vulnerability exists in OpenDJ 2.6 through 3.5.1. You can determine whether your OpenDJ server is vulnerable by connecting to its LDAP or LDAPS port and sending it a large chunk of random data. If the reply contains a message like the one shown above, you were able to trigger the vulnerability. The exact wording depends on the bytes you send; what matters is whether the org.forgerock.opendj class name comes back.
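The check described above, as an added example that is not part of the Identity Fusion post or of OpenDJ: send junk to the LDAP port and look for the ForgeRock package name in whatever comes back. It assumes nc (OpenBSD or GNU netcat, both accept -w) is installed and that the target is a plain LDAP port. Besides the random data the post describes, it also sends a payload shaped like the one that produced the sample message (a BER SEQUENCE whose first element is a 55-byte octet string where the integer message ID should be); that shape is an assumption reconstructed from the "actual length was 55" text, not something stated on the page.

```shell
#!/bin/sh
# Added example: reproduce the advisory #201703-02 check from the post by
# sending junk to the LDAP port and looking for the ForgeRock package name in
# the reply. Not part of the Identity Fusion post or of OpenDJ's tooling.
# Assumptions: `nc` (OpenBSD or GNU netcat, both accept -w) is installed, and
# the target is a plain LDAP port that answers a malformed PDU with a
# clear-text diagnostic message.

# Random data, as the post describes. How the server reacts depends on the
# leading bytes, so the caller sends a few of these.
random_payload() {
    head -c "${1:-256}" /dev/urandom
}

# A payload with the shape implied by the sample message on the page: a BER
# SEQUENCE whose first element is a 55-byte OCTET STRING where the decoder
# expects the INTEGER message ID. Assumption: this is what produced the
# "actual length was 55" text; octal escapes keep the printf POSIX.
bad_message_id_payload() {
    printf '\060\071\004\067'          # SEQUENCE, len 57; OCTET STRING, len 55
    printf '%055d' 0 | tr 0 A          # 55 bytes of filler
}

# Send stdin to host:port and print the printable part of the reply. The
# Notice of Disconnection carrying the diagnostic text comes back as BER,
# so non-printable bytes are replaced by '?'.
probe_ldap_port() {
    nc -w "${PROBE_TIMEOUT:-3}" "$1" "$2" | tr -c '[:print:]\n' '?'
}

# Return 0 when the reply text on stdin names the ForgeRock OpenDJ package,
# which is the information the advisory says is exposed.
leaks_vendor_name() {
    grep -q 'org\.forgerock\.opendj'
}

# Usage: sh probe_vendor_leak.sh --run ldap.example.com 389
if [ "${1:-}" = "--run" ]; then
    host=${2:?host}; port=${3:-389}
    for attempt in 1 2 3; do
        if random_payload | probe_ldap_port "$host" "$port" | leaks_vendor_name; then
            echo "vendor name exposed by $host:$port (random payload, attempt $attempt)"
            exit 0
        fi
    done
    if bad_message_id_payload | probe_ldap_port "$host" "$port" | leaks_vendor_name; then
        echo "vendor name exposed by $host:$port (malformed LDAP message)"
        exit 0
    fi
    echo "no ForgeRock package name in replies from $host:$port (patched, filtered, or not OpenDJ)"
    exit 1
fi
```

For an LDAPS port, replace nc with openssl s_client -connect host:636 -quiet, which likewise forwards stdin to the server and writes the server's bytes to stdout. Run the probe only against servers you are authorized to test.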

What should you do if your server is vulnerable?

There isn’t much you can do about this prior to applying the patch. If you block all internet access to your OpenDJ servers, the remaining concern is that a malicious employee could determine you’re running ForgeRock OpenDJ. That information can also be learned through normal business interactions or light social engineering, so the risk from the second vulnerability, combined with network rules restricting access to your OpenDJ ports, is relatively low.

Where can you find the patches?

If your version of OpenDJ has never been patched, you may download the patch from Backstage under Security Advisory #201703.

If your version of OpenDJ already contains one or more patches and you wish to apply this one, open a ticket with ForgeRock Support requesting an updated patch for your deployment.

And, of course…

If you need our assistance, please let us know and we’ll be happy to assist.
