CVE-2017-11501

NixOS 17.03 and earlier has an unintended default absence of SSL Certificate Validation for LDAP. The users.ldap NixOS module implements user authentication against LDAP servers via a PAM module. It was found that if TLS is enabled to connect to the LDAP server with users.ldap.useTLS, peer verification will be unconditionally disabled in /etc/ldap.conf.

CVSS v3 5.9 MEDIUM
CVSS v2.0 4.3 MEDIUM

5.9^/10

CVSS v3 : MEDIUM

Vector : AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Exploitability : 2.2 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

4.3^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:N/I:P/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://openwall.com/lists/oss-security/2017/07/20/1	Mailing List Mitigation Patch Third Party Advisory
https://github.com/NixOS/nixpkgs/issues/27506	Issue Tracking Third Party Advisory
https://groups.google.com/forum/#%21topic/nix-security-announce/qrDU0KH_ZRk

Configurations

Configuration 1 (hide)

cpe:2.3:o:nixos_project:nixos:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2017-07-20 23:29

Updated : 2023-11-07 02:38

NVD link : CVE-2017-11501

Mitre link : CVE-2017-11501

CVE.ORG link : CVE-2017-11501

JSON object : View

Products Affected

nixos_project

nixos

CWE

CWE-295

Improper Certificate Validation

{"id": "CVE-2017-11501", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.2}]}, "published": "2017-07-20T23:29:00.247", "references": [{"url": "http://openwall.com/lists/oss-security/2017/07/20/1", "tags": ["Mailing List", "Mitigation", "Patch", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/NixOS/nixpkgs/issues/27506", "tags": ["Issue Tracking", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://groups.google.com/forum/#%21topic/nix-security-announce/qrDU0KH_ZRk", "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-295"}]}], "descriptions": [{"lang": "en", "value": "NixOS 17.03 and earlier has an unintended default absence of SSL Certificate Validation for LDAP. The users.ldap NixOS module implements user authentication against LDAP servers via a PAM module. It was found that if TLS is enabled to connect to the LDAP server with users.ldap.useTLS, peer verification will be unconditionally disabled in /etc/ldap.conf."}, {"lang": "es", "value": "NixOS versi\u00f3n 17.03 y anteriores tienen una ausencia predeterminada involuntaria de la comprobaci\u00f3n de certificado SSL para LDAP. El m\u00f3dulo users.ldap NixOS implementa la identificaci\u00f3n de usuarios contra servidores LDAP por medio de un m\u00f3dulo PAM. Se encontr\u00f3 que si TLS est\u00e1 habilitado para conectarse al servidor LDAP con users.ldap.useTLS, la verificaci\u00f3n entre iguales se deshabilitar\u00e1 incondicionalmente en /etc/ldap.conf."}], "lastModified": "2023-11-07T02:38:17.983", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:nixos_project:nixos:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "17B2506F-7453-4F4D-BC34-94FD6A02DB24", "versionEndIncluding": "17.03"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}