{Security Vulnerability] ldapmavis-mt

[Marc Huber]

Previous versions of ldapmavis-mt mishandle zero-length user passwords for LDAP user authentication.

While some recent LDAP server implementations simply deny these requests, older servers may consider them as anonymous binds. If your setup uses ldapmavis-mt and your LDAP server permits anonymous binds with a DN set you might be at risk.

This issue affects ldapmavis-mt only. The script LDAP backends are safe.

There are several ways to remedy this issue:

Recommended: Upgrade to the current GIT, it comes with fixed code

Workaround A: Add a minimalistic script to reject zero-length passwords:

        mavis module = external-mt {
                script in {
                        if (defined $PASSWORD && $PASSWORD =~ /^$/) { set $RESULT = "NAK" return }
                        if (defined $PASSWDNEW && $PASSWDNEW =~ /^$/) { set $RESULT = "NAK" return }
                }
                # ...
                exec = /usr/local/sbin/ldapmavis-mt
        }

Workaround B: Switch to one of the script-based backends (mavis_tacplus-ng_ldap.pl/mavis_tacplus_ldap.pl/mavis_tacplus_ldap.py)

Acknowledgements: Thanks to sanjmonkey for reporting this issue via GitHub (https://github.com/MarcJHuber/event-driven-servers/issues/146).