NIX-2017-0003: LDAP with useTLS disabled TLS peer verification


Graham Christensen

Jul 19, 2017, 8:46:47 PM
to nix-securi...@googlegroups.com

Nix Security Advisory
NIX-2017-0003
2017-07-19
---------------------
LDAP with useTLS disabled TLS peer verification


Description
===========

The users.ldap NixOS module implements user authentication against LDAP
servers via a PAM module. It was found that if TLS is enabled to connect
to the LDAP server with users.ldap.useTLS, peer verification will be
unconditionally disabled in /etc/ldap.conf.


Impact
======

A man-in-the-middle attack can be performed by an attacker positioned
between a machine with LDAP authentication enabled and the LDAP server.
Even though TLS is enabled, an attacker is able to impersonate the LDAP
server with an invalid certificate.

Attackers might be able to steal user password hashes or service account
credentials in plaintext.


Vulnerable Systems
==================

NixOS 16.09 and earlier releases are unsupported and vulnerable.

Distribution      First Non-Vulnerable Commit
------------      ---------------------------
nixos-17.03       b3fa6295ad5a040a1628cb89da26a0f6c347ac65
nixos-unstable    2b2a6f20701c4740526a8976f3ac60fc6be797e2

Channel               First Non-Vulnerable Release
-------               ----------------------------
nixos-17.03-small     nixos-17.03.1581.b3fa6295ad
nixos-17.03           expected within 3 hours
nixos-unstable-small  unknown
nixos-unstable        unknown


Mitigation
==========

Option A:

Set users.ldap.useTLS to false, and manually specify TLS in the
extraConfig:


{
users.ldap.useTLS = false;
users.ldap.extraConfig = ''
ssl start_tls
'';
}

Option B:

Switch your NixOS channel to nixos-17.03-small, update, and run
nixos-rebuild switch:

# nix-channel --add https://nixos.org/channels/nixos-17.03-small nixos
# nix-channel --update
# nixos-rebuild switch


Resolution
==========

NixOS no longer adds "tls_checkpeer no" to the LDAP configuration
when users.ldap.useTLS is enabled. Users who need the old behaviour
can add it back via the users.ldap.extraConfig option.
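An added audit check for the resulting /etc/ldap.conf, not part of the advisory or of NixOS: it reports whether a pam_ldap-style configuration enables TLS while carrying the "tls_checkpeer no" directive described above. The sample file is constructed; treating an absent tls_checkpeer as "verification on" and treating "ssl on" and "ldaps://" URIs as TLS are assumptions.

```shell
# Added audit check, not part of the advisory or of NixOS: reports whether a
# pam_ldap-style ldap.conf turns TLS on yet disables peer verification, the
# state the advisory describes for useTLS = true. Prints one of:
# no-tls, tls-verified, tls-unverified.
ldap_tls_status() {
    file="$1"
    uses_tls=0
    checkpeer=yes   # assumption: an absent directive leaves verification on
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                 # drop comments
        set -- $line                     # split into key and value(s)
        [ $# -ge 2 ] || continue
        key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
        val=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
        case "$key" in
            ssl)           case "$val" in start_tls|on) uses_tls=1 ;; esac ;;
            uri)           case "$line" in *ldaps://*) uses_tls=1 ;; esac ;;
            tls_checkpeer) checkpeer=$val ;;
        esac
    done < "$file"
    if [ "$uses_tls" -eq 0 ]; then
        echo no-tls
    elif [ "$checkpeer" = no ] || [ "$checkpeer" = off ] || [ "$checkpeer" = false ]; then
        echo tls-unverified
    else
        echo tls-verified
    fi
}

# Constructed sample of the file the module wrote with useTLS = true before
# the fix: TLS is requested, but the peer certificate is never checked.
write_vulnerable_sample() {
    cat > "$1" <<'EOF'
uri ldap://ldap.example.org/
base dc=example,dc=org
ssl start_tls
tls_checkpeer no
EOF
}

# Stand-alone demo: the sample, then the live file if there is one.
demo=$(mktemp)
write_vulnerable_sample "$demo"
echo "sample: $(ldap_tls_status "$demo")"    # prints: sample: tls-unverified
rm -f "$demo"
if [ -r /etc/ldap.conf ]; then echo "/etc/ldap.conf: $(ldap_tls_status /etc/ldap.conf)"; fi
```

Run it on a host after applying either mitigation; a "tls-verified" result means the peer check is back in force.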