Peter Winter-Smith of NGSSoftware has discovered a high risk vulnerability in Red Hat Directory Server and Red Hat Certificate Server. It is possible that under certain circumstances these flaws could permit an unauthenticated attacker to remotely compromise the Directory or Certificate server, in other circumstances this flaw could facilitate local privilege escalation to root. Affected versions include: Netscape Directory Server Red Hat Directory Server (prior to 7.1 SP1) Red Hat Certificate Server (prior to 7.1 SP1) These issues have been resolved in the latest patch releases for Red Hat Directory Server 7.1 (SP1) and for Red Hat Certificate Server 7.1 (SP1), which may be downloaded from the Red Hat Network. Release notes may be obtained at the following address: https://www.redhat.com/docs/manuals/dir-server/release- notes/ds71sp1relnotes.html Red Hat have included a vendor statement which may be viewed below: - ---------- Vendor statement: Red Hat, Inc: This issue affected Red Hat Directory Server 7.1, Red Hat Certificate System 7.1, and earlier Netscape releases of these products. The flaw is a stack buffer overflow related to the Help buttons available in the Admin pages of the Management Console. A remote attacker who is able to connect to the Management Console could send a carefully crafted request to trigger this flaw. Note that in general, access to the Management Console would usually be prevented by firewall configuration. Due to the nature of the affected code, this flaw is not able to lead to remote arbitrary code execution on Unix platforms. However, the flaw could be used by a local attacker to gain elevated (root) privileges. * Red Hat Directory Server 7.1 SP1, available via the Red Hat Network, contains a patch to correct this issue. https://www.redhat.com/docs/manuals/dir-server/release- notes/ds71sp1relnotes.html * Red Hat Certificate Server 7.1 SP1 will be available in early 2006 which contains a patch to correct this issue. Until the update is available, users can mitigate this issue by removing the help.cgi binary. * This flaw did not affect Fedora Directory Server. http://www.redhat.com/security/team/contact/ - ----------- NGSSoftware are going to withhold details of this flaw for three months. Full details will be published on the 05th January 2006. This three month window will allow users of Sun Directory Server the time needed to apply the patch before the details are released to the general public. This reflects NGSSoftware's approach to responsible disclosure. NGSSoftware Insight Security Research http://www.ngssoftware.com http://www.databasesecurity.com/ http://www.nextgenss.com/ +44(0)208 401 0070