The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of OpenLDAP: TLSCipherSuite ignored with NSS

Synthesis of the vulnerability 

When OpenLDAP uses NSS to manage SSL/TLS sessions, the TLSCipherSuite configuration directive is ignored, so an attacker can target a weak encryption algorithm that should have been disabled.
Impacted software: Mac OS X, Fedora, OpenLDAP, RHEL.
Severity of this computer vulnerability: 1/4.
Creation date: 06/06/2012.
References for this announcement: 7285, 825875, BID-53823, CVE-2012-2668, FEDORA-2012-10000, FEDORA-2012-10023, HT210788, RHSA-2012:1151-01, VIGILANCE-VUL-11680.

Description of the vulnerability 

The OpenLDAP service can use SSL/TLS sessions, when it is compiled with a cryptographic library, such as NSS or GnuTLS.

The TLSCipherSuite configuration directive of OpenLDAP indicates the list of allowed encryption algorithms.

The tlsm_deferred_ctx_init() function in file libraries/libldap/tls_m.c calls tlsm_parse_ciphers() to apply the list of encryption algorithms to be negotiated by NSS. However, the return code of that function is checked with inverted logic, so the configured list is never applied and the NSS default algorithms remain enabled.

When OpenLDAP uses NSS to manage SSL/TLS sessions, the TLSCipherSuite configuration directive is therefore ignored, so an attacker can target a weak encryption algorithm that the administrator believed was disabled.
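The mechanism described above, as an added, constructed illustration that is not OpenLDAP's tls_m.c: a cipher-list parser whose success return code is read with inverted logic by its caller, so the default suite table (including a weak suite) stays in force. The suite names, the 0/-1 return convention and all function names are assumptions for this example.

```c
/* Added illustration, not OpenLDAP's tls_m.c: a constructed model of how an
 * inverted return-code check on a cipher-list parser leaves a library's
 * default suites (including a weak one) enabled. All names are assumptions. */
#include <stdio.h>
#include <string.h>

#define NSUITES 3
struct suite { const char *name; int weak; int enabled; };

/* Stand-in for the default-enabled suite table a TLS library ships with. */
static void default_suites(struct suite t[NSUITES]) {
    const struct suite d[NSUITES] = { { "AES256-SHA", 0, 1 }, { "AES128-SHA", 0, 1 },
                                      { "DES-CBC-SHA", 1, 1 } }; /* constructed: weak, on by default */
    memcpy(t, d, sizeof d);
}

/* Builds an enable mask from a colon-separated list (as TLSCipherSuite is).
 * Returns 0 on success, -1 if a name is unknown. Never touches the table. */
static int parse_ciphers(const struct suite t[NSUITES], const char *list,
                         int mask[NSUITES]) {
    char buf[128], *tok; int i, known;
    snprintf(buf, sizeof buf, "%s", list);
    memset(mask, 0, NSUITES * sizeof mask[0]);
    for (tok = strtok(buf, ":"); tok; tok = strtok(NULL, ":")) {
        for (known = 0, i = 0; i < NSUITES; i++)
            if (strcmp(t[i].name, tok) == 0) { mask[i] = 1; known = 1; }
        if (!known) return -1;
    }
    return 0;
}

/* With 'inverted' set, a successful parse (rc == 0) is read as "nothing to
 * apply", so the defaults stay in force and the configured list is ignored. */
static void ctx_init(struct suite t[NSUITES], const char *cfg, int inverted) {
    int mask[NSUITES], i, rc = parse_ciphers(t, cfg, mask);
    int apply = inverted ? (rc != 0) : (rc == 0);
    if (apply)
        for (i = 0; i < NSUITES; i++) t[i].enabled = mask[i];
}

/* Defender's check: does a weak suite remain negotiable? Returns 1 if so. */
static int weak_suite_enabled(const char *cfg, int inverted) {
    struct suite t[NSUITES]; int i;
    default_suites(t);
    ctx_init(t, cfg, inverted);
    for (i = 0; i < NSUITES; i++) if (t[i].weak && t[i].enabled) return 1;
    return 0;
}
```

With the inverted check, a strict list such as "AES256-SHA:AES128-SHA" leaves the weak suite enabled; with the correct check it is disabled, which is the behaviour the patch restores.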

This cybersecurity vulnerability impacts software or systems such as Mac OS X, Fedora, OpenLDAP, RHEL.

Our Vigil@nce team determined that the severity of this vulnerability is low.

The trust level is "confirmed by the editor" (the vendor), and the attack origin is an intranet client.

An attacker with expert ability can exploit this weakness.

Solutions for this threat 

OpenLDAP: patch for TLSCipherSuite.
A patch is available from the information sources referenced above.

Apple macOS: version 10.13.6-2019-007.
The version 10.13.6-2019-007 is fixed:
  https://support.apple.com/

Apple macOS: version 10.14.6-2019-002.
The version 10.14.6-2019-002 is fixed:
  https://support.apple.com/

Apple macOS: version 10.15.2.
The version 10.15.2 is fixed:
  https://support.apple.com/

Fedora: new openldap packages.
New packages are available:
  openldap-2.4.26-8.fc16
  openldap-2.4.31-3.fc17

RHEL 6.3: new openldap packages.
New packages are available:
  openldap-2.4.23-26.el6_3.2
