CVE-2006-5170 — HIGH (7.5) — White Hats Nepal

Q: How severe is CVE-2006-5170?

CVE-2006-5170 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2006-5170?

Check the references section above for vendor advisories and patch information. Affected products include: Fedoraproject Fedora Core, Redhat Enterprise Linux, Redhat Enterprise Linux Desktop, Redhat Enterprise Linux For Ibm Z Systems, Redhat Enterprise Linux For Power Big Endian.

Vulnerability Description

pam_ldap in nss_ldap on Red Hat Enterprise Linux 4, Fedora Core 3 and earlier, and possibly other distributions does not return an error condition when an LDAP directory server responds with a PasswordPolicyResponse control response, which causes the pam_authenticate function to return a success code even if authentication has failed, as originally reported for xscreensaver.

CVSS Score

7.5

HIGH

AV:N/AC:L/Au:N/C:P/I:P/A:P

Confidentiality

PARTIAL

Integrity

PARTIAL

Availability

PARTIAL

Affected Products

Vendor	Product	Versions
Fedoraproject	Fedora Core	<= core_3.0
Redhat	Enterprise Linux	4.0
Redhat	Enterprise Linux Desktop	4.0
Redhat	Enterprise Linux For Ibm Z Systems	4.0_s390
Redhat	Enterprise Linux For Power Big Endian	4.0
Redhat	Enterprise Linux Server	4.0
Redhat	Enterprise Linux Workstation	4.0
Debian	Debian Linux	3.1

Related Weaknesses (CWE)

CWE-755

References

http://bugzilla.padl.com/show_bug.cgi?id=291Broken LinkIssue TrackingVendor Advisory
http://rhn.redhat.com/errata/RHSA-2006-0719.htmlVendor Advisory
http://secunia.com/advisories/22682Third Party Advisory
http://secunia.com/advisories/22685Third Party Advisory
http://secunia.com/advisories/22694Third Party Advisory
http://secunia.com/advisories/22696Third Party Advisory
http://secunia.com/advisories/22869Third Party Advisory
http://secunia.com/advisories/23132Third Party Advisory
http://secunia.com/advisories/23428Third Party Advisory
http://security.gentoo.org/glsa/glsa-200612-19.xmlVendor Advisory
http://securitytracker.com/id?1017153Third Party AdvisoryVDB Entry
http://www.debian.org/security/2006/dsa-1203Issue TrackingPatchVendor Advisory
http://www.mandriva.com/security/advisories?name=MDKSA-2006:201Third Party Advisory
http://www.novell.com/linux/security/advisories/2006_27_sr.htmlBroken LinkVendor Advisory
http://www.securityfocus.com/archive/1/447859/100/200/threadedThird Party AdvisoryVDB Entry

FAQ

What is CVE-2006-5170?

CVE-2006-5170 is a vulnerability with a CVSS score of 7.5 (HIGH). pam_ldap in nss_ldap on Red Hat Enterprise Linux 4, Fedora Core 3 and earlier, and possibly other distributions does not return an error condition when an LDAP directory server responds with a Passwor...

How severe is CVE-2006-5170?

CVE-2006-5170 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2006-5170?

Check the references section above for vendor advisories and patch information. Affected products include: Fedoraproject Fedora Core, Redhat Enterprise Linux, Redhat Enterprise Linux Desktop, Redhat Enterprise Linux For Ibm Z Systems, Redhat Enterprise Linux For Power Big Endian.