Vulnerability Description
NixOS 17.03 and earlier has an unintended default absence of SSL Certificate Validation for LDAP. The users.ldap NixOS module implements user authentication against LDAP servers via a PAM module. It was found that if TLS is enabled to connect to the LDAP server with users.ldap.useTLS, peer verification will be unconditionally disabled in /etc/ldap.conf.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Nixos Project | Nixos | <= 17.03 |
Related Weaknesses (CWE)
References
- http://openwall.com/lists/oss-security/2017/07/20/1Mailing ListMitigationPatch
- https://github.com/NixOS/nixpkgs/issues/27506Issue TrackingThird Party Advisory
- https://groups.google.com/forum/#%21topic/nix-security-announce/qrDU0KH_ZRk
- http://openwall.com/lists/oss-security/2017/07/20/1Mailing ListMitigationPatch
- https://github.com/NixOS/nixpkgs/issues/27506Issue TrackingThird Party Advisory
- https://groups.google.com/forum/#%21topic/nix-security-announce/qrDU0KH_ZRk
FAQ
What is CVE-2017-11501?
CVE-2017-11501 is a vulnerability with a CVSS score of 5.9 (MEDIUM). NixOS 17.03 and earlier has an unintended default absence of SSL Certificate Validation for LDAP. The users.ldap NixOS module implements user authentication against LDAP servers via a PAM module. It w...
How severe is CVE-2017-11501?
CVE-2017-11501 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2017-11501?
Check the references section above for vendor advisories and patch information. Affected products include: Nixos Project Nixos.