=============================================================================
                      Sendmail-SA-200607-01          Security Advisory
                                                     Sendmail, Inc.

Topic:          LDAP Empty Password Authentication

Class:          Privilege escalation
Severity:       Critical

Announced:      2006-07-24 09:00 PDT
Affects:        ECOSys Directory 3.x
                Mailcenter Quarantine 3.0
                Mailstream Commander 3.2
                Mailstream Gatekeeper 2.3
                Mailstream Governor 2.3
                Mailstream Guardian 3.2
                Mailstream Redundant/Null Switch/MTA 3.2
                Mailstream Switch/MTA 3.2
                Sendmail Advanced Message Server 2.2
                Sendmail Directory Services 3.x
                Sendmail Intelligent Inbox 2.3
                Sendmail Intelligent Quarantine 3.0
                Sendmail Mailcenter Organizer 2.5
                Sendmail Message Store for OEM 1.1
                Sentrion GP/GPX 1.5.3 and earlier
                Sentrion Gatekeeper 1.5.3 and earlier
                Sentrion Guardian 1.5.3 and earlier
                Sendmail Anti-Spam Solution 3.0
Resolved:       authd 2.0.3

For general information regarding Sendmail, Inc. Security Advisories,
including descriptions of the fields above, other security advisories,
and the following sections, please visit .

I.   Background

Sendmail products that provide for end-user authentication using LDAP,
e.g., Sendmail Switch's SMTP Authentication and SAMS' IMAP and POP
authentication, use the authentication daemon, authd. The authd daemon
verifies that the user has provided the proper password by performing
an LDAP bind operation and using the success of that operation as the
result.

II.  Problem Description

Certain LDAP servers have the ability to provide "unauthenticated"
access by performing an LDAP bind operation using a username and an
empty password. Note that this unauthenticated bind is different from
anonymous binding, in which no user information is sent.
Unauthenticated binds allow any username to successfully authenticate
using a null password, even if that username has a password assigned.

Sendmail Messaging Directory and OpenLDAP can also be configured to
enable unauthenticated binds, but this is disabled by default.
Novell eDirectory Server 8.7.3.5, Microsoft Windows 2003 Active
Directory, and Sun ONE Directory Server 5.2 have this functionality
enabled by default. LDAP servers distributed by other vendors may also
enable this in the default configuration.

III. Impact

Since authd uses the success of the LDAP bind as the result of an
authentication attempt, users are able to log in to any existing
account using an empty password when authd talks to an LDAP server
which is configured to allow unauthenticated binds.

IV.  Workaround

Disabling unauthenticated bind operations in the LDAP server fixes the
issue, if the server has the option to do so. For example, for Sendmail
Messaging Directory and OpenLDAP servers, remove "allow bind_anon_dn"
from the slapd.conf configuration file (note that this option is not in
the default slapd.conf). Links to instructions for some LDAP servers
are found in the References section below. For other LDAP servers,
check the documentation or contact the vendor.

Sentrion customers can work around this problem by simply using the
LDAP proxy cache functionality included with Sentrion 1.5.

V.   Solution

Sendmail, Inc. has proactively released a patch for authd. The patch
turns off the ability to authenticate using an empty password. In this
way, attackers cannot take advantage of unauthenticated binds.

Sentrion customers can employ the workaround listed above to solve this
issue. A patch to fix the issue will be released shortly.

The authd patch is available to supported customers on their download
site at:

    https://www.sendmail.com/customerlogin/

Unsupported customers can download the patches from:

    ftp://ftp.sendmail.com/unsupported/authd-patch-2.0.3-Linux.tar.gz
    ftp://ftp.sendmail.com/unsupported/authd-patch-2.0.3-SunOS.tar.Z

Refer to the README included with each patch for installation
instructions.
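The following is an added example, not Sendmail's authd code, that models the logic described in sections II, III and V: an LDAP simple bind against a server that honours unauthenticated binds, the pre-patch "bind success equals authentication" check, and the patched check that refuses an empty password before any bind is attempted. The directory contents and DNs are constructed sample data.

```python
# Added example: a model of the authd behaviour this advisory describes,
# not the real authd or any real LDAP client library.

# Constructed sample directory: DN -> password (hypothetical entries).
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": "correct horse battery staple",
    "uid=bob,ou=people,dc=example,dc=com": "hunter2",
}


def simple_bind(dn, password, allow_unauthenticated):
    """Model of an LDAP simple bind; returns True on bind success.

    With allow_unauthenticated=True the server accepts any existing DN
    with an empty password even though the entry has a password set,
    which is the server behaviour described in section II.  This is
    distinct from an anonymous bind, where no DN is sent at all.
    """
    if dn not in DIRECTORY:
        return False
    if password == "":
        return allow_unauthenticated
    return DIRECTORY[dn] == password


def authenticate_vulnerable(dn, password, allow_unauthenticated=True):
    """Pre-patch logic (section III): bind success is the auth result."""
    return simple_bind(dn, password, allow_unauthenticated)


def authenticate_fixed(dn, password, allow_unauthenticated=True):
    """Patched logic (section V): an empty password is rejected locally
    and never reaches the server, so its bind policy no longer matters."""
    if not password:
        return False
    return simple_bind(dn, password, allow_unauthenticated)


def server_side_workaround(dn, password):
    """Section IV workaround: the server itself disables unauthenticated
    binds, so even the unpatched client logic is safe against it."""
    return authenticate_vulnerable(dn, password, allow_unauthenticated=False)
```

The vulnerable path only fails closed when either the client refuses empty passwords or the server refuses unauthenticated binds; applying both is the defence-in-depth position.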
The available patches are:

    MD5 (authd-patch-2.0.3-Linux.tar.gz) = a4e239bcf2e8099e2246deb25059738e
    MD5 (authd-patch-2.0.3-SunOS.tar.Z)  = 2f14bf975edbba165212b9bd08ee51c5

VI.  References

OpenLDAP Security Considerations
--------------------------------
http://www.openldap.org/doc/admin23/security.html

Novell eDirectory ldapBindRestrictions
--------------------------------------
http://www.novell.com/documentation/edir88/index.html?page=/documentation/edir88/edir88/data/agq8auc.html#agq8auc