Skip to main content

[CVE-2014-7807] Apache CloudStack unauthenticated LDAP binds

CVE-2014-7807: Apache CloudStack unauthenticated LDAP binds

7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P

The Apache Software Foundation
Citrix, Inc.

Versions Afffected:
Apache CloudStack 4.3, 4.4

Apache CloudStack may be configured to authenticate LDAP users. When so configured, it performs a simple LDAP bind with the name and password provided by a user. Simple LDAP binds are defined with three mechanisms (RFC 4513): 1) username and password; 2) unauthenticated if only a username is specified; and 3) anonymous if neither username or password is specified. Currently, Apache CloudStack does not check if the password was provided which could allow an attacker to bind as an unauthenticated user.

Users of Apache CloudStack 4.4 and derivatives should update to the latest version (4.4.2)

An updated release for Apache CloudStack 4.3.2 is in testing. Until that is released, we recommend following the mitigation below:

By default, many LDAP servers are not configured to allow unauthenticated binds. If the LDAP server in use allow this behaviour, a potential interim solution would be to consider disabling unauthenticated binds.

This issue was identified by the Citrix Security Team.