Peter Winter-Smith of NGSSoftware has discovered a high risk vulnerability
in Red Hat Directory Server and Red Hat Certificate Server. It is possible
that under certain circumstances these flaws could permit an unauthenticated
attacker to remotely compromise the Directory or Certificate server, in
other circumstances this flaw could facilitate local privilege escalation to
root.

Affected versions include:

Netscape Directory Server
Red Hat Directory Server (prior to 7.1 SP1)
Red Hat Certificate Server (prior to 7.1 SP1)

These issues have been resolved in the latest patch releases for Red Hat
Directory Server 7.1 (SP1) and for Red Hat Certificate Server 7.1 (SP1),
which may be downloaded from the Red Hat Network. Release notes may be
obtained at the following address:

https://www.redhat.com/docs/manuals/dir-server/release-
notes/ds71sp1relnotes.html

Red Hat have included a vendor statement which may be viewed below:

- ----------

Vendor statement: Red Hat, Inc:

This issue affected Red Hat Directory Server 7.1, Red Hat Certificate
System 7.1, and earlier Netscape releases of these products.

The flaw is a stack buffer overflow related to the Help buttons available
in the Admin pages of the Management Console.  A remote attacker who is
able to connect to the Management Console could send a carefully crafted
request to trigger this flaw.  Note that in general, access to the
Management Console would usually be prevented by firewall configuration.

Due to the nature of the affected code, this flaw is not able to lead to
remote arbitrary code execution on Unix platforms.  However, the flaw
could be used by a local attacker to gain elevated (root) privileges.

* Red Hat Directory Server 7.1 SP1, available via the Red Hat Network,
contains a patch to correct this issue.
https://www.redhat.com/docs/manuals/dir-server/release-
notes/ds71sp1relnotes.html

* Red Hat Certificate Server 7.1 SP1 will be available in early 2006 which
contains a patch to correct this issue.  Until the update is available,
users can mitigate this issue by removing the help.cgi binary.

* This flaw did not affect Fedora Directory Server.

http://www.redhat.com/security/team/contact/

- -----------

NGSSoftware are going to withhold details of this flaw for three months.
Full details will be published on the 05th January 2006. This three month
window will allow users of Sun Directory Server the time needed to apply the
patch before the details are released to the general public. This reflects
NGSSoftware's approach to responsible disclosure.

NGSSoftware Insight Security Research
http://www.ngssoftware.com
http://www.databasesecurity.com/
http://www.nextgenss.com/
+44(0)208 401 0070