Vulnerability: Shiva Access Manager

Affected: Shiva Access Manager 5.0.0

Description

Blaise St. Laurent found the following. While testing Intel's Shiva Access Manager RADIUS/TACACS+ product, he recently came across an important security hole in the LDAP connectivity of the Solaris version of this product. When you configure the S.A.M. to store all of its information in an LDAP directory, it asks you for the root DN's name and password, which it then stores in plaintext in the file $SHIVA_HOME_DIR/insnmgmt/shiva_access_manager/radtac.ini along with the rest of the configuration (including the LDAP server and port). That file is owned by root and is world-readable by default. Obtaining this information constitutes a total breach of your LDAP server.

Solution

That being said, there is a possible workaround. Have SAM use a non-root DN account on the LDAP server that has just enough permissions to modify the fields within the directory that it needs. You can foresee an account that can only change the Shiva extensible objects within the user profile. This limits the amount of damage that may be done, but does not alleviate the problem of having someone with unauthorized write privileges in your directory.
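The following is an added example, not part of the advisory and not code from Intel or Shiva: a small POSIX sh audit an administrator could run to detect the condition the advisory describes (a world-readable configuration file that stores a bind password in plaintext) and to tighten the file's mode so only root can read it. The radtac.ini path is the one named above; the default value of SHIVA_HOME_DIR and the credential key names matched by the grep are assumptions, since the advisory gives neither.

```shell
#!/bin/sh
# Added example (not from the advisory): audit and tighten the permissions of a
# configuration file that stores LDAP bind credentials in plaintext.
# The radtac.ini path is the one the advisory names; the default for
# SHIVA_HOME_DIR is an assumption used only for illustration.
SHIVA_HOME_DIR="${SHIVA_HOME_DIR:-/opt/shiva}"
RADTAC_INI="$SHIVA_HOME_DIR/insnmgmt/shiva_access_manager/radtac.ini"

# world_readable FILE: succeed (0) when "other" has read access.
# Parses "ls -ld" output so it works on Solaris /bin/sh as well as Linux,
# where stat(1) syntax differs. A missing file is reported as not readable.
world_readable() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    case "$mode" in
        ???????r??) return 0 ;;
        *)          return 1 ;;
    esac
}

# has_plaintext_secret FILE: succeed when a non-comment line looks like a
# stored credential. The key names are a heuristic (assumption): the advisory
# says the root DN password is stored in plaintext but does not name the key.
has_plaintext_secret() {
    grep -iqE '^[^#;]*(password|passwd|bindpw)[[:space:]]*=' "$1" 2>/dev/null
}

# harden_secret_file FILE: drop group/other access so only the owner
# (root, per the advisory) can read the stored credentials, then verify.
harden_secret_file() {
    chmod 600 "$1" && ! world_readable "$1"
}

# audit_secret_file FILE: return 1 with a finding when the file is both
# world-readable and contains a credential-looking line; 0 otherwise.
# A missing file is skipped rather than treated as a finding.
audit_secret_file() {
    f=$1
    [ -f "$f" ] || { echo "SKIP: $f not found"; return 0; }
    if world_readable "$f" && has_plaintext_secret "$f"; then
        echo "FINDING: $f is world-readable and stores a credential in plaintext"
        return 1
    fi
    echo "OK: $f"
    return 0
}

# Usage: sh audit_radtac.sh --audit   (checks the real radtac.ini path)
#        sh audit_radtac.sh --fix     (audits, then chmod 600 on a finding)
if [ "${1:-}" = "--audit" ]; then
    audit_secret_file "$RADTAC_INI"
elif [ "${1:-}" = "--fix" ]; then
    audit_secret_file "$RADTAC_INI" || harden_secret_file "$RADTAC_INI"
fi
```

Tightening the mode only closes the read path; it does not change the fact that the stored credential is the directory's root DN, which is why the advisory's workaround of binding with a least-privilege DN still matters even after the file is no longer world-readable.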