Tivoli Directory Server vulnerable to LDAP error that could allow for local denial-of-service attacks.

IBM said it is working on developing and distributing fixes to a vulnerability detected in IBM Tivoli Directory Server 6.x that could leave the software exposed to denial-of-service attacks.

According to IBM, Tivoli Directory Server 6.x provides an LDAP identity infrastructure that can serve as the foundation for deploying identity management applications and Web services. The flaw, detected earlier this week, was deemed less critical by Secunia Research, which reported the vulnerability in a security advisory. The vulnerability has been discovered in Version 6 of the software and the Web site indicates other versions could be affected.

According to the Secunia security advisory, the vulnerability is caused by an error within the LDAP server when handling certain requests, and “this can be exploited to crash the server via specially-crafted request sent to port 389/tcp.” The error lets someone on the local network crash the server in a denial-of-service attack, but security experts say the threat is minimal considering the nature of the flaw.

“This flaw is not as critical as some because it can only be exploited on the local network and even if it is compromised, the error would only be able to crash the server, not expose the data or put information at risk,” says Steve Manzuik, security product manager with eEye Research. “Basically, someone on the local network could crash the machine running the software. It doesn’t allow for any kind of actual access to the machine or to the data.”

Until IBM readies patches, the Secunia Web site suggests that Tivoli Directory Server administrators restrict access to the LDAP service in the software and on the server.
Because the flaw can only be exploited on the local network, Manzuik says the threat becomes even less critical, but still should be addressed.

“It’s definitely something you should patch, but not something to patch out of your normal patch process,” he explains. “IBM is fairly responsive to flaws. Patching this for customers just depends on how quickly IBM can get the patch out.”

Big Blue, which last year addressed a similar flaw with the directory software, reported it is working to develop and deliver fixes to the problem across the platforms it affects throughout February.

An IBM spokeswoman says IBM is working to address the issue and is completing the fix. Not all platforms are affected; AIX, for example, is not. Fixes are estimated to be complete in February and available to customers and business partners. IBM will document the issue and post it to external Web sites, and will send customers and business partners notifications with more details about the issue and where to obtain the fix, she says.

There will also be ‘limited availability’ fixes available through product support. IBM says Tivoli Directory Server customers can get more information and suggested fixes here.