Vulnerability Key Information

CVE ID: CVE-2005-3269
CVSS Score: 7.5/10
Risk Level: High

Impact Scope:
- Local Impact: Yes
- Remote Impact: Yes
- Exploitability Subscore: 10/10
- Attack Complexity: Low
- Authentication Required: None
- Confidentiality Impact: Partial
- Integrity Impact: Partial
- Availability Impact: Partial
- CWE ID: N/A

Discoverer: Peter Winter-Smith of NGSSoftware

Vulnerability Description:
A high-risk vulnerability exists in Red Hat Directory Server and Red Hat Certificate Server. Under certain conditions, attackers may remotely compromise the Directory or Certificate server, or, in other scenarios, escalate local privileges to the root user.

Affected Versions:
- Netscape Directory Server
- Red Hat Directory Server (versions prior to 7.1 SP1)
- Red Hat Certificate Server (versions prior to 7.1 SP1)

Patches and Fixes:
- This issue was resolved in Red Hat Directory Server 7.1 SP1 and Red Hat Certificate Server 7.1 SP1. The patches are available for download via Red Hat Network. For release notes, please visit the provided link.
- Red Hat has issued a vendor statement regarding this vulnerability. Details can be found on the specified page.

Exploitation Scenario:
This vulnerability is a stack buffer overflow in the Help button handling of the Management Console. Remote attackers can trigger it by sending specially crafted requests. Typically, access to the Management Console is blocked by firewall configurations. On Unix systems, while this vulnerability does not lead to remote arbitrary code execution, it can be exploited to escalate privileges to root locally.

Remediation and Mitigation Measures:
- The vulnerability can be patched via Red Hat Network with Red Hat Directory Server 7.1 SP1. A patch for Red Hat Certificate Server 7.1 SP1 will be available in early 2006. As a temporary mitigation, the affected binary can be removed.

Other Notes:
- This vulnerability does not affect Fedora Directory Server.
- NGSSoftware will publicly disclose detailed information about the vulnerability after January 5, 2006, to allow sufficient time for Sun Directory Server users to apply the necessary fixes.