Authentication Vulnerability in Microsoft Metadirectory Services 2.2

A flaw exists that could enable an unprivileged user to access and manipulate data within MMS that should, by design, be accessible only to MMS administrators.

Ken Pfeil

July 25, 2002


Reported July 24, 2002, by Microsoft.

VERSION AFFECTED

  • Microsoft Metadirectory Services (MMS) 2.2

DESCRIPTION

A flaw exists that could enable an unprivileged user to access and manipulate data within MMS that should, by design, be accessible only to MMS administrators. Specifically, an unprivileged user could connect to the MMS data repository by using a Lightweight Directory Access Protocol (LDAP) client in such a way as to bypass certain security checks. As a result, an attacker could modify data within the MMS data repository, for the purpose of either changing the MMS configuration or replicating bogus data to the other data repositories.

VENDOR RESPONSE

The vendor, Microsoft, has released Security Bulletin MS02-036 (Authentication Flaw in Microsoft Metadirectory Services Could Allow Privilege Elevation) to address this vulnerability and recommends that affected users download and apply the Service Pack mentioned in the security bulletin.

CREDIT

Discovered by Dan Pascal Huijbers and Thomas de Klerk of InfoSupport
