Reported July 24, 2002, by Microsoft.

VERSION AFFECTED

  • Microsoft Metadirectory Services (MMS) 2.2

DESCRIPTION

A flaw exists that could enable an unprivileged user to access and manipulate data within MMS that should, by design, be accessible only to MMS administrators. Specifically, an unprivileged user could connect to the MMS data repository with a Lightweight Directory Access Protocol (LDAP) client in a way that bypasses certain security checks. As a result, an attacker could modify data within the MMS data repository, either to change the MMS configuration or to replicate bogus data to the other data repositories.

VENDOR RESPONSE

The vendor, Microsoft, has released Security Bulletin MS02-036 (Authentication Flaw in Microsoft Metadirectory Services Could Allow Privilege Elevation) to address this vulnerability and recommends that affected users download and apply the Service Pack mentioned in the security bulletin.

CREDIT

Discovered by Dan Pascal Huijbers and Thomas de Klerk of Info Support.