CVE-2012-2668 : libraries/libldap/tls_m.c in OpenLDAP, possibly 2.4.31 and earlier, when using t

libraries/libldap/tls_m.c in OpenLDAP, possibly 2.4.31 and earlier, when using the Mozilla NSS backend, always uses the default cipher suite even when TLSCipherSuite is set, which might cause OpenLDAP to use weaker ciphers than intended and make it easier for remote attackers to obtain sensitive information.

Published 2012-06-17 03:41:41

Updated 2023-02-13 04:33:40

Source Red Hat, Inc.

View at NVD, CVE.org

Vulnerability category: Information leak

Products affected by CVE-2012-2668

Openldap » Openldap
Versions up to, including, (<=) 2.4.31
cpe:2.3:a:openldap:openldap:*:*:*:*:*:*:*:*
Matching versions
Openldap » Openldap » Version: 2.4.10
cpe:2.3:a:openldap:openldap:2.4.10:*:*:*:*:*:*:*
Matching versions
Openldap » Openldap » Version: 2.4.22
cpe:2.3:a:openldap:openldap:2.4.22:*:*:*:*:*:*:*
Matching versions
Openldap » Openldap » Version: 2.4.6
cpe:2.3:a:openldap:openldap:2.4.6:*:*:*:*:*:*:*
Matching versions
Openldap » Openldap » Version: 2.4.14
cpe:2.3:a:openldap:openldap:2.4.14:*:*:*:*:*:*:*
Matching versions
Openldap » Openldap » Version: 2.4.15
cpe:2.3:a:openldap:openldap:2.4.15:*:*:*:*:*:*:*
Matching versions
Openldap » Openldap » Version: 2.4.16
cpe:2.3:a:openldap:openldap:2.4.16:*:*:*:*:*:*:*
Matching versions
Openldap » Openldap » Version: 2.4.12
cpe:2.3:a:openldap:openldap:2.4.12:*:*:*:*:*:*:*
Matching versions
Openldap » Openldap » Version: 2.4.13
cpe:2.3:a:openldap:openldap:2.4.13:*:*:*:*:*:*:*
Matching versions
Openldap » Openldap » Version: 2.4.21
cpe:2.3:a:openldap:openldap:2.4.21:*:*:*:*:*:*:*
Matching versions
Openldap » Openldap » Version: 2.4.23
cpe:2.3:a:openldap:openldap:2.4.23:*:*:*:*:*:*:*
Matching versions
Openldap » Openldap » Version: 2.4.7
cpe:2.3:a:openldap:openldap:2.4.7:*:*:*:*:*:*:*
Matching versions
Openldap » Openldap » Version: 2.4.8
cpe:2.3:a:openldap:openldap:2.4.8:*:*:*:*:*:*:*
Matching versions
Openldap » Openldap » Version: 2.4.17
cpe:2.3:a:openldap:openldap:2.4.17:*:*:*:*:*:*:*
Matching versions
Openldap » Openldap » Version: 2.4.18
cpe:2.3:a:openldap:openldap:2.4.18:*:*:*:*:*:*:*
Matching versions
Openldap » Openldap » Version: 2.4.9
cpe:2.3:a:openldap:openldap:2.4.9:*:*:*:*:*:*:*
Matching versions
Openldap » Openldap » Version: 2.4.11
cpe:2.3:a:openldap:openldap:2.4.11:*:*:*:*:*:*:*
Matching versions
Openldap » Openldap » Version: 2.4.19
cpe:2.3:a:openldap:openldap:2.4.19:*:*:*:*:*:*:*
Matching versions
Openldap » Openldap » Version: 2.4.20
cpe:2.3:a:openldap:openldap:2.4.20:*:*:*:*:*:*:*
Matching versions
Openldap » Openldap » Version: 2.4.25
cpe:2.3:a:openldap:openldap:2.4.25:*:*:*:*:*:*:*
Matching versions
Openldap » Openldap » Version: 2.4.24
cpe:2.3:a:openldap:openldap:2.4.24:*:*:*:*:*:*:*
Matching versions
Openldap » Openldap » Version: 2.4.26
cpe:2.3:a:openldap:openldap:2.4.26:*:*:*:*:*:*:*
Matching versions
Openldap » Openldap » Version: 2.4.28
cpe:2.3:a:openldap:openldap:2.4.28:*:*:*:*:*:*:*
Matching versions
Openldap » Openldap » Version: 2.4.27
cpe:2.3:a:openldap:openldap:2.4.27:*:*:*:*:*:*:*
Matching versions
Openldap » Openldap » Version: 2.4.30
cpe:2.3:a:openldap:openldap:2.4.30:*:*:*:*:*:*:*
Matching versions
Openldap » Openldap » Version: 2.4.29
cpe:2.3:a:openldap:openldap:2.4.29:*:*:*:*:*:*:*
Matching versions

Threat overview for CVE-2012-2668

Top countries where our scanners detected CVE-2012-2668

Top open port discovered on systems with this issue 389

IPs affected by CVE-2012-2668 838

Threat actors abusing to this issue? Yes

Find out if you^* are affected by CVE-2012-2668!

^*Directly or indirectly through your vendors, service providers and 3rd parties. Powered by attack surface intelligence from SecurityScorecard.

Exploit prediction scoring system (EPSS) score for CVE-2012-2668

EPSS FAQ

0.67%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 77 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2012-2668

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
4.3	MEDIUM	AV:N/AC:M/Au:N/C:P/I:N/A:N	8.6	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None

CWE ids for CVE-2012-2668

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2012-2668

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=676309

#676309 - openldap: CVE-2012-2668 does not honor TLSCipherSuite settings - Debian Bug report logs
https://seclists.org/bugtraq/2019/Dec/23

Bugtraq: APPLE-SA-2019-12-10-3 macOS Catalina 10.15.2, Security Update 2019-002 Mojave, Security Update 2019-007 High Sierra

CVEs referencing this url
http://seclists.org/fulldisclosure/2019/Dec/26

Full Disclosure: APPLE-SA-2019-12-10-3 macOS Catalina 10.15.2, Security Update 2019-002 Mojave, Security Update 2019-007 High Sierra

CVEs referencing this url
http://security.gentoo.org/glsa/glsa-201406-36.xml

OpenLDAP: Multiple vulnerabilities (GLSA 201406-36) — Gentoo security

CVEs referencing this url
http://www.openldap.org/devel/gitweb.cgi?p=openldap.git%3Ba=commitdiff%3Bh=2c2bb2e

Projects · Explore · GitLab
https://exchange.xforce.ibmcloud.com/vulnerabilities/76099

OpenLDAP NSS weak security CVE-2012-2668 Vulnerability Report
http://www.openwall.com/lists/oss-security/2012/06/06/2

oss-security - Re: CVE request: openldap does not honor TLSCipherSuite configuration option
http://rhn.redhat.com/errata/RHSA-2012-1151.html

RHSA-2012:1151 - Security Advisory - Red Hat Customer Portal
https://support.apple.com/kb/HT210788

About the security content of macOS Catalina 10.15.2, Security Update 2019-002 Mojave, Security Update 2019-007 High Sierra - Apple Support

CVEs referencing this url
http://www.securityfocus.com/bid/53823

OpenLDAP Weak Cipher Encryption Security Weakness
https://bugzilla.redhat.com/show_bug.cgi?id=825875

825875 – (CVE-2012-2668) CVE-2012-2668 openldap: does not honor TLSCipherSuite settings
http://www.openwall.com/lists/oss-security/2012/06/05/4

oss-security - CVE request: openldap does not honor TLSCipherSuite configuration option
http://www.securitytracker.com/id?1027127

OpenLDAP May Ignore TLSCipherSuite Setting in Some Cases - SecurityTracker
http://www.openldap.org/its/index.cgi?findid=7285

OpenLDAP ITS - Message 7285
http://www.openwall.com/lists/oss-security/2012/06/06/1

oss-security - Re: CVE request: openldap does not honor TLSCipherSuite configuration option