
Vulnerability Report - Flaws in NTSI LDAP Authentication

 
Unisys ID: UIS-2021-6
Status: Published
CVE-ID: CVE-2021-43394
Affected Product: Messaging Integration Services (NTSI)
Affected Version: 7R3B IC3, 7R3B IC4, 7R3C, 7R3D
Impact: CRITICAL
CVSS v3.1 Base Score: 9.8
CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v2.0 Base Score: 7.5
CVSS v2.0 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Common Weakness Enumeration (CWE): CWE-303
Common Platform Enumeration (CPE): cpe:2.3:a:unisys:messaging_integration_services_:*:*:*:*:*:*:*:*
Source: Client Reported
Keyword(s): LDAP,NTSI,OS 2200,Authentication,ASIS,AM12
Vulnerability Description:
LDAP authentication as provided by OS 2200 Messaging Integration Services (NTSI) does not properly validate the user-supplied password.
System Configuration:
An OS 2200 Server configured for LDAP authentication through Messaging Integration Services (NTSI).
Impact of Exploiting Vulnerability:
A person attempting to sign on can gain access when they should not.
Remediation Description:
Upgrade to the appropriate IC: 7R3B IC5, 7R3C IC1, or 7R3D IC1
Workaround Information:
Disable LDAP authentication as provided by Messaging Integration Services (NTSI) and utilize an alternate method of authentication.
References:
PLE 19319989
Additional Vendor Comment:

Disclaimer:

Unisys Corporation provides the information in this Security Vulnerability Report “AS IS.” No warranties of any nature are extended by or for the information. Unisys disclaims any financial or other responsibility that may result from your use of the information, including direct, indirect, special, or consequential damages.


Paper copies are not controlled and may be out of date; reference the Product Support Web site for current data.