OpenLDAP security problem
An indicated vulnerability by IDS must be followed up by a verification, and if you cannot find the vulnerable software on any of the devices involved in the alarm, then the indication is a false positive! If neither OpenLDAP nor any OpenLDAP clone is there, then this should be just fine; if in doubt, contact the vendor for verification of vendor-specific software that might be related to OpenLDAP.
/Hasain
January 19th, 2012 6:41pm

We have ESX 4.0 hosts for our VMware infrastructure, and we also have numerous Red Hat servers throughout the company. However, the CVE-2010-0211 seems to indicate that the problem STARTS with the OpenLDAP software, unless I'm reading it incorrectly. Let me know if the following is true or not:
1. Server X does not have OpenLDAP installed on it. This means that server X is not vulnerable. This also means that ESX server Y is also not vulnerable to this threat? (Assuming that ESX server Y does not have OpenLDAP installed either, of course.) Am I wrong in this assumption?
2. A Domain Controller is not vulnerable, even if another domain-joined computer has OpenLDAP running, because the problem only occurs if the server (DC in this case) is running OpenLDAP itself.
Thanks for any further information.
February 4th, 2012 10:18am

I have been contacted by my company's security team with reference to a potential vulnerability they found, but it doesn't make any sense to me. The vulnerability is referenced by: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0211
We do not have OpenLDAP running on our DCs, as we use the built-in LDAP contained within AD. We don't have it installed on the DCs at all. Our IDS is detecting that traffic is being generated to one of my DCs that meets the "OpenLDAP Modrdn RDN UTF-8 String Code Execution" parameters. How could this be when we don't have the software installed?
February 4th, 2012 1:37pm

Hello, this belongs more to the Security forum than Directory Services: http://social.technet.microsoft.com/Forums/en/winserversecurity/threads
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
February 4th, 2012 2:15pm

Hello, I would recommend contacting your IDS developer Technical Support for assistance. Maybe this is a false positive warning and in this case you can ignore it.
This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
Microsoft Student Partner 2010 / 2011
Microsoft Certified Professional
Microsoft Certified Systems Administrator: Security
Microsoft Certified Systems Engineer: Security
Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
Microsoft Certified Technology Specialist: Windows 7, Configuring
Microsoft Certified Technology Specialist: Designing and Providing Volume Licensing Solutions to Large Organizations
Microsoft Certified IT Professional: Enterprise Administrator
Microsoft Certified IT Professional: Server Administrator
Microsoft Certified Trainer
February 4th, 2012 2:24pm

Thank you for pointing me to the correct forum. I have asked the question there. It certainly appears to be a false positive, but I would like to make sure and also understand how such a false positive could have been generated in the first place.
February 4th, 2012 3:20pm

This is a typical false positive; the IDS is simply detecting that UTF-8 is used, and an alarm is generated.
/Hasain
February 4th, 2012 3:52pm
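
To verify what a flagged packet actually carried, the payload can be decoded as an LDAP ModifyDNRequest (RFC 4511) and its newrdn field inspected. The following is an added example, not part of the original thread or of any IDS product; the function names and the sample bytes are constructed for illustration.

```python
MODIFY_DN_TAG = 0x6C  # ModifyDNRequest: [APPLICATION 12], constructed (RFC 4511)

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits = number of length octets
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported BER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

def classify_rdn(raw):
    """Label RDN bytes as ascii, utf8-non-ascii, or invalid-utf8."""
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return {"newrdn": raw.hex(), "encoding": "invalid-utf8"}
    return {"newrdn": text, "encoding": "ascii" if raw.isascii() else "utf8-non-ascii"}

def triage_modrdn(payload):
    """Return None unless payload is a ModifyDNRequest; else summarise it."""
    tag, msg, _ = read_tlv(payload, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, _msg_id, pos = read_tlv(msg, 0)   # messageID INTEGER
    op_tag, op, _ = read_tlv(msg, pos)   # protocolOp
    if op_tag != MODIFY_DN_TAG:
        return None
    _, entry, pos = read_tlv(op, 0)      # entry LDAPDN
    _, newrdn, _ = read_tlv(op, pos)     # newrdn RelativeLDAPDN
    return {"entry": entry.decode("utf-8", "replace"), **classify_rdn(newrdn)}

def tlv(tag, value):
    """Build a short-form BER element; used only for the constructed sample."""
    assert len(value) < 128
    return bytes([tag, len(value)]) + value

# Constructed sample (not captured traffic): an ordinary rename whose new RDN
# contains an accented character, i.e. legitimate non-ASCII UTF-8.
SAMPLE = tlv(0x30, tlv(0x02, b"\x02") + tlv(MODIFY_DN_TAG,
    tlv(0x04, b"cn=Jose,ou=People,dc=example,dc=com")
    + tlv(0x04, "cn=Jos\u00e9".encode("utf-8")) + tlv(0x01, b"\xff")))

if __name__ == "__main__":
    print(triage_modrdn(SAMPLE))
```

A result of `ascii` or `utf8-non-ascii` on a host with no OpenLDAP installed supports closing the alert as a false positive after the software check described in the thread.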

Hi, it might be a false alarm. This vulnerability (CVE-2010-0211) is especially for ESX 4.0 and above, Red Hat servers and RHEL Desktop Workstation 5. Please also check whether you have any hosted products (VMware Workstation, Player, ACE, Fusion) running in your Windows environment. I would recommend you ask your Sec Team to do a VA on your DC and web server to check for any issues.
Gopi Kiran
This posting is provided AS IS with no warranties, and confers no rights.
February 4th, 2012 4:02pm

Agree with Hasain. Also, please check the thread that you posted in: http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/639af8c9-e16b-4f95-90d4-7ebf7b8909ca
Gopi Kiran
This posting is provided AS IS with no warranties, and confers no rights.
February 4th, 2012 4:08pm

This topic is archived. No further replies will be accepted.
