[Fedora-directory-users] TLS authentication

Mike Jackson mj at sci.fi
Tue Aug 8 19:47:13 UTC 2006 

Adams Samuel D Contr AFRL/HEDR wrote:

  > I also have two medium vulnerabilities the keep popping up with ISS that
> I need to resolve but can't seem to find the proper configuration in the
> admin console. 
> 
> " LDAP NullBind: LDAP anonymous access to directory
> 
> The NULL bind entry allows a user to access the Lightweight Directory
> Access Protocol (LDAP) directory anonymously. An attacker could take
> advantage of the NULL bind entry to anonymously view files on the LDAP
> director.
> Remedy:
> Disable the NULL bind entry or control the entry with Access Control
> Lists (ACLs).
> References:"
> 
> --and--
> 
> " LDAP Schema: LDAP schema information gathering
> 
> An attacker could access the Lightweight Directory Access Protocol
> (LDAP) schema to gain information about the LDAP server. The LDAP server
> dumps its schema, which can show all necessary attributes needed for an
> object, including hidden or non-readable attributes. An attacker could
> use this information to access directory listings and plan further
> attacks.
> Remedy:
> Disable the cn=schema entry or allow only authorized users to view the
> entry.
> References:"


Those are not vulnerabilities, they are deliberate features in the 
LDAPv3 standard.

  Those two nessus/ISS tests, among other LDAP related tests, are born 
of senseless "rationale" which was contributed to nessus several years 
ago by a nessus mailing list member. Back then, the nessus engine 
creator was asking the nessus mailing list to submit any kind of test 
they could think of, so they could eventually brag about having 10k 
types of scans. There was no quality control involved, tests were just 
accepted at face value. And many of the explanations are not logical or 
rational if you really sit down and think about them. I think nessus and 
ISS trade or sell tests to/with each other, or something... Anyhow, one 
of their key marketing points is the number of included tests.

  It is up to a directory architect to consider the security 
ramifications of his or her design, not nessus or ISS. If you want to 
allow anon access to some portion of your directory, and lock down other 
portionss, then there is absolutely nothing wrong or insecure about 
that. Companies have public (anonymously accessible) portions of their 
website, don't they? Is that a vulnerability?

  As well, claiming that anonymous schema discovery is a vulnerability 
is just plain nonsense. Knowing the name of an attribute which is not 
anonymously readable doesn't help you in any way, shape, or form to plan 
an attack on an LDAP server. And the LDAP standard does not contain 
support for "hidden" attributes, unless you consider operational 
attributes which need to be explicitly requested. Operational attributes 
have well known names and are not easily extendable by directory architects.

  Sorry for the rant, but I'm particularly fed up with the 
self-proclaimed "security experts" spreading misinformation like this 
and trying to take over the networks with fud.


BR,
mike

More information about the 389-users mailing list