[389-users] LDAP allows null bases

Ludwig Krispenz lkrispen at redhat.com
Wed Mar 11 14:31:52 UTC 2015


On 03/11/2015 03:04 PM, Rob Crittenden wrote:
> Ludwig Krispenz wrote:
>> Hi,
>>
>> in my opinion this is not a security issue, but a feature compliant to
>> the ldap rfcs. A server should expose a minimal set of information about
>> itself, eg supported controls, saslmechanisms, namingcontexts even to
>> anonymous users - and many applications rely on this.
>> If you really want to turn this off, you need to modify the aci for the
>> "dn:" entry
> He might also want to look at nsslapd-allow-anonymous-access to disable
> all anonymous access to the server. I agree that being able to read the
> rootDSE probably isn't a big deal.
In RFC 4513 it explicitly states:

    LDAP servers SHOULD allow all clients --
    even those with an anonymous authorization -- to retrieve the
    'supportedSASLMechanisms' attribute of the root DSE both before and
    after the SASL authentication exchange.  The purpose of the latter is
    to allow the client to detect possible downgrade attacks (see Section
    6.4 and [RFC4422], Section 6.1.2).


>
> rob
>
>> Ludwig
>>
>> On 03/11/2015 11:23 AM, Kay Cee wrote:
>>> All clients connecting to our 389-ds server showed up this
>>> vulnerability on the scan. How do I fix this on my 389-ds server?
>>>
>>> LDAP allows null bases
>>>
>>> Risk:High
>>> Application:ldap
>>> Port:389
>>> Protocol:tcp
>>> ScriptID:10722
>>> Summary:
>>> It is possible to disclose LDAP information.
>>> Description :
>>> Improperly configured LDAP servers will allow the directory BASE to be
>>> set to NULL. This allows information to be culled without any prior
>>> knowledge of the directory structure. Coupled with a NULL BIND, an
>>> anonymous user can query your LDAP server using a tool such as
>>> 'LdapMiner'
>>>
>>> Solution:
>>> Disable NULL BASE queries on your LDAP server
>>> CVSS Base Score : 5.0
>>> Family name: Remote file access
>>> Category: infos
>>> Copyright: Copyright (C) 2000 John Lampe....j_lampe at bellsouth.net
>>> Summary: Check for LDAP null base
>>> Version: $Revision: 128 $
>>>
>>>
>>>
>>> --
>>> 389 users mailing list
>>> 389-users at lists.fedoraproject.org
>>> https://admin.fedoraproject.org/mailman/listinfo/389-users
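The finding in the scan, and the replies above, come down to one question: what does the server hand back when an unbound (anonymous) client does a base-scope search on the empty DN? The script below is an added example for this thread, not code from 389-ds, the scanner, or anyone on the list. It encodes that exact SearchRequest by hand over the LDAP wire protocol (RFC 4511 BER), decodes the SearchResultEntry, and sorts the returned attributes into the one RFC 4513 says anonymous clients should be able to read (supportedSASLMechanisms) versus ones that describe directory layout or product (namingContexts and friends). The grouping in DISCLOSING is an assumption made for this example; the sample server reply is constructed so the parser can be run offline, and query_rootdse performs the same read against a server you administer.

```python
import socket

RFC_EXPECTED = {"supportedsaslmechanisms"}  # RFC 4513 5.1.2: SHOULD be readable even anonymously
DISCLOSING = {"namingcontexts", "defaultnamingcontext", "vendorname", "vendorversion"}  # assumed grouping

def ber_length(n):
    if n < 0x80:                        # short form
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body   # long form

def tlv(tag, payload):
    return bytes([tag]) + ber_length(len(payload)) + payload

def small_int(tag, value):
    """INTEGER/ENUMERATED for 0..127, enough for the message ids and enums used here."""
    return tlv(tag, bytes([value]))

def build_rootdse_search(msg_id, attrs):
    """LDAPMessage { messageID, SearchRequest } for a base-scope read of the empty DN."""
    search = (
        tlv(0x04, b"")                  # baseObject "" (the "null base")
        + small_int(0x0A, 0)            # scope: baseObject
        + small_int(0x0A, 0)            # derefAliases: neverDerefAliases
        + small_int(0x02, 0)            # sizeLimit: none
        + small_int(0x02, 0)            # timeLimit: none
        + tlv(0x01, b"\x00")            # typesOnly: FALSE
        + tlv(0x87, b"objectClass")     # filter: present(objectClass), i.e. (objectClass=*)
        + tlv(0x30, b"".join(tlv(0x04, a.encode()) for a in attrs))
    )
    return tlv(0x30, small_int(0x02, msg_id) + tlv(0x63, search))  # SearchRequest is [APPLICATION 3]

def read_tlv(buf, pos):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                       # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + ln > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + ln], pos + ln

def iter_tlvs(buf):
    pos = 0
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        yield tag, val

def parse_messages(stream):
    """Split a stream of LDAPMessages into (protocolOp tag, protocolOp body) pairs."""
    ops = []
    for _, msg in iter_tlvs(stream):
        _msg_id, (op_tag, op_val) = list(iter_tlvs(msg))[:2]
        ops.append((op_tag, op_val))
    return ops

def parse_entry(entry):
    """SearchResultEntry { objectName, PartialAttributeList } -> (dn, {attr: [values]})."""
    (_, dn), (_, attr_list) = list(iter_tlvs(entry))[:2]
    attrs = {}
    for _, attr in iter_tlvs(attr_list):
        (_, name), (_, vals) = list(iter_tlvs(attr))[:2]
        attrs[name.decode()] = [v.decode(errors="replace") for _, v in iter_tlvs(vals)]
    return dn.decode(), attrs

def rootdse_from_stream(stream):
    for op, body in parse_messages(stream):
        if op == 0x64:                  # SearchResultEntry [APPLICATION 4]
            return parse_entry(body)[1]
    return {}

def classify(attrs):
    """Bucket returned attribute names by what their anonymous exposure implies."""
    low = {a: a.lower() for a in attrs}
    return {"rfc4513_expected": sorted(a for a in attrs if low[a] in RFC_EXPECTED),
            "layout_disclosing": sorted(a for a in attrs if low[a] in DISCLOSING),
            "other": sorted(a for a in attrs if low[a] not in RFC_EXPECTED | DISCLOSING)}

def sample_response():
    """Constructed reply (entry + SearchResultDone) so the parser can be exercised offline."""
    def attr(name, vals):
        return tlv(0x30, tlv(0x04, name.encode()) + tlv(0x31, b"".join(tlv(0x04, v.encode()) for v in vals)))
    entry = tlv(0x04, b"") + tlv(0x30, attr("namingContexts", ["dc=example,dc=com"])
                                     + attr("supportedSASLMechanisms", ["EXTERNAL", "GSSAPI"]))
    done = small_int(0x0A, 0) + tlv(0x04, b"") + tlv(0x04, b"")   # resultCode success, no matchedDN/message
    return tlv(0x30, small_int(0x02, 1) + tlv(0x64, entry)) + tlv(0x30, small_int(0x02, 1) + tlv(0x65, done))

def _complete(data):
    try:
        return any(op == 0x65 for op, _ in parse_messages(data))   # SearchResultDone seen
    except (IndexError, ValueError):
        return False

def query_rootdse(host, port=389, timeout=5.0):
    """Read your own server's rootDSE without binding, i.e. exactly as an anonymous client would."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_rootdse_search(1, ["namingContexts", "supportedSASLMechanisms", "vendorVersion"]))
        while not _complete(data) and (chunk := sock.recv(65536)):
            data += chunk
    return rootdse_from_stream(data)
```

`classify(rootdse_from_stream(sample_response()))` shows the two buckets on the constructed reply; `classify(query_rootdse("ldap.example.com"))` (hypothetical host) does the same against a live directory, which is the quickest way to see what the scanner saw. If the layout-disclosing bucket is the concern, the thread's two options apply: tighten the ACI on the "dn:" entry so only supportedSASLMechanisms and the other RFC-expected attributes stay anonymously readable, or set nsslapd-allow-anonymous-access, whose documented 389-ds values are on, off and rootdse (the last one keeps the rootDSE readable while blocking anonymous access to everything else). Re-run the read afterwards to confirm supportedSASLMechanisms is still returned, since RFC 4513 relies on it to detect SASL downgrade.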
