Adams Samuel D Contr AFRL/HEDR wrote: > I also have two medium vulnerabilities the keep popping up with ISS that > I need to resolve but can't seem to find the proper configuration in the > admin console. > > " LDAP NullBind: LDAP anonymous access to directory > > The NULL bind entry allows a user to access the Lightweight Directory > Access Protocol (LDAP) directory anonymously. An attacker could take > advantage of the NULL bind entry to anonymously view files on the LDAP > director. > Remedy: > Disable the NULL bind entry or control the entry with Access Control > Lists (ACLs). > References:" > > --and-- > > " LDAP Schema: LDAP schema information gathering > > An attacker could access the Lightweight Directory Access Protocol > (LDAP) schema to gain information about the LDAP server. The LDAP server > dumps its schema, which can show all necessary attributes needed for an > object, including hidden or non-readable attributes. An attacker could > use this information to access directory listings and plan further > attacks. > Remedy: > Disable the cn=schema entry or allow only authorized users to view the > entry. > References:" Those are not vulnerabilities, they are deliberate features in the LDAPv3 standard. Those two nessus/ISS tests, among other LDAP related tests, are born of senseless "rationale" which was contributed to nessus several years ago by a nessus mailing list member. Back then, the nessus engine creator was asking the nessus mailing list to submit any kind of test they could think of, so they could eventually brag about having 10k types of scans. There was no quality control involved, tests were just accepted at face value. And many of the explanations are not logical or rational if you really sit down and think about them. I think nessus and ISS trade or sell tests to/with each other, or something... Anyhow, one of their key marketing points is the number of included tests. It is up to a directory architect to consider the security ramifications of his or her design, not nessus or ISS. If you want to allow anon access to some portion of your directory, and lock down other portionss, then there is absolutely nothing wrong or insecure about that. Companies have public (anonymously accessible) portions of their website, don't they? Is that a vulnerability? As well, claiming that anonymous schema discovery is a vulnerability is just plain nonsense. Knowing the name of an attribute which is not anonymously readable doesn't help you in any way, shape, or form to plan an attack on an LDAP server. And the LDAP standard does not contain support for "hidden" attributes, unless you consider operational attributes which need to be explicitly requested. Operational attributes have well known names and are not easily extendable by directory architects. Sorry for the rant, but I'm particularly fed up with the self-proclaimed "security experts" spreading misinformation like this and trying to take over the networks with fud. BR, mike
