TLS authentication

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Adams Samuel D Contr AFRL/HEDR wrote:

  > I also have two medium vulnerabilities the keep popping up with ISS that
> I need to resolve but can't seem to find the proper configuration in the
> admin console. 
> 
> " LDAP NullBind: LDAP anonymous access to directory
> 
> The NULL bind entry allows a user to access the Lightweight Directory
> Access Protocol (LDAP) directory anonymously. An attacker could take
> advantage of the NULL bind entry to anonymously view files on the LDAP
> director.
> Remedy:
> Disable the NULL bind entry or control the entry with Access Control
> Lists (ACLs).
> References:"
> 
> --and--
> 
> " LDAP Schema: LDAP schema information gathering
> 
> An attacker could access the Lightweight Directory Access Protocol
> (LDAP) schema to gain information about the LDAP server. The LDAP server
> dumps its schema, which can show all necessary attributes needed for an
> object, including hidden or non-readable attributes. An attacker could
> use this information to access directory listings and plan further
> attacks.
> Remedy:
> Disable the cn=schema entry or allow only authorized users to view the
> entry.
> References:"


Those are not vulnerabilities, they are deliberate features in the 
LDAPv3 standard.

  Those two nessus/ISS tests, among other LDAP related tests, are born 
of senseless "rationale" which was contributed to nessus several years 
ago by a nessus mailing list member. Back then, the nessus engine 
creator was asking the nessus mailing list to submit any kind of test 
they could think of, so they could eventually brag about having 10k 
types of scans. There was no quality control involved, tests were just 
accepted at face value. And many of the explanations are not logical or 
rational if you really sit down and think about them. I think nessus and 
ISS trade or sell tests to/with each other, or something... Anyhow, one 
of their key marketing points is the number of included tests.

  It is up to a directory architect to consider the security 
ramifications of his or her design, not nessus or ISS. If you want to 
allow anon access to some portion of your directory, and lock down other 
portionss, then there is absolutely nothing wrong or insecure about 
that. Companies have public (anonymously accessible) portions of their 
website, don't they? Is that a vulnerability?

  As well, claiming that anonymous schema discovery is a vulnerability 
is just plain nonsense. Knowing the name of an attribute which is not 
anonymously readable doesn't help you in any way, shape, or form to plan 
an attack on an LDAP server. And the LDAP standard does not contain 
support for "hidden" attributes, unless you consider operational 
attributes which need to be explicitly requested. Operational attributes 
have well known names and are not easily extendable by directory architects.

  Sorry for the rant, but I'm particularly fed up with the 
self-proclaimed "security experts" spreading misinformation like this 
and trying to take over the networks with fud.


BR,
mike




[Index of Archives]     [Fedora User Discussion]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora News]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora QA]     [Fedora Triage]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Yosemite Photos]     [Linux Apps]     [Maemo Users]     [Gnome Users]     [KDE Users]     [Fedora Tools]     [Fedora Art]     [Fedora Docs]     [Maemo Users]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Fedora ARM]

  Powered by Linux