Re: LDAP allows null bases

On 03/11/2015 03:04 PM, Rob Crittenden wrote:
Ludwig Krispenz wrote:
Hi,

in my opinion this is not a security issue, but a feature compliant to
the LDAP RFCs. A server should expose a minimal set of information about
itself, e.g. supported controls, saslmechanisms, namingcontexts even to
anonymous users - and many applications rely on this.
If you really want to turn this off, you need to modify the ACI for the
"dn:" entry
He might also want to look at nsslapd-allow-anonymous-access to disable
all anonymous access to the server. I agree that being able to read the
rootDSE probably isn't a big deal.
In RFC 4513 it explicitly states:

   LDAP servers SHOULD allow all clients --
   even those with an anonymous authorization -- to retrieve the
   'supportedSASLMechanisms' attribute of the root DSE both before and
   after the SASL authentication exchange.  The purpose of the latter is
   to allow the client to detect possible downgrade attacks (see Section
   6.4 and [RFC4422], Section 6.1.2).



rob

Ludwig

On 03/11/2015 11:23 AM, Kay Cee wrote:
All clients connecting to our 389-ds server showed up this
vulnerability on the scan. How do I fix this on my 389-ds server?

LDAP allows null bases

Risk: High
Application: ldap
Port: 389
Protocol: tcp
ScriptID: 10722
Summary:
It is possible to disclose LDAP information.
Description:
Improperly configured LDAP servers will allow the directory BASE to be
set to NULL. This allows information to be culled without any prior
knowledge of the directory structure. Coupled with a NULL BIND, an
anonymous user can query your LDAP server using a tool such as
'LdapMiner'

Solution:
Disable NULL BASE queries on your LDAP server
CVSS Base Score : 5.0
Family name: Remote file access
Category: infos
Copyright: Copyright (C) 2000 John Lampe....j_lampe@xxxxxxxxxxxxx
Summary: Check for LDAP null base
Version: $Revision: 128 $



--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users


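To see what the scanner's null-base probe actually returns from a 389-ds server, confirm afterwards that the RFC 4513 supportedSASLMechanisms read still works, and apply the nsslapd-allow-anonymous-access change Rob mentions, here is an added shell example (not code from any poster in this thread). The ldap:// URI, the Directory Manager bind DN and the LDAP_BINDPW variable are assumptions; the 'rootdse' value is 389-ds's documented setting that keeps only the rootDSE anonymously readable.

```shell
#!/bin/sh
# Added example, not code from the thread. It reproduces the scanner's probe
# (anonymous bind, empty base) against a 389-ds server, reports which rootDSE
# attributes come back, and emits the LDIF that restricts anonymous access to
# the rootDSE only, keeping the RFC 4513 supportedSASLMechanisms read intact.
# Assumptions: server at $LDAP_URI; $LDAP_BINDPW holds the Directory Manager
# password when the change is applied.

LDAP_URI="${LDAP_URI:-ldap://localhost:389}"

# The same null-base query the scanner issues (-x = simple bind, no credentials).
anon_rootdse_search() {
    ldapsearch -x -LLL -H "$LDAP_URI" -s base -b '' '(objectClass=*)' \
        namingContexts supportedSASLMechanisms supportedLDAPVersion vendorVersion
}

# List the attribute names present in captured LDIF ($1), sorted and
# de-duplicated on one line, so before/after runs can be compared.
rootdse_attrs() {
    printf '%s\n' "$1" \
        | sed -n 's/^\([A-Za-z][A-Za-z0-9-]*\):.*/\1/p' \
        | grep -v '^dn$' | LC_ALL=C sort -u | tr '\n' ' ' | sed 's/ $//'
}

# RFC 4513 expects supportedSASLMechanisms to stay readable anonymously;
# succeed (exit 0) only if the captured output still carries it.
sasl_mechs_visible() {
    printf '%s\n' "$1" | grep -q '^supportedSASLMechanisms:'
}

# 389-ds config change: 'rootdse' leaves the rootDSE readable but refuses
# anonymous access to all other entries ('off' would refuse even the rootDSE).
restrict_anon_ldif() {
    cat <<'EOF'
dn: cn=config
changetype: modify
replace: nsslapd-allow-anonymous-access
nsslapd-allow-anonymous-access: rootdse
EOF
}

apply_restrict_anon() {
    restrict_anon_ldif | ldapmodify -x -H "$LDAP_URI" \
        -D 'cn=Directory Manager' -w "$LDAP_BINDPW"
}
```

Run `anon_rootdse_search` before and after `apply_restrict_anon`, feed each capture to `rootdse_attrs` and `sasl_mechs_visible`, and confirm that the rootDSE attributes are still served while an anonymous search with a real suffix as base is now refused.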