Re: TLS authentication

Adams Samuel D Contr AFRL/HEDR wrote:

> I also have two medium vulnerabilities that keep popping up with ISS that
> I need to resolve but can't seem to find the proper configuration in the
> admin console.
> " LDAP NullBind: LDAP anonymous access to directory
>
> The NULL bind entry allows a user to access the Lightweight Directory
> Access Protocol (LDAP) directory anonymously. An attacker could take
> advantage of the NULL bind entry to anonymously view files on the LDAP
> directory.
> Remedy:
> Disable the NULL bind entry or control the entry with Access Control
> Lists (ACLs).
> References:"
>
> --and--
>
> " LDAP Schema: LDAP schema information gathering
>
> An attacker could access the Lightweight Directory Access Protocol
> (LDAP) schema to gain information about the LDAP server. The LDAP server
> dumps its schema, which can show all necessary attributes needed for an
> object, including hidden or non-readable attributes. An attacker could
> use this information to access directory listings and plan further
> attacks.
> Remedy:
> Disable the cn=schema entry or allow only authorized users to view the
> entry.
> References:"


Those are not vulnerabilities, they are deliberate features in the LDAPv3 standard.

Those two nessus/ISS tests, among other LDAP related tests, are born of senseless "rationale" which was contributed to nessus several years ago by a nessus mailing list member. Back then, the nessus engine creator was asking the nessus mailing list to submit any kind of test they could think of, so they could eventually brag about having 10k types of scans. There was no quality control involved, tests were just accepted at face value. And many of the explanations are not logical or rational if you really sit down and think about them. I think nessus and ISS trade or sell tests to/with each other, or something... Anyhow, one of their key marketing points is the number of included tests.

It is up to a directory architect to consider the security ramifications of his or her design, not nessus or ISS. If you want to allow anon access to some portion of your directory, and lock down other portions, then there is absolutely nothing wrong or insecure about that. Companies have public (anonymously accessible) portions of their website, don't they? Is that a vulnerability?

As well, claiming that anonymous schema discovery is a vulnerability is just plain nonsense. Knowing the name of an attribute which is not anonymously readable doesn't help you in any way, shape, or form to plan an attack on an LDAP server. And the LDAP standard does not contain support for "hidden" attributes, unless you consider operational attributes which need to be explicitly requested. Operational attributes have well known names and are not easily extendable by directory architects.

Sorry for the rant, but I'm particularly fed up with the self-proclaimed "security experts" spreading misinformation like this and trying to take over the networks with fud.


BR,
mike

--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
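As an added example (not part of this thread, and not from the Fedora Directory Server project's own documentation): one way to express the split Mike describes, anonymous read on a public portion of the tree and nothing else, using the server's aci attribute, with the server-wide switch shown for the case where no portion should be public. The suffix dc=example,dc=com, the ou=People container and the attribute list are assumptions.

```ldif
# Added example, not from the thread. Suffix, container and the list of
# public attributes are assumptions for illustration.
#
# Grant anonymous binds read/search/compare on a few public attributes under
# ou=People only. Anything not matched by an allow ACI stays unreadable to
# anonymous users, so other subtrees and attributes remain locked down.
dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "cn || mail || telephoneNumber")
 (version 3.0; acl "Anonymous read of public attributes";
 allow (read, search, compare) userdn = "ldap:///anyone";)

# If the design calls for no anonymous access at all, switch it off at the
# server level instead of hunting for the scanner's "NULL bind entry".
# Assumes a server version that supports nsslapd-allow-anonymous-access.
dn: cn=config
changetype: modify
replace: nsslapd-allow-anonymous-access
nsslapd-allow-anonymous-access: off
```

Apply with ldapmodify as the Directory Manager, then verify with an unauthenticated ldapsearch (-x, no -D) that only the intended attributes come back.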
