All clients connecting to our 389-ds server showed up with this vulnerability on the scan. How do I fix this on my 389-ds server?
LDAP allows null bases
Risk: High
Application: ldap
Port: 389
Protocol: tcp
ScriptID: 10722
Summary: It is possible to disclose LDAP information.
Description: Improperly configured LDAP servers will allow the directory BASE to be set to NULL. This allows information to be culled without any prior knowledge of the directory structure. Coupled with a NULL BIND, an anonymous user can query your LDAP server using a tool such as 'LdapMiner'
Solution: Disable NULL BASE queries on your LDAP server
CVSS Base Score: 5.0
Family name: Remote file access
Category: infos
Copyright: Copyright (C) 2000 John Lampe....j_lampe@bellsouth.net
Summary: Check for LDAP null base
Version: $Revision: 128 $
Hi,
In my opinion this is not a security issue but a feature compliant with the LDAP RFCs. A server should expose a minimal set of information about itself, e.g. supported controls, SASL mechanisms, naming contexts, even to anonymous users, and many applications rely on this. If you really want to turn this off, you need to modify the ACI for the "dn:" entry.
Ludwig
On 03/11/2015 11:23 AM, Kay Cee wrote:
-- 389 users mailing list 389-users@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-users
Ludwig Krispenz wrote:
Hi,
In my opinion this is not a security issue but a feature compliant with the LDAP RFCs. A server should expose a minimal set of information about itself, e.g. supported controls, SASL mechanisms, naming contexts, even to anonymous users, and many applications rely on this. If you really want to turn this off, you need to modify the ACI for the "dn:" entry.
He might also want to look at nsslapd-allow-anonymous-access to disable all anonymous access to the server. I agree that being able to read the rootDSE probably isn't a big deal.
rob
On 03/11/2015 03:04 PM, Rob Crittenden wrote:
He might also want to look at nsslapd-allow-anonymous-access to disable all anonymous access to the server. I agree that being able to read the rootDSE probably isn't a big deal.
RFC 4513 explicitly states:
LDAP servers SHOULD allow all clients -- even those with an anonymous authorization -- to retrieve the 'supportedSASLMechanisms' attribute of the root DSE both before and after the SASL authentication exchange. The purpose of the latter is to allow the client to detect possible downgrade attacks (see Section 6.4 and [RFC4422], Section 6.1.2).
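The scanner finding at the top of this thread is a single request: an anonymous bind followed by a base-scope search with an empty base DN, which is how any client reads the root DSE. The script below is an added example, not code from the 389-ds project or from anyone in the thread. It sends exactly that request over a plain socket using hand-rolled BER (standard library only), decodes the answer so you can see which attributes your server hands to an anonymous client, and also prints the ldapmodify LDIF for the cn=config attribute Rob points at. The host name, the attribute list and all function names are assumptions; the three values on, off and rootdse for nsslapd-allow-anonymous-access are the documented 389-ds settings.

```python
"""Anonymous root DSE probe plus the nsslapd-allow-anonymous-access LDIF.
Added example for this thread, not 389-ds code. Host, port, attribute list
and function names are assumptions; it needs only the standard library."""
import socket
import sys

# BER encoding (RFC 4511 wire format)
def ber_len(n):
    """BER length: one byte below 128, else 0x80|count followed by the bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def ber(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload

def ber_int(value):            # small non-negative INTEGER, all LDAP needs here
    return ber(0x02, bytes([value]))

def ber_str(value):            # OCTET STRING
    return ber(0x04, value.encode())

def bind_request(msg_id):
    """Anonymous simple bind: empty name, empty password (RFC 4513 5.1.1)."""
    bind = ber_int(3) + ber_str("") + ber(0x80, b"")      # version, name, [0] simple
    return ber(0x30, ber_int(msg_id) + ber(0x60, bind))   # [APPLICATION 0] BindRequest

def rootdse_search_request(msg_id, attrs):
    """The 'null base' query from the scan: base-scope search on DN ""."""
    req = (ber_str("")                        # baseObject "" = root DSE
           + ber(0x0A, b"\x00")                # scope baseObject
           + ber(0x0A, b"\x00")                # derefAliases never
           + ber_int(0) + ber_int(0)           # sizeLimit, timeLimit unlimited
           + ber(0x01, b"\x00")                # typesOnly FALSE
           + ber(0x87, b"objectClass")         # filter (objectClass=*) as [7] present
           + ber(0x30, b"".join(ber_str(a) for a in attrs)))
    return ber(0x30, ber_int(msg_id) + ber(0x63, req))    # [APPLICATION 3] SearchRequest

# BER decoding, just enough for SearchResultEntry (0x64) and SearchResultDone (0x65)
def ber_read(buf, pos=0):
    """Return (tag, value, end) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def ber_children(payload):
    pos = 0
    while pos < len(payload):
        tag, value, pos = ber_read(payload, pos)
        yield tag, value

def parse_messages(data):
    """Yield (msg_id, op_tag, op_payload) for each complete LDAPMessage in data;
    a trailing partial message (still in flight) is left for the next read."""
    pos = 0
    while pos < len(data):
        try:
            _, msg, end = ber_read(data, pos)
        except IndexError:
            return
        if end > len(data):
            return
        (_, msg_id), (op_tag, op_payload) = list(ber_children(msg))[:2]
        yield int.from_bytes(msg_id, "big"), op_tag, op_payload
        pos = end

def parse_entry(payload):
    """SearchResultEntry -> {attribute: [values]}."""
    (_, _dn), (_, attr_list) = list(ber_children(payload))[:2]
    entry = {}
    for _, pa in ber_children(attr_list):
        (_, name), (_, vals) = list(ber_children(pa))[:2]
        entry[name.decode()] = [v.decode(errors="replace") for _, v in ber_children(vals)]
    return entry

def summarize_responses(data, msg_id=2):
    """(search result code or None, merged entry) for the search with msg_id."""
    code, entry = None, {}
    for mid, op, payload in parse_messages(data):
        if mid == msg_id and op == 0x64:
            entry.update(parse_entry(payload))
        elif mid == msg_id and op == 0x65:     # resultCode is the first element
            code = int.from_bytes(next(ber_children(payload))[1], "big")
    return code, entry

ROOTDSE_ATTRS = ["namingContexts", "supportedSASLMechanisms", "supportedControl", "vendorVersion"]

def probe_rootdse(host, port=389, attrs=ROOTDSE_ATTRS, timeout=5.0):
    """Bind anonymously and read the root DSE: what an anonymous client is shown."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(bind_request(1) + rootdse_search_request(2, attrs))
        data = b""
        while not any(mid == 2 and op == 0x65 for mid, op, _ in parse_messages(data)):
            chunk = s.recv(65536)
            if not chunk:
                break
            data += chunk
    return summarize_responses(data)

def anonymous_access_ldif(mode="rootdse"):
    """ldapmodify input for the cn=config switch Rob mentions: 'rootdse' keeps the
    RFC 4513 root DSE readable but refuses anonymous reads of the tree, 'off'
    refuses anonymous access entirely, 'on' is the default."""
    if mode not in ("on", "off", "rootdse"):
        raise ValueError("nsslapd-allow-anonymous-access must be on, off or rootdse")
    return ("dn: cn=config\nchangetype: modify\n"
            "replace: nsslapd-allow-anonymous-access\n"
            f"nsslapd-allow-anonymous-access: {mode}\n")

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "ldap.example.test"   # assumed host
    code, shown = probe_rootdse(host)
    print(f"search result code {code}; anonymous root DSE view of {host}:")
    for name, values in shown.items():
        print(f"  {name}: {values}")
    print("\nLDIF to keep only the root DSE readable anonymously:\n" + anonymous_access_ldif())
```

Run it against your own server before and after a change. With the default configuration the dictionary lists every requested root DSE attribute, which is what the scanner flags; after tightening the ACI on the root DSE (Ludwig's suggestion) the attributes you denied disappear from the result, and supportedSASLMechanisms is the one RFC 4513 says should still be there. Setting nsslapd-allow-anonymous-access to rootdse does not change this probe's output at all, since the root DSE stays readable; its effect is on anonymous searches below the suffixes.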