[Fedora-directory-users] TLS authentication

Adams Samuel D Contr AFRL/HEDR Samuel.Adams at BROOKS.AF.MIL
Tue Aug 8 20:16:58 UTC 2006


Haha, I know exactly what you mean!  My workplace is full of "security
experts" who don't even know what ICMP is.  I could send you some
results of some serious "ping vulnerabilities" so we all could get a
good laugh, but I digress.  Knowing how to run an ISS or Nessus scan
does not necessarily make you a security expert.

Anyway, should I worry about clients using the LDAP to authenticate
without TLS?  Do I need to set my directory server such that users can
only authenticate if they have TLS enabled?

Sam Adams
General Dynamics - Information Technology
Phone: 210.536.5945

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com
[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Mike
Jackson
Sent: Tuesday, August 08, 2006 2:47 PM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] TLS authentication

Adams Samuel D Contr AFRL/HEDR wrote:

> I also have two medium vulnerabilities that keep popping up with ISS
> that I need to resolve but can't seem to find the proper configuration
> in the admin console.
> 
> " LDAP NullBind: LDAP anonymous access to directory
> 
> The NULL bind entry allows a user to access the Lightweight Directory
> Access Protocol (LDAP) directory anonymously. An attacker could take
> advantage of the NULL bind entry to anonymously view files on the LDAP
> directory.
> Remedy:
> Disable the NULL bind entry or control the entry with Access Control
> Lists (ACLs).
> References:"
> 
> --and--
> 
> " LDAP Schema: LDAP schema information gathering
> 
> An attacker could access the Lightweight Directory Access Protocol
> (LDAP) schema to gain information about the LDAP server. The LDAP
> server dumps its schema, which can show all necessary attributes needed
> for an object, including hidden or non-readable attributes. An attacker
> could use this information to access directory listings and plan
> further attacks.
> Remedy:
> Disable the cn=schema entry or allow only authorized users to view the
> entry.
> References:"


Those are not vulnerabilities, they are deliberate features in the 
LDAPv3 standard.

  Those two nessus/ISS tests, among other LDAP related tests, are born 
of senseless "rationale" which was contributed to nessus several years 
ago by a nessus mailing list member. Back then, the nessus engine 
creator was asking the nessus mailing list to submit any kind of test 
they could think of, so they could eventually brag about having 10k 
types of scans. There was no quality control involved, tests were just 
accepted at face value. And many of the explanations are not logical or 
rational if you really sit down and think about them. I think nessus and 
ISS trade or sell tests to/with each other, or something... Anyhow, one 
of their key marketing points is the number of included tests.

  It is up to a directory architect to consider the security 
ramifications of his or her design, not nessus or ISS. If you want to 
allow anon access to some portion of your directory, and lock down other 
portions, then there is absolutely nothing wrong or insecure about 
that. Companies have public (anonymously accessible) portions of their 
website, don't they? Is that a vulnerability?

  As well, claiming that anonymous schema discovery is a vulnerability 
is just plain nonsense. Knowing the name of an attribute which is not 
anonymously readable doesn't help you in any way, shape, or form to plan 
an attack on an LDAP server. And the LDAP standard does not contain 
support for "hidden" attributes, unless you consider operational 
attributes which need to be explicitly requested. Operational attributes 
have well known names and are not easily extendable by directory 
architects.

  Sorry for the rant, but I'm particularly fed up with the 
self-proclaimed "security experts" spreading misinformation like this 
and trying to take over the networks with fud.


BR,
mike

--
Fedora-directory-users mailing list
Fedora-directory-users at redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
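As an added configuration example, not from this thread or from either poster: one way to address Sam's question (refuse password binds over cleartext LDAP) and Mike's point (keep anonymous access only for a deliberately public subtree) on a 389/Fedora Directory Server. It assumes a server whose cn=config supports nsslapd-require-secure-binds and nsslapd-allow-anonymous-access (these appeared in later 389 DS releases, so check your version), and an assumed suffix dc=example,dc=com.

```ldif
# Added example, not part of the original thread.
# Apply with: ldapmodify -x -ZZ -D "cn=Directory Manager" -W -f require-tls.ldif
# (-ZZ makes the OpenLDAP client insist on StartTLS before sending the bind.)

# Weak (default) setting, shown for contrast: simple binds carrying a
# password are accepted over cleartext LDAP on port 389.
#   dn: cn=config
#   nsslapd-require-secure-binds: off

# Hardened: reject simple (password) binds unless the connection is
# TLS/SSL protected. Anonymous binds are unaffected by this setting.
dn: cn=config
changetype: modify
replace: nsslapd-require-secure-binds
nsslapd-require-secure-binds: on

# Keep anonymous access enabled so the public portion of the tree stays
# readable; set this to "rootdse" instead if only the root DSE should be
# visible without a bind, or "off" to forbid anonymous access entirely.
dn: cn=config
changetype: modify
replace: nsslapd-allow-anonymous-access
nsslapd-allow-anonymous-access: on

# Scope what anonymous users can see with an ACI on the (assumed) suffix:
# read/search/compare on a short list of public attributes only. Attributes
# not named here (e.g. userPassword) are not anonymously readable, which is
# what makes "knowing the attribute name" harmless, as Mike argues.
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="cn || mail || telephoneNumber")(version 3.0; acl "Anonymous public read"; allow (read,search,compare) userdn="ldap:///anyone";)
```

After applying, verify from a client that a password bind without TLS is refused while the same bind over StartTLS succeeds, and that an anonymous search returns only the attributes the ACI names.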
