
Insecure authentication method - LDAP

Description

LDAP, as it is commonly deployed, is not a safe way to authenticate users. The same server that validates credentials also answers general directory queries, so it receives far more traffic, from far more clients, than an authentication service should ever be exposed to. A simple bind (LDAP's basic username-and-password operation) delivers the password to the server in plain text unless the session is protected by TLS. LDAPv3 does support TLS, both as LDAPS (TLS established before any LDAP traffic, normally on port 636) and through the StartTLS extended operation on the standard port 389, but many deployments still bind without it, or keep legacy SSL-era configurations that accept obsolete protocol versions and skip server certificate validation. An attacker on the network path can then present a spoofed certificate and read or alter the session as a man-in-the-middle.

Impact

An attacker on the network can capture credentials sent in plain-text simple binds, and can exhaust the server with connection floods, since every LDAP session costs a full TCP three-way handshake before the bind is even processed.

Recommendation

  • Require TLS on every connection that carries credentials: use LDAPS (port 636) or the StartTLS extended operation on port 389, refuse plain-text simple binds, and validate the server certificate against a trusted CA instead of accepting any certificate.
  • Route bind-only ("blind") authentication connections, which only verify a username and password and never search or modify the directory, to a second physical LDAP server that holds a read-only clone of the directory tree scoped to what those binds need, so the primary directory is not exposed to authentication traffic.
  • If connections from the Internet must be accepted, allow only this bind-only authentication; never expose directory search or modification to the Internet.
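A worked illustration of the two points made on this page: the plain-text simple bind the Description warns about, and the TLS-with-certificate-validation, bind-only credential check the Recommendation asks for. This is an added example written for this page, not code from the original page or from any LDAP vendor. It uses only the Python standard library; the DN, password, host name and response bytes it works with are constructed for illustration, and the bind_only_check helper name is an assumption of this example.

```python
"""LDAPv3 simple bind on the wire, and the TLS setup that keeps it private.

Added example for this page (not Fluid Attacks' or any vendor's code).  Only the
standard library is used; the DN, password and response bytes are constructed.
Encoding follows RFC 4511; StartTLS is the extended operation of RFC 4511 s.4.14.
"""
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # requestName of the StartTLS extended request


def _ber_len(n: int) -> bytes:
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _ber(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _ber_int(n: int) -> bytes:
    """Non-negative INTEGER; a leading 0x00 keeps the high bit clear."""
    return _ber(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the element) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next N bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def simple_bind_request(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage{ messageID, BindRequest [APPLICATION 0]{ version 3, name, simple [0] } }.
    Over plain LDAP these bytes are exactly what crosses the network: the protocol
    itself neither hashes nor encrypts the password."""
    bind = _ber_int(3) + _ber(0x04, dn.encode()) + _ber(0x80, password.encode())
    return _ber(0x30, _ber_int(msg_id) + _ber(0x60, bind))


def credentials_from_capture(packet: bytes):
    """What a passive observer recovers from an unprotected simple bind: (dn, password),
    or None when the message is not a simple BindRequest (SASL binds use tag [3])."""
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        return None
    _, _msg_id, pos = _read_tlv(msg, 0)
    tag, bind, _ = _read_tlv(msg, pos)
    if tag != 0x60:
        return None
    _, _version, pos = _read_tlv(bind, 0)
    _, dn, pos = _read_tlv(bind, pos)
    tag, auth, _ = _read_tlv(bind, pos)
    if tag != 0x80:
        return None
    return dn.decode(), auth.decode()


def starttls_request(msg_id: int) -> bytes:
    """ExtendedRequest [APPLICATION 23] whose requestName [0] is the StartTLS OID.
    On port 389 this must precede the bind: after a success response the client
    wraps the same socket in TLS and only then sends credentials."""
    return _ber(0x30, _ber_int(msg_id) + _ber(0x77, _ber(0x80, STARTTLS_OID)))


def bind_result_code(packet: bytes) -> int:
    """resultCode of a BindResponse [APPLICATION 1]; 0 is success, 49 invalidCredentials."""
    _, msg, _ = _read_tlv(packet, 0)
    _, _msg_id, pos = _read_tlv(msg, 0)
    tag, resp, _ = _read_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    _, code, _ = _read_tlv(resp, 0)  # resultCode ENUMERATED
    return int.from_bytes(code, "big")


def hardened_tls_context(ca_file=None) -> ssl.SSLContext:
    """Client context for LDAPS or post-StartTLS traffic: certificate chain and
    hostname are verified (a spoofed certificate is rejected) and legacy
    SSL/TLS versions are refused."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def bind_only_check(host: str, dn: str, password: str, ca_file=None, port=636) -> bool:
    """Bind-only credential check over LDAPS (hypothetical helper): TLS is up before
    any LDAP PDU is sent and no search follows the bind.  True on resultCode 0.
    Needs a reachable LDAPS server, so it is not exercised offline."""
    ctx = hardened_tls_context(ca_file)
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(simple_bind_request(1, dn, password))
            return bind_result_code(tls.recv(4096)) == 0
```

Feeding the bytes that simple_bind_request produces into credentials_from_capture shows why port 389 without StartTLS is a problem: the DN and password come straight back out of the capture. bind_only_check is the shape the bind-only authentication path should take: hardened_tls_context refuses any certificate that does not chain to the trusted CA or does not match the host, so the certificate-spoofing attack described above never gets a session to sit in.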

Threat

Unauthenticated attacker on the intranet.

Expected Remediation Time

⌚ 60 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: N
  • Attack complexity: H
  • Privileges required: N
  • User interaction: N
  • Scope: U
  • Confidentiality: L
  • Integrity: L
  • Availability: L

Temporal

  • Exploit code maturity: P
  • Remediation level: O
  • Report confidence: X

Result

  • Vector string: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:X
  • Score:
    • Base: 5.6
    • Temporal: 5.1
  • Severity:
    • Base: Medium
    • Temporal: Medium

Code Examples

Compliant code

The LDAP connection is configured to use TLS (LDAPS) together with negotiated Kerberos/NTLM authentication, so sensitive traffic is encrypted and the password never crosses the network in plain text

using System.DirectoryServices;

// SecureSocketsLayer = LDAPS (TLS, port 636 by default); Secure = Negotiate
// (Kerberos/NTLM) instead of a plain-text simple bind.
DirectoryEntry de = new DirectoryEntry();
de.Path = "LDAP://myserver/OU=People,O=mycompany";
de.AuthenticationType = AuthenticationTypes.SecureSocketsLayer | AuthenticationTypes.Secure;

Non compliant code

The LDAP connection uses a simple bind with no TLS, so sensitive traffic, including the password, is sent unencrypted

using System.DirectoryServices;

// AuthenticationTypes.None = simple bind over plain LDAP (port 389): whatever is
// set on Username/Password is delivered to the server in plain text.
DirectoryEntry de = new DirectoryEntry();
de.Path = "LDAP://myserver/OU=People,O=mycompany";
de.AuthenticationType = AuthenticationTypes.None;

Requirements