LDAP allows null bases and LDAPv3 Servers

I’d like to request a review of rule id (1.3.6.1.4.1.25623.1.0.10722) as it pertains to LDAPv3 servers.

Our security assessor is requiring us to disable null base queries because of this rule. We have a Windows Server 2019 AD server that OpenVAS detected as operating an LDAPv3 server. I have requested that our assessor directly open a support ticket but they do not seem willing.

The rule description for “LDAP allows null bases” is:

Improperly configured LDAP servers will allow the directory BASE
to be set to NULL. This allows information to be culled without
any prior knowledge of the directory structure. Coupled with a
NULL BIND, an anonymous user can query your LDAP server using a
tool such as ‘LdapMiner’"

I have reviewed RFC 4512 (RFC 4512 - Lightweight Directory Access Protocol (LDAP): Directory Information Models), which I believe requires that LDAPv3 respond to queries with Null bases and thus LDAPv3 servers are not improperly configured

An LDAP server SHALL provide information about itself and other information that is specific to each server. This is represented as a group of attributes located in the root DSE, which is named with the DN with zero RDNs (whose representation is as the zero-length string).

These attributes are retrievable, subject to access control and other restrictions, if a client performs a Search operation with an empty baseObject, scope of baseObject, the filter “(objectClass=*)”, and the attributes field listing the names of the desired attributes.

“LDAP allows null bases” is very similar to “Use LDAP search request to retrieve information from NT Directory Services” (1.3.6.1.4.1.25623.1.0.12105) whose description states "it is possible to disclose LDAP information as the directory base of the remote server is set to NULL. " This rule has a line of code that checks if the ldap server is v3 and exits.

if( is_ldapv3( port:port ) )
  exit( 0 );

Thank you.

Hi and thanks for your report.

It seems that https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org/message/XE3C6DO7LQE2V4I4IJ55N6222TCTRI7Q/ also confirms your observations.

The mentioned VT has been updated to not report a vulnerability against LDAP servers supporting LDAPv3. These changes should arrive in the feed in the next few days.

2 Likes