News

Limited LDAP Vulnerability Surfaces

• By Scott Bekker
• June 26, 2001

In a software bulletin, Microsoft acknowledged that the vulnerability could result in an attacker gaining Administrator privileges on compromised systems.

Observers agree that the scope of this latest vulnerability is extremely limited. It only affects Windows 2000 systems that have been configured to support LDAP over SSL sessions.

"You're not vulnerable by default, as you can see you have to have taken some pretty significant steps to configure your machine into a vulnerable situation," wrote Russ Cooper, editor of the NTBugtraq Mailing List, in a subscriber bulletin.

According to Microsoft, the LDAP vulnerability exploits a function in LDAP-over-SSL that is designed to allow users to make changes to the data attributes of directory principals.

Microsoft acknowledged that the problem occurs because the function at issue -- which ordinarily checks a user's authorization prior to completing a request -- actually doesn't check for authorization in cases where the directory principal is a domain user and the data attribute a domain password.

"When this is the case, the function fails to check the permissions of the requester, with the result that it could be possible for a user to change any other user's domain login password," the Microsoft security bulletin says.

The LDAP vulnerability opens up a variety of scenarios, Microsoft confirmed. In most cases, an attacker could change another user's password to either perpetrate a denial of service attack by preventing the affected user from logging on, or by logging into a user's account to gain any privileges that he or she might possess. In the most serious case, an attacker could compromise an account with domain administrative privileges and log into his or her account. An attacker who perpetrates an infiltration of this type could gain complete control over a Windows 2000 Server or Windows 2000 Advanced Server.

Microsoft urges IT organizations that are affected by this latest vulnerability to patch their systems immediately. The problem is exacerbated because the vulnerable function can be exploited by anyone who can connect to the LDAP server - including anonymous users.

NTBugtraq's Cooper points out that the LDAP vulnerability is mitigated by a variety of factors. If this vulnerability is to be successfully exploited, he noted, administrators must first have installed an Enterprise Certificate Authority and issued a valid certificate on a Windows 2000 Domain Controller. Secondly, he continued, IT organizations must also have modified their domain policies to allow domain controllers to use certificate requests for the purposes of authentication.

Microsoft also indicated that IT organizations that have configured their firewalls or routers to block traffic on TCP port 636, which facilitates LDAP-over-SSL, are safe from the latest vulnerability.

"Typically such traffic would not occur across the Internet, so [it's] unlikely that you're vulnerable to an outside attack," Cooper observed.

One potential complication associated with the new vulnerability is the fact that LDAP-over-SSL support is sometimes enabled by IT organizations as part of an effort to ratchet up security in their Windows 2000 environments.

"Problem is, the actions above are intended to make your box more secure, so vulnerable systems are sensitive with critical data on them," Cooper says. -- Stephen Swoyer