LDAP Server NULL Bind Connection Information Disclosure

This script is Copyright (C) 2001-2012 Tenable Network Security, Inc.


Synopsis :

The remote LDAP server allows anonymous access.

Description :

The LDAP server on the remote host is currently configured such that a
user can connect to it without authentication - via a 'NULL BIND' -
and query it for information. Although the queries that are allowed
are likely to be fairly restricted, this may result in disclosure of
information that an attacker could find useful.

This plugin does not identify servers that use LDAP v3 since
anonymous access -- a 'NULL BIND' -- is required by that version
of the protocol.

Solution :

Configure the service to disallow NULL BINDs.
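
To make the check concrete when verifying the fix, the following added example (not part of the Nessus plugin or its code) encodes an anonymous simple bind as LDAP BER bytes and decodes the result code of the server's BindResponse. The function names are hypothetical, the two sample responses are constructed, and result codes follow the LDAP specification (0 = success, 48 = inappropriateAuthentication).

```python
# Added example: BER bytes of an anonymous ("NULL") LDAP simple bind and a
# decoder for the BindResponse result code. Short-form lengths (< 128) only.
SUCCESS = 0  # resultCode 0 means the server accepted the bind

def tlv(tag: int, value: bytes) -> bytes:
    if len(value) > 127:
        raise ValueError("long-form BER lengths are not handled here")
    return bytes([tag, len(value)]) + value

def null_bind_request(message_id: int = 1, version: int = 2) -> bytes:
    """LDAPMessage carrying a BindRequest with empty DN and empty password."""
    if not 0 < message_id < 128:
        raise ValueError("message_id must fit in one byte for this encoder")
    bind = tlv(0x60,                          # [APPLICATION 0] BindRequest
               tlv(0x02, bytes([version]))    # version INTEGER
               + tlv(0x04, b"")               # name: zero-length DN
               + tlv(0x80, b""))              # simple [0]: zero-length password
    return tlv(0x30, tlv(0x02, bytes([message_id])) + bind)

def read_tlv(buf: bytes, pos: int):
    if pos + 2 > len(buf) or buf[pos + 1] & 0x80:
        raise ValueError("truncated or long-form element")
    end = pos + 2 + buf[pos + 1]
    if end > len(buf):
        raise ValueError("element runs past end of buffer")
    return buf[pos], buf[pos + 2:end], end

def bind_result_code(response: bytes) -> int:
    tag, body, _ = read_tlv(response, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, _, pos = read_tlv(body, 0)           # messageID
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, op, _ = read_tlv(body, pos)
    if tag != 0x61:                           # [APPLICATION 1] BindResponse
        raise ValueError("not a BindResponse")
    tag, code, _ = read_tlv(op, 0)            # resultCode ENUMERATED
    if tag != 0x0A or not code:
        raise ValueError("missing resultCode")
    return int.from_bytes(code, "big")

def allows_null_bind(response: bytes) -> bool:
    return bind_result_code(response) == SUCCESS

# Constructed sample responses (not captured from a real server).
ACCEPTED = bytes.fromhex("300c02010161070a010004000400")  # resultCode 0
REFUSED = bytes.fromhex("300c02010161070a013004000400")   # resultCode 48
```

After NULL BINDs are disallowed, the response to this request should decode to a non-zero result code.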

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

Family: Misc.

Nessus Plugin ID: 10723 (ldap_null_bind.nasl)

Bugtraq ID:

CVE ID: