LDAP Server NULL Bind Connection Information Disclosure

Medium Nessus Plugin ID 10723

Synopsis

The remote LDAP server allows anonymous access.

Description

The LDAP server on the remote host is currently configured such that a user can connect to it without authentication - via a 'NULL BIND', a simple bind with an empty DN and an empty password, i.e. an anonymous bind - and query it for information. Although the queries allowed to an anonymous session are likely to be fairly restricted, this may result in disclosure of information (naming contexts, directory entries, attribute values) that an attacker could find useful.

This plugin does not flag servers that speak LDAP v3, because that version of the protocol requires implementations to support the anonymous simple bind (RFC 4513), so the mere ability to bind with no credentials is not a misconfiguration there; what matters on a v3 server is what an anonymous session is allowed to read beyond the rootDSE.
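
The exchange the plugin performs, as an added example that is not the plugin's NASL code or anything shipped by Tenable: a stand-alone Python probe that hand-encodes the LDAPv3 BindRequest with an empty DN and empty password (the NULL bind) per RFC 4511, parses the server's BindResponse, and after a successful bind issues a base-scope search so that the check is "what can an anonymous session read" rather than only "does the bind succeed". It uses nothing but the standard library; the sample BindResponse bytes are constructed here, not captured traffic, and the host and port passed to probe() are assumptions.

```python
"""Minimal LDAP NULL bind probe (added example, not Nessus plugin code)."""
import socket


def ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    """Tag-length-value: one BER element."""
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(value, tag=0x02):
    """Two's-complement big-endian encoding for the non-negative ints used here."""
    return tlv(tag, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def null_bind_request(message_id=1, version=3):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] } with an empty DN
    and an empty simple password: the anonymous 'NULL bind' the plugin tests."""
    bind = ber_int(version) + tlv(0x04, b"") + tlv(0x80, b"")  # simple [0] ""
    return tlv(0x30, ber_int(message_id) + tlv(0x60, bind))


def base_search_request(message_id, base_dn):
    """SearchRequest [APPLICATION 3], base scope, filter (objectClass=*).
    base_dn="" is the rootDSE, which LDAPv3 servers normally expose to anyone;
    pass a naming context to see whether real entries are readable anonymously."""
    body = (
        tlv(0x04, base_dn.encode())   # baseObject
        + ber_int(0, 0x0A)            # scope: baseObject
        + ber_int(0, 0x0A)            # derefAliases: neverDerefAliases
        + ber_int(0)                  # sizeLimit (server default)
        + ber_int(0)                  # timeLimit (server default)
        + tlv(0x01, b"\x00")          # typesOnly FALSE
        + tlv(0x87, b"objectClass")   # filter: present [7]
        + tlv(0x30, b"")              # attributes: empty = all user attributes
    )
    return tlv(0x30, ber_int(message_id) + tlv(0x63, body))


def read_tlv(buf, pos=0):
    """Decode one BER element at pos; returns (tag, value bytes, next pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def protocol_op(data):
    """Split an LDAPMessage into (messageID, protocolOp tag, protocolOp bytes)."""
    tag, msg, _ = read_tlv(data)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(msg)
    op_tag, op, _ = read_tlv(msg, pos)
    return int.from_bytes(mid, "big"), op_tag, op


def parse_bind_response(data):
    """Return (messageID, resultCode, diagnosticMessage) from a BindResponse."""
    mid, op_tag, op = protocol_op(data)
    if op_tag != 0x61:  # BindResponse [APPLICATION 1]
        raise ValueError("not a BindResponse (tag 0x%02x)" % op_tag)
    _, code, pos = read_tlv(op)            # resultCode ENUMERATED
    _, _matched_dn, pos = read_tlv(op, pos)
    _, diag, _ = read_tlv(op, pos)
    return mid, int.from_bytes(code, "big"), diag.decode(errors="replace")


def bind_response(message_id, result_code, diagnostic=b""):
    """Server side of the exchange; used below to build constructed replies."""
    body = ber_int(result_code, 0x0A) + tlv(0x04, b"") + tlv(0x04, diagnostic)
    return tlv(0x30, ber_int(message_id) + tlv(0x61, body))


LDAP_SUCCESS = 0


def null_bind_accepted(response):
    """True when the server answered the anonymous bind with resultCode 0."""
    return parse_bind_response(response)[1] == LDAP_SUCCESS


# Constructed sample replies (not captured traffic): an accepting server and a
# refusing one (48 = inappropriateAuthentication).
ACCEPTED = bind_response(1, LDAP_SUCCESS)
REFUSED = bind_response(1, 48, b"anonymous bind disallowed")


def probe(host, port=389, timeout=5.0):
    """Live check (host/port are assumptions). Returns (bind code, diagnostic,
    tag of the first reply to a rootDSE base search): 0x64 SearchResultEntry
    means the anonymous session could read the entry, 0x65 SearchResultDone
    alone means it could not. Assumes each reply fits in one recv()."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(null_bind_request(1))
        _, code, diag = parse_bind_response(s.recv(4096))
        if code != LDAP_SUCCESS:
            return code, diag, None
        s.sendall(base_search_request(2, ""))
        return code, diag, protocol_op(s.recv(65536))[1]
```

On a v3 server a success reply to the bind alone proves little; repeat base_search_request() against a naming context returned by the rootDSE, and treat a SearchResultEntry there as the information disclosure this plugin describes.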

Solution

Configure the service to disallow NULL BINDs, or, where LDAP v3 clients need anonymous access to the rootDSE, require authentication for every other operation. On OpenLDAP this is the 'disallow bind_anon' directive (olcDisallows in cn=config); on Active Directory anonymous LDAP operations beyond the rootDSE are blocked by default and should stay blocked (the seventh character of the dSHeuristics attribute controls this).

Plugin Details

Severity: Medium

ID: 10723

File Name: ldap_null_bind.nasl

Version: 1.34

Type: remote

Family: Misc.

Published: 2001/08/13

Modified: 2018/11/28

Dependencies: 20870

Risk Information

Risk Factor: Medium

CVSS Score Source: manual

CVSS Score Rationale: Score based on potential information disclosure.

CVSS v2.0

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS v3.0

Base Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Vulnerability Information

Vulnerability Publication Date: 1999/03/15