org.sonar.l10n.py.rules.python.S4433.html Maven / Gradle / Ivy
Lightweight Directory Access Protocol (LDAP) servers provide two main authentication methods: the SASL and Simple ones. The
Simple Authentication method also breaks down into three different mechanisms:
- Anonymous Authentication
- Unauthenticated Authentication
- Name/Password Authentication
A server that accepts either the Anonymous or Unauthenticated mechanisms will accept connections from clients not providing
credentials.
Why is this an issue?
When configured to accept the Anonymous or Unauthenticated authentication mechanism, an LDAP server will accept connections from clients that do
not provide a password or other authentication credentials. Such users will be able to read or modify part or all of the data contained in the hosted
directory.
What is the potential impact?
An attacker exploiting unauthenticated access to an LDAP server can access the data that is stored in the corresponding directory. The impact
varies depending on the permission obtained on the directory and the type of data it stores.
Authentication bypass
If attackers get write access to the directory, they will be able to alter most of the data it stores. This might include sensitive technical data
such as user passwords or asset configurations. Such an attack can typically lead to an authentication bypass on applications and systems that use the
affected directory as an identity provider.
In such a case, all users configured in the directory might see their identity and privileges taken over.
Sensitive information leak
If attackers get read-only access to the directory, they will be able to read the data it stores. That data might include security-sensitive pieces
of information.
Typically, attackers might get access to user account lists that they can use in further intrusion steps. For example, they could use such lists to
perform password spraying, or related attacks, on all systems that rely on the affected directory as an identity provider.
If the directory contains some Personally Identifiable Information, an attacker accessing it might represent a violation of regulatory requirements
in some countries. For example, this kind of security event would go against the European GDPR law.
How to fix it
Code examples
The following code indicates an anonymous LDAP authentication vulnerability because it binds to a remote server using an Anonymous Simple
authentication mechanism.
Noncompliant code example
import ldap
def init_ldap():
connect = ldap.initialize('ldap://example:1389')
connect.simple_bind('cn=root') # Noncompliant
connect.simple_bind_s('cn=root') # Noncompliant
connect.bind_s('cn=root', None) # Noncompliant
connect.bind('cn=root', None) # Noncompliant
Compliant solution
import ldap
import os
def init_ldap():
connect = ldap.initialize('ldap://example:1389')
connect.simple_bind('cn=root', os.environ.get('LDAP_PASSWORD'))
connect.simple_bind_s('cn=root', os.environ.get('LDAP_PASSWORD'))
connect.bind_s('cn=root', os.environ.get('LDAP_PASSWORD'))
connect.bind('cn=root', os.environ.get('LDAP_PASSWORD'))
Resources
Documentation
- RFC 4513 - Lightweight Directory Access Protocol (LDAP): Authentication
Methods and Security Mechanisms - Bind operations
Standards