[ldapext] LDAP and the TLS renegotiation vulnerabilities
Kurt Zeilenga <Kurt.Zeilenga@isode.com> Wed, 11 November 2009 07:36 UTC
Return-Path: <Kurt.Zeilenga@isode.com>
X-Original-To: ldapext@core3.amsl.com
Delivered-To: ldapext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 329A73A6A24 for <ldapext@core3.amsl.com>; Tue, 10 Nov 2009 23:36:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[AWL=-0.551, BAYES_00=-2.599, SARE_LWSHORTT=1.24]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ufxvHusqMeE8 for <ldapext@core3.amsl.com>; Tue, 10 Nov 2009 23:36:09 -0800 (PST)
Received: from rufus.isode.com (rufus.isode.com [62.3.217.251]) by core3.amsl.com (Postfix) with ESMTP id CDDE63A6C2C for <ldapext@ietf.org>; Tue, 10 Nov 2009 23:36:08 -0800 (PST)
Received: from [192.168.1.102] ((unknown) [75.141.233.128]) by rufus.isode.com (submission channel) via TCP with ESMTPSA id <SvppfwAJmTnz@rufus.isode.com> for <ldapext@ietf.org>; Wed, 11 Nov 2009 07:36:35 +0000
X-SMTP-Protocol-Errors: NORDNS
From: Kurt Zeilenga <Kurt.Zeilenga@isode.com>
Date: Tue, 10 Nov 2009 23:35:51 -0800
Message-Id: <E5FC1A3D-64EA-4CB1-9F32-1B3E7C331810@isode.com>
To: ldapext <ldapext@ietf.org>
X-Mailer: Apple Mail (2.1076)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"; delsp="yes"
Content-Transfer-Encoding: 7bit
Subject: [ldapext] LDAP and the TLS renegotiation vulnerabilities
X-BeenThere: ldapext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: LDAP Extension Working Group <ldapext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ldapext>, <mailto:ldapext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ldapext>
List-Post: <mailto:ldapext@ietf.org>
List-Help: <mailto:ldapext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ldapext>, <mailto:ldapext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Nov 2009 07:36:10 -0000
Over the last few days I took some time to study into how LDAP is impacted by the TLS renegotiation vulnerability. This note discusses my preliminary findings. Suggested reading: http://extendedsubset.com/?p=8 http://extendedsubset.com/Renegotiating_TLS.pdf http://www.ietf.org/id/draft-rescorla-tls-renegotiation-00.txt Discussion: First, disabling TLS renegotiations in the server prevents all of these attacks discussed below. Unfortunately, doing this will have some negative impacts. But it might be best short term solution, but it's not without some issues and may be inappropriate for some deployments (such as those relying on long-lived TLS protected LDAP sessions). Assuming TLS renegotiations are enabled in the server.... The most significant impact LDAP is in servers supporting the non- standard "implicit bind" (or "auto bind") feature. This feature, which dates back to LDAPv2 and SSL days, provides for use of client certificates to establish the client's identity without a requirement to perform a LDAP Bind operation. That is, the client would simply assert its certificate as part of the TLS handshake and the server would, if the certificate was acceptable, process all future operations as the identity it associates with the certificate. The attacker can use the TLS renegotiation vulnerability to cause the server to process any request, including update requests, as the identity associated with the client's certificate. Aside from disabling TLS renegotiating in the server, disabling LDAP 'implicit bind' feature prevents this. There is little excuse for clients not to be doing StartTLS + LDAP SASL EXTERNAL Bind. A milder impact to LDAP is in clients which do: StartTLS ++ establish TLS, assert certificate + LDAP SASL EXTERNAL Bind + subsequent LDAP requests Because the LDAP SASL EXTERNAL BIND requests tend to have a predictable encoding and the TLS vulnerabilities allow for prefixing arbitrary data, it is possible for the attacker to construct an LDAP Simple "anonymous" Bind which eclipses the LDAP SASL EXTERNAL BIND and, hence, causes the subsequent LDAP requests to be processed "anonymously" instead of as the identity associated with the client's certificate. This could lead to the client thinking some resources were absent when they actually exist. There are variants of this scenario but this seems to be the most interesting. Aside from disabling TLS renegotiating in the server, this particular attack can be mitigated by the client by initiating and completing LDAP search operation, such as as a read of the Root DSE, after the TLS handshake but before initiating the LDAP SASL EXTERNAL Bind request. There may well be other possible attacks. Recommendations: Disable TLS renegotiations in the server. Disable 'implicit bind' in the server. Clients should use LDAPv3's StartTLS + SASL EXTERNAL instead. Clients providing client certificates in TLS handshakes might consider doing an LDAP Search before the LDAP SASL EXTERNAL Bind as discussed above. Implement support in clients and servers for the TLS protocol fix (draft-rescorla-tls-renegotiation). Early implementations of this fix in commonly used TLS libraries are already emerging. Summary: The TLS renegotiation vulnerability can be used to mount attacks upon LDAP applications, especially those relying on non-standard LDAP 'implicit' binds. A fix to TLS (draft-rescorla-tls-renegotiation) is in the works and LDAP vendors should start work on supporting it. By following the above recommendations, the impact of the TLS renegotiation issues upon LDAP can be minimized. -- Kurt NOTE: I have purposely left off key details on how to mount such attacks to slow unskilled attackers.
- [ldapext] LDAP and the TLS renegotiation vulnerab… Kurt Zeilenga
- Re: [ldapext] LDAP and the TLS renegotiation vuln… Michael Ströder