CLDAP Reflection Vulnerability Check

I've been tasked with writing a check for our organization to locate systems vulnerable to connectionless LDAP reflection vulnerabilities. Writing a check doesn't look like it will be difficult; however, writing an efficient check that follows best practice may be a slightly different story. So I'm asking for input.

Looking through existing checks that interact with LDAP, I see either Java JNDI libraries being called for interactions or mostly banner-based checks for anything newer. I'm curious, as it looks like CLDAP is now classified as 'Historic' (http://www.rfc-editor.org/rfc/rfc3352.txt), and what I've found so far is that CLDAP isn't listed as a supported protocol anywhere I've been able to find in the library's documentation (https://docs.oracle.com/javase/7/docs/technotes/guides/jndi/jndi-ldap.html). Would it be best practice to rely on nmap to locate and define the protocol on UDP/389 and then flag it as vulnerable, or to build a message for the protocol and confirm the response within a Nexpose check?

Looking at the deployed ./rapid7/nexpose/nse/nmap/nmap-payloads for the current installation, I don't see the connectionless LDAP probe content introduced to nmap back in 2016 (from around when this was initially being touted as a big deal). The pull request for the probe content: https://github.com/nmap/nmap/pull/354

For the short term, I'm deploying the probe content to my scan engines to see if just using the nmap service detection will be reliable enough. As of right now, Nexpose can't detect the LDAP service on UDP port 389 at all because the port doesn't affirmatively respond without an appropriate probe in the request payload.

Initial resource describing the issue in detail: https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/cldap-threat-advisory.pdf

Posted by BrianWGray 7 months ago
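The second option the question weighs, building the protocol message and confirming the reply, as an added Python example that is not Nexpose, nmap or the poster's code. It sends a standard rootDSE search (base "", scope baseObject, filter (objectClass=*)) to UDP/389, accepts only a searchResEntry carrying our messageID as proof of a CLDAP responder, and reports response bytes per request byte, which is the reflection exposure the linked advisory describes; the target host is a parameter, no address is assumed.

```python
import socket


def ber(tag: int, content: bytes) -> bytes:  # one BER TLV, short- or long-form length
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def read_tlv(data: bytes, pos: int = 0):
    """One BER TLV at pos -> (tag, content, next_pos); ValueError if truncated."""
    if pos + 2 > len(data):
        raise ValueError("truncated TLV")
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    if pos + length > len(data):
        raise ValueError("truncated TLV")
    return tag, data[pos:pos + length], pos + length


def build_rootdse_query(msg_id: int = 1) -> bytes:
    # searchRequest fields: baseObject "" (rootDSE), scope baseObject, derefAliases never,
    # sizeLimit 0, timeLimit 0, typesOnly FALSE, filter present(objectClass), attrs = all
    fields = [(0x04, b""), (0x0A, b"\x00"), (0x0A, b"\x00"), (0x02, b"\x00"),
              (0x02, b"\x00"), (0x01, b"\x00"), (0x87, b"objectClass"), (0x30, b"")]
    search = b"".join(ber(t, v) for t, v in fields)
    return ber(0x30, ber(0x02, bytes([msg_id])) + ber(0x63, search))  # 0x63 = searchRequest


def parse_cldap_response(data: bytes, expect_id: int = 1) -> list:
    """Op tags (0x64 searchResEntry, 0x65 searchResDone) of the messages answering our ID."""
    ops, pos = [], 0
    while pos < len(data):
        tag, msg, pos = read_tlv(data, pos)
        id_tag, id_val, off = read_tlv(msg, 0)
        op_tag, _, _ = read_tlv(msg, off)
        if tag == 0x30 and id_tag == 0x02 and int.from_bytes(id_val, "big") == expect_id:
            ops.append(op_tag)  # 0x30 = LDAPMessage; replies to other IDs are ignored
    return ops


def probe(host: str, port: int = 389, timeout: float = 3.0):
    """One UDP rootDSE query -> (answers_cldap, response_bytes / request_bytes), None if silent."""
    query = build_rootdse_query()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (host, port))
        try:
            data, _ = s.recvfrom(65535)
        except socket.timeout:
            return None  # no CLDAP on this port, or filtered
    return 0x64 in parse_cldap_response(data), len(data) / len(query)
```

probe(host) runs the check against one address; a True first element means the port speaks CLDAP, and the ratio is what a scanner would record as the amplification available to a reflector.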