PowerProtect DP Series Appliance and IDPA: LDAP Anonymous Directory Access Permitted on Appliance Configuration Manager.

Summary: A customer reported the following vulnerability on their DP4400 running IDPA version 2.7.1. The Lightweight Directory Access Protocol (LDAP) can be used to provide information about users, groups, etc. The LDAP service on this system allows anonymous connections. Access to this information by malicious users may assist them in launching further attacks. ...

This article is not tied to a specific product. Not all product versions are identified in this article.

Symptoms

The customer is using an IDPA DP4400 system with internal LDAP and, after running a security scan against the IDPA system, received an anonymous LDAP bind finding.

Cause

The OpenLDAP service (slapd) on the Appliance Configuration Manager (ACM) accepts anonymous binds, so an unauthenticated user with network access to the ACM can enumerate users, groups and other directory entries.

Resolution

NOTE: After LDAP anonymous lookup is disabled in ACM, the ACM password-changing workflow raises a code exception on IDPA software version 2.7.3 and earlier. If a password change is required after applying this fix, follow KB 000212941 to temporarily re-enable LDAP anonymous lookup in ACM, complete the password change, and then disable anonymous lookup again.


Use the following steps to disable LDAP anonymous directory access on the Appliance Configuration Manager.

1. Open an SSH session to the ACM and log in as the root user.


2. Restart LDAP using the following command:

systemctl restart slapd

3. Create an LDIF file using the following command:
 
vi /etc/openldap/ldap_disable_bind_anon.ldif

Paste the following content in the file:
dn: cn=config
changetype: modify
add: olcDisallows
olcDisallows: bind_anon

dn: cn=config
changetype: modify
add: olcRequires
olcRequires: authc

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcRequires
olcRequires: authc

Then load the file into the cn=config database on the ACM. The command connects over the local ldapi:/// socket and authenticates as root with SASL EXTERNAL (peer credentials), as the sample output shows; ldapadd accepts the changetype: modify records because it is ldapmodify with -a:
 
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/ldap_disable_bind_anon.ldif 

Sample Output
acm-xxxx:~ # ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/ldap_disable_bind_anon.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"

modifying entry "cn=config"

modifying entry "olcDatabase={-1}frontend,cn=config"

4. Verify that the fix is in place by attempting an anonymous simple bind and search (ldapsearch -x with no -D bind DN) against the ACM. Before the fix this lists directory DNs; after the fix the bind is refused with LDAP result 48:

On versions 2.6 and above, run the following command:
ldapsearch -x -b "dc=idpa,dc=local" "*" -h <ACM_IP_ADDRESS_OR_FQDN> |awk '/dn: / {print $2}'

On versions 2.5 and below, run the following command:
ldapsearch -x -b "dc=idpa,dc=com" "*" -h <ACM_IP_ADDRESS_OR_FQDN> |awk '/dn: / {print $2}'

Sample Output:
acm-xxxxx:~ # ldapsearch -x -b "dc=idpa,dc=local" "*" -h acm-5800-crk.dp.ce.gslabs.lab.emc.com |awk '/dn: / {print $2}'
ldap_bind: Inappropriate authentication (48)
        additional info: anonymous bind disallowed
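The procedure above, as an added example that is not from the Dell KB: a small POSIX shell helper set that generates the same LDIF, reads back the current olcDisallows/olcRequires values before applying it (the KB's LDIF uses add:, which fails with "Type or value exists (20)" if a value is already present, so check first rather than re-running it blindly), and classifies the output of the step-4 anonymous probe the way a scanner would. The base DN, ACM hostname and the sample probe outputs in the comments are assumptions or constructed data; the live helpers only run when you call them on the ACM, and they use the -H ldap:// URI form instead of the deprecated -h option.

```shell
#!/bin/sh
# Added example (not from the Dell KB). Helpers around the ACM slapd cn=config
# change: generate the LDIF, inspect current policy, apply it, and classify an
# anonymous probe. Assumptions: base DN is dc=idpa,dc=local (2.6+) or
# dc=idpa,dc=com (2.5 and earlier); ldapsearch/ldapmodify exit with the LDAP
# result code; root on the ACM maps to the config rootDN via SASL EXTERNAL.

# Emit the KB's LDIF. It uses "add:" for every attribute, so applying it a
# second time fails with "Type or value exists (20)"; see current_anon_policy.
build_disable_ldif() {
    cat <<'EOF'
dn: cn=config
changetype: modify
add: olcDisallows
olcDisallows: bind_anon

dn: cn=config
changetype: modify
add: olcRequires
olcRequires: authc

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcRequires
olcRequires: authc
EOF
}

# Classify captured stdout+stderr ($1) of an anonymous search (-x, no -D):
#   disallowed : bind refused with result 48  -> fix is in place
#   exposed    : entries came back            -> anonymous access still allowed
#   unknown    : anything else (unreachable host, wrong base DN, ...)
classify_anon_probe() {
    case "$1" in
        *"anonymous bind disallowed"*|*"Inappropriate authentication (48)"*) echo disallowed ;;
        *"dn: "*) echo exposed ;;
        *) echo unknown ;;
    esac
}

# Number of DNs an anonymous search returned; this is what a scanner reports.
count_exposed_dns() {
    printf '%s\n' "$1" | awk '/^dn: / {n++} END {print n+0}'
}

# --- live helpers: run on the ACM as root, not executed by the checks below ---

# Show olcDisallows/olcRequires currently set on cn=config and the frontend DB,
# so you know whether "add:" or "replace:" is appropriate before applying.
current_anon_policy() {
    ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config \
        '(|(cn=config)(olcDatabase={-1}frontend))' olcDisallows olcRequires 2>/dev/null
}

# Apply the LDIF over the local socket; cn=config changes persist in slapd.d
# without a restart.
apply_disable_anon() {
    build_disable_ldif | ldapmodify -Y EXTERNAL -H ldapi:///
}

# Anonymous probe from any host that can reach the ACM: $1 = host, $2 = base DN.
probe_anon_bind() {
    out=$(ldapsearch -x -H "ldap://$1" -b "$2" '(objectClass=*)' dn 2>&1)
    classify_anon_probe "$out"
}
```

Run `current_anon_policy` first: if cn=config already shows `olcRequires: authc`, change that record's `add:` to `replace:` (or drop it) before calling `apply_disable_anon`, then run `probe_anon_bind <ACM_host> dc=idpa,dc=local` from the scanner's network position, not only from the ACM itself.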

Additional Information

NOTE: An issue has been reported after following the steps above.

After LDAP anonymous lookup is disabled in ACM, the ACM password-changing workflow raises a code exception on IDPA software version 2.7.3 and earlier. If a password change is required on the appliance after disabling LDAP anonymous access, follow Article 000212941 to temporarily re-enable LDAP anonymous lookup in ACM, complete the password change, and then disable anonymous lookup again.


Affected Products

PowerProtect Data Protection Software, Integrated Data Protection Appliance Family, Integrated Data Protection Appliance Software

Products

PowerProtect DP4400, PowerProtect DP5300, PowerProtect DP5800, PowerProtect DP8300, PowerProtect DP8800, PowerProtect DP5900, PowerProtect DP8400, PowerProtect DP8900
Article Properties
Article number: 000196092
Article type: Solution
Last modified: 03 May 2023
Version: 7