PowerProtect DP Series Appliance and IDPA: LDAP Anonymous Directory Access Permitted on Appliance Configuration Manager.

Summary: A customer reported the following vulnerability on their DP4400 running IDPA version 2.7.1. The Lightweight Directory Access Protocol (LDAP) can be used to provide information about users, groups, and similar directory objects. The LDAP service on this system allows anonymous connections, and access to this information by malicious users may assist them in launching further attacks. ...


Symptoms

A customer running an IDPA DP4400 with the internal LDAP directory receives an anonymous LDAP bind finding after running a security scan against the IDPA system.

Cause

The Appliance Configuration Manager (ACM) LDAP service permits anonymous directory access, so an unauthenticated user can enumerate users, groups, and other directory contents.

Resolution

NOTE: Disabling the LDAP anonymous lookup in ACM triggers a code exception in the ACM password-changing workflow on IDPA software version 2.7.3 and earlier. If a password change is required after applying this security fix, follow KB 000212941 to re-enable the LDAP anonymous lookup in ACM. Once the password change has completed successfully, the LDAP anonymous lookup can be disabled again.


Use the following steps to disable LDAP anonymous directory access on the Appliance Configuration Manager.

1. Open an SSH session to the ACM and log in as the 'root' user.

2. Restart the LDAP service with the following command: systemctl restart slapd

3. Create an LDIF file with the following command:

vi /etc/openldap/ldap_disable_bind_anon.ldif

Paste the following content in the file:
dn: cn=config
changetype: modify
add: olcDisallows
olcDisallows: bind_anon

dn: cn=config
changetype: modify
add: olcRequires
olcRequires: authc

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcRequires
olcRequires: authc

Then apply the LDIF to the running configuration on the ACM. The command authenticates over the local ldapi:/// socket with SASL EXTERNAL, so the root shell is mapped to the cn=config root and no directory password is needed; the change takes effect immediately and is persisted in cn=config:

ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/ldap_disable_bind_anon.ldif

Sample Output
acm-xxxx:~ # ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/ldap_disable_bind_anon.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"

modifying entry "cn=config"

modifying entry "olcDatabase={-1}frontend,cn=config"

4. Run the following anonymous search (-x with no -D/-w) to confirm that the fix is in place. The expected result is "ldap_bind: Inappropriate authentication (48)" with "anonymous bind disallowed"; if the command instead prints a list of DNs, anonymous access is still enabled.

On versions 2.6 and above, run the following command:
ldapsearch -x -b "dc=idpa,dc=local" "*" -h <ACM_IP_ADDRESS_OR_FQDN> |awk '/dn: / {print $2}'

On versions 2.5 and below, run the following command:
ldapsearch -x -b "dc=idpa,dc=com" "*" -h <ACM_IP_ADDRESS_OR_FQDN> |awk '/dn: / {print $2}'

Sample Output:
acm-xxxxx:~ # ldapsearch -x -b "dc=idpa,dc=local" "*" -h acm-5800-crk.dp.ce.gslabs.lab.emc.com |awk '/dn: / {print $2}'
ldap_bind: Inappropriate authentication (48)
        additional info: anonymous bind disallowed
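For a check that does not depend on ldapsearch being installed on the scanning host, the probe below reproduces what a vulnerability scanner does: it builds the raw LDAP BindRequest with an empty DN and empty password (the anonymous bind), sends it, and decodes the BindResponse resultCode. Result code 0 means the finding is still present; result code 48 (inappropriateAuthentication) is what slapd returns once olcDisallows: bind_anon is set, matching the ldapsearch output above. This is an added example written for this article, not Dell code; the sample server reply it decodes offline is constructed here, not captured from an appliance, and the host name is taken from the command line.

```python
"""Probe whether an LDAP server still accepts an anonymous simple bind.

Builds the BER-encoded BindRequest (RFC 4511) directly instead of relying on
a client library, and decodes the BindResponse so the result can be asserted
on. The constructed reply used offline mirrors the "anonymous bind disallowed"
answer slapd gives after olcDisallows: bind_anon is applied.
"""
import socket

LDAP_PORT = 389
SUCCESS = 0                        # resultCode: bind accepted (finding still present)
INAPPROPRIATE_AUTHENTICATION = 48  # resultCode slapd uses for a disallowed anonymous bind


def ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber(tag, payload):
    """One BER TLV: tag, length, value."""
    return bytes([tag]) + ber_len(len(payload)) + payload


def read_tlv(buf, pos):
    """Decode one TLV at buf[pos]; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def build_anonymous_bind(message_id=1):
    """LDAPMessage { messageID, BindRequest { version 3, name "", simple "" } }.

    An empty DN with an empty simple password is the anonymous bind a scanner
    sends; it is the same request `ldapsearch -x` makes without -D/-w.
    """
    version = ber(0x02, b"\x03")                        # INTEGER 3
    name = ber(0x04, b"")                               # LDAPDN "" (OCTET STRING)
    simple = ber(0x80, b"")                             # AuthenticationChoice [0] simple, empty
    bind_request = ber(0x60, version + name + simple)   # [APPLICATION 0] BindRequest
    return ber(0x30, ber(0x02, bytes([message_id])) + bind_request)


def build_bind_response(message_id, result_code, diagnostic):
    """Constructed server reply for offline use (not captured from an appliance)."""
    body = (ber(0x0A, bytes([result_code]))     # resultCode ENUMERATED
            + ber(0x04, b"")                    # matchedDN
            + ber(0x04, diagnostic.encode()))   # diagnosticMessage
    return ber(0x30, ber(0x02, bytes([message_id])) + ber(0x61, body))  # [APPLICATION 1]


def parse_bind_response(data):
    """Return (resultCode, diagnosticMessage) from a BindResponse LDAPMessage."""
    tag, message, _ = read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = read_tlv(message, 0)            # skip messageID
    tag, op, _ = read_tlv(message, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse (tag 0x%02x)" % tag)
    _, rc, pos = read_tlv(op, 0)                # resultCode
    _, _, pos = read_tlv(op, pos)               # matchedDN (ignored)
    _, diag, _ = read_tlv(op, pos)              # diagnosticMessage
    return int.from_bytes(rc, "big"), diag.decode("utf-8", "replace")


def anonymous_bind_allowed(result_code):
    """True when the scanner finding is still present."""
    return result_code == SUCCESS


def probe(host, port=LDAP_PORT, timeout=5.0):
    """Send the anonymous bind to a live server (requires network access).

    A BindResponse is tens of bytes, so a single recv() is enough here.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_anonymous_bind())
        data = sock.recv(4096)
    return parse_bind_response(data)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        rc, diag = probe(sys.argv[1])           # e.g. python probe.py <ACM_IP_ADDRESS_OR_FQDN>
    else:
        rc, diag = parse_bind_response(build_bind_response(
            1, INAPPROPRIATE_AUTHENTICATION, "anonymous bind disallowed"))
    print("resultCode=%d (%s): anonymous bind %s" % (
        rc, diag or "-", "ALLOWED" if anonymous_bind_allowed(rc) else "rejected"))
```

Run it with the ACM address as the only argument after applying the LDIF; a resultCode of 48 confirms the change, while 0 means the frontend database still accepts anonymous binds and the ldapadd step should be re-checked. The request bytes are fixed (30 0c 02 01 01 60 07 02 01 03 04 00 80 00), which also makes them a convenient signature for spotting anonymous bind attempts against port 389 in a packet capture.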

Additional Information

NOTE: An issue has been reported after following the steps above.

Disabling the LDAP anonymous lookup in ACM triggers a code exception in the ACM password-changing workflow on IDPA software version 2.7.3 and earlier. If a password change is required on the appliance after disabling LDAP anonymous access, follow Article 000212941 to re-enable the LDAP anonymous lookup in ACM. Once the password change has completed successfully, the LDAP anonymous lookup can be disabled again.


Affected Products

PowerProtect Data Protection Software, Integrated Data Protection Appliance Family, Integrated Data Protection Appliance Software

Products

PowerProtect DP4400, PowerProtect DP5300, PowerProtect DP5800, PowerProtect DP8300, PowerProtect DP8800, PowerProtect DP5900, PowerProtect DP8400, PowerProtect DP8900
Article Properties
Article Number: 000196092
Article Type: Solution
Last Modified: 03 May 2023
Version: 7