Grur Öndarö contributed as a second author to the paper LanDscAPe: Exploring LDAP Weaknesses and Data Leaks at Internet Scale, which was published at the internationally renowned USENIX Security Symposium 2024. In their work, the researchers conducted a comprehensive security analysis of publicly accessible LDAP (Lightweight Directory Access Protocol) servers on the internet and uncovered numerous vulnerabilities.
Personal Data and Passwords
LDAP servers are used for identity management and authentication within organizations, often storing sensitive personal data such as usernames, email addresses, and passwords. Using their custom-built tool LanDscAPe, the researchers scanned the entire IPv4 address space and identified over 82,000 LDAP servers. Among these, more than 10,000 servers were found with insecure configurations. Furthermore, 4,900 of these servers exposed personal data, and 1,800 even leaked passwords, either in hashed or plaintext form. In total, 3.9 million passwords were found.
Insecure Communication and Insufficient Update Policy
A significant portion of LDAP servers use outdated and insecure TLS configurations, making them vulnerable to man-in-the-middle attacks. For example, only 65.92% of TLS-capable servers used recommended encryption methods. Additionally, the analysis revealed 616 servers affected by publicly known vulnerabilities (CVEs). Moreover, over 9,700 servers were found leaking sensitive internal information that could be exploited for reconnaissance or targeted attacks against organizations.
Internal Corporate Information
The investigation also demonstrated how easily attackers could obtain valuable information about organizations. The exposed LDAP servers often revealed details about the internal structure and configuration of organizations, which could be used in social engineering attacks or for reconnaissance in cyberattacks. The researchers found that certain servers not only leaked user credentials but also potentially critical internal details such as password policies, which could make password cracking easier.
Responsible Disclosure
To mitigate these risks, a coordinated disclosure campaign was launched, collaborating with a national CERT to notify the affected organizations. A follow-up investigation conducted three months later showed that around 26% of the servers leaking credentials were no longer publicly accessible, highlighting the effectiveness of the notification efforts.
Summary and Outlook
The study also revealed concerning practices: some servers still use LDAPv2, an outdated protocol version, and many servers return data without any authentication. These findings suggest that LDAP, despite being crucial for many organizations, has not received the necessary attention from administrators, leading to serious security risks.
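The two practices named above (anonymous access and acceptance of LDAPv2) are ones an administrator can verify on their own servers. The following is an added example, not the LanDscAPe tool or any code from the paper: it hand-encodes the anonymous BindRequest from RFC 4511 with only the standard library and reads the resultCode from the BindResponse. The function and parameter names are assumptions; a resultCode of 0 means the server accepted the anonymous bind, 2 (protocolError) means the requested protocol version was refused, and 48 (inappropriateAuthentication) means anonymous binds are disallowed.

```python
import socket

def ber(tag: int, payload: bytes) -> bytes:
    """Encode one BER TLV with a definite length (short or long form)."""
    n = len(payload)
    if n < 128:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + payload

def read_tlv(buf: bytes, pos: int = 0):
    """Decode one TLV at buf[pos:], returning (tag, value, next_pos).
    Assumes single-byte tags, which holds for every LDAP element."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:                       # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def bind_request(message_id: int = 1, version: int = 3) -> bytes:
    """Anonymous simple BindRequest: empty name and empty password (RFC 4511 4.2).
    LDAPMessage { messageID, [APPLICATION 0] { version, name, simple [0] } }"""
    body = ber(0x02, bytes([version])) + ber(0x04, b"") + ber(0x80, b"")
    return ber(0x30, ber(0x02, bytes([message_id])) + ber(0x60, body))

def parse_bind_response(data: bytes) -> int:
    """Return the LDAPResult resultCode carried in a BindResponse ([APPLICATION 1])."""
    _, msg, _ = read_tlv(data)             # outer LDAPMessage SEQUENCE
    _, _, pos = read_tlv(msg)              # messageID (skipped)
    tag, op, _ = read_tlv(msg, pos)        # protocolOp
    if tag != 0x61:
        raise ValueError(f"expected BindResponse (0x61), got 0x{tag:02x}")
    _, code, _ = read_tlv(op)              # resultCode ENUMERATED is the first element
    return int.from_bytes(code, "big")

def check_anonymous_bind(host: str, port: int = 389, version: int = 3, timeout: float = 5.0) -> int:
    """Send an anonymous bind to one of your own directory servers and return the resultCode.
    Assumes the small BindResponse arrives in a single recv(); run with version=2 to
    see whether the server still accepts the obsolete LDAPv2 handshake."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(bind_request(version=version))
        return parse_bind_response(sock.recv(4096))
```

A successful anonymous bind does not by itself prove data exposure; the next step for an audit is an authenticated comparison of what an anonymous search of the directory actually returns.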
This research emphasizes the need for organizations to reassess and improve the security configurations of their LDAP servers. Given the widespread exposure of sensitive data and the potential consequences of these security gaps, addressing these issues is essential to protect both organizational and user data from malicious actors.