It is a minor vulnerability as it potentially exposes information about
your environment that may be useful to an attacker. It doesn't grant
access but may make an attack easier.

However, it is also just the server working as designed; the vulnerability
is baked into the spec.

If you don't use LDAP, turn it off (ditto for all services; they can't be
exploited if they aren't running).
If you don't do client authentication to the i (intraserver only), block
LDAP at the network boundary between the user & i's LAN segments.
If disabling the null requests won't break your environment (needs
testing!), disable that feature. This may be possible on the i via a
configuration change; if not, a network appliance like a content-aware
firewall or an intrusion prevention system (IPS) can drop null requests.



On Tue, May 14, 2013 at 7:15 AM, Mike Cunningham <mike.cunningham@xxxxxxx> wrote:

It came from a Nessus scan our data security officer runs monthly. Flagged
as a Medium level threat.

-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx [mailto:
midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Roger Harman
Sent: Tuesday, May 14, 2013 2:19 AM
To: 'Midrange Systems Technical Discussion'
Subject: RE: LDAP null base search

Is it really a vulnerability? The link you provided states that a null
base search is required on a V3 LDAP. The docs that I looked at from IBM
note that IBM-i implements V3 of LDAP.


http://publib.boulder.ibm.com/infocenter/iseries/v5r4/index.jsp?topic=%2Frzahy%2Frzahyconcepts.htm



-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx
[mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Mike Cunningham
Sent: Monday, May 13, 2013 7:33 PM
To: Midrange Systems Technical Discussion
Subject: LDAP null base search

http://www.tenable.com/plugins/index.php?view=single&id=10722

Our i Server was tagged as having a security issue due to allowing an LDAP
null base search. I have been trying to find some reference to how to close
this hole but coming up blank on Google searches. I got a few hits but
nothing about how to turn it off. Has anyone else hit this and know how to
close it?

Mike Cunningham




--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take a
moment to review the archives at http://archive.midrange.com/midrange-l.
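The finding in the thread is an LDAPv3 SearchRequest with an empty base DN (the "null base") and scope baseObject, which hands the root DSE to any unauthenticated client. The script below is an added example, not code from this thread, from IBM, or from Tenable: it hand-encodes that one request per RFC 4511, sends it, and reports whether entries came back, so the mitigations suggested above (turning the feature off, blocking LDAP at the boundary) can be confirmed from the user LAN side. The host, port and attribute list are assumptions chosen for the example; the sample replies are constructed, not captured from a real server.

```python
"""Check whether an LDAP server still answers an anonymous null-base search.
Added example (not from the thread, IBM or Tenable); hand-rolled BER per RFC 4511."""
import socket
import sys

# Root DSE attributes to request (assumption: a common, harmless set).
ROOT_DSE_ATTRS = [b"namingContexts", b"supportedLDAPVersion", b"vendorName", b"vendorVersion"]


def ber(tag: int, payload: bytes) -> bytes:
    """BER TLV with a definite length: short form under 128 bytes, long form above."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    length = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + payload


def ber_int(value: int) -> bytes:
    """Non-negative INTEGER; the chosen width keeps the sign bit clear."""
    return ber(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def build_null_base_search(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, SearchRequest } with baseObject "" and scope baseObject."""
    search = (
        ber(0x04, b"")                    # baseObject: empty DN, the "null base"
        + ber(0x0A, b"\x00")              # scope: baseObject(0)
        + ber(0x0A, b"\x00")              # derefAliases: neverDerefAliases(0)
        + ber_int(0)                      # sizeLimit: server default
        + ber_int(0)                      # timeLimit: server default
        + ber(0x01, b"\x00")              # typesOnly: FALSE
        + ber(0x87, b"objectClass")       # filter: present(objectClass), i.e. (objectClass=*)
        + ber(0x30, b"".join(ber(0x04, a) for a in ROOT_DSE_ATTRS))
    )
    return ber(0x30, ber_int(message_id) + ber(0x63, search))  # 0x63 = [APPLICATION 3]


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for the TLV at pos; ValueError if truncated."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + length], pos + length


def classify_response(data: bytes) -> dict:
    """Count SearchResultEntry (0x64) messages and read the SearchResultDone (0x65) code."""
    entries, result_code, pos = 0, None, 0
    while pos < len(data):
        tag, msg, pos = read_tlv(data, pos)
        if tag != 0x30:
            raise ValueError("not an LDAPMessage")
        _, _, op_pos = read_tlv(msg)                  # skip messageID
        op_tag, op, _ = read_tlv(msg, op_pos)
        if op_tag == 0x64:
            entries += 1
        elif op_tag == 0x65:
            result_code = read_tlv(op)[1][0]          # LDAPResult.resultCode ENUMERATED
    return {"entries": entries, "result_code": result_code}


def check_null_base_search(host: str, port: int = 389, timeout: float = 5.0) -> dict:
    """'exposed' is True when the root DSE was returned to an anonymous client."""
    data = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_null_base_search())
            while True:
                try:
                    chunk = sock.recv(4096)
                except socket.timeout:
                    break
                if not chunk:
                    break
                data += chunk
                try:
                    if classify_response(data)["result_code"] is not None:
                        break                         # SearchResultDone seen
                except ValueError:
                    continue                          # message still incomplete
    except OSError as exc:                            # refused/filtered: service off or blocked
        return {"reachable": False, "exposed": False, "detail": str(exc)}
    try:
        result = classify_response(data)
    except ValueError:
        result = {"entries": 0, "result_code": None}
    return {"reachable": True, "exposed": result["entries"] > 0, "detail": result}


def sample_response(exposed: bool) -> bytes:
    """Constructed reply for offline testing, not captured from any real server."""
    code = bytes([0 if exposed else 50])              # success(0) or insufficientAccessRights(50)
    done = ber(0x30, ber_int(1) + ber(0x65, ber(0x0A, code) + ber(0x04, b"") + ber(0x04, b"")))
    if not exposed:
        return done
    attr = ber(0x30, ber(0x04, b"vendorName") + ber(0x31, ber(0x04, b"EXAMPLE")))
    return ber(0x30, ber_int(1) + ber(0x64, ber(0x04, b"") + ber(0x30, attr))) + done


if __name__ == "__main__":
    print(check_null_base_search(sys.argv[1] if len(sys.argv) > 1 else "ldap.example.test"))
```

Run it from the segment the scanner runs from, before and after the change: a refused connection means the port is off or filtered, a reply with zero entries (typically resultCode 32 or 50) means the server is up but no longer answers the null base anonymously, and one or more entries means the root DSE is still exposed and the Nessus plugin will keep flagging it.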

