[midPoint] Security Advisory: AD and LDAP connectors do not check certificate validity

Radovan Semancik radovan.semancik at evolveum.com
Wed Apr 17 16:43:41 CEST 2019


Date: 17 Apr 2019
Severity: High (CVSS 8.0)
Affected versions: all AD and LDAP connector versions (indirectly: all 
midPoint versions)
Fixed in versions: 2.1, 1.6.1

Description

LDAP and Active Directory connectors are not properly checking TLS/SSL 
certificate validity.

Severity and Impact

This is a high-severity issue. The connections are open to a 
man-in-the-middle attack. The severity of this attack may be limited by 
the fact that in many midPoint deployments the AD and LDAP connections 
are established over trusted networks. However, as midPoint transfers 
sensitive information (including credentials) over such connections, users 
are advised to mitigate this issue immediately.

Mitigation

The LDAP and LDAP-based Active Directory connectors used in supported 
midPoint versions were fixed. MidPoint deployments should update the 
LDAP/AD connector bundle as soon as possible. Recommended connector 
versions:

midPoint 3.9 and later: LDAP connector bundle version 2.1
midPoint 3.6.x, 3.7.x, 3.8.x: LDAP connector bundle version 1.6.1

Discussion and Explanation

These LDAP-based connectors use Apache Directory API as the library for 
accessing LDAP servers. The default setting of Apache Directory API was 
to use a "no verification" trust manager, so certificate verification 
was skipped entirely. It is not clear whether this was the original 
default or whether it was changed during the course of LDAP connector 
development; therefore we consider all pre-existing LDAP and AD 
connector versions vulnerable.

Connector code was updated to use the system trust manager as the default 
choice. A new configuration option, allowUntrustedSsl, was provided for 
the cases where certificate validation needs to be skipped on purpose.
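The difference between the two trust-manager choices, shown against the Apache Directory API that the connectors use. This is an added illustration written for this advisory, not the connector's own code: the host, port and the allowUntrustedSsl parameter are placeholders that mirror the connector option described above.

```java
import java.security.KeyStore;
import javax.net.ssl.TrustManagerFactory;
import org.apache.directory.ldap.client.api.LdapConnectionConfig;
import org.apache.directory.ldap.client.api.LdapNetworkConnection;
import org.apache.directory.ldap.client.api.NoVerificationTrustManager;

public class LdapTrustManagerExample {

    /**
     * Builds an LDAPS connection configuration. allowUntrustedSsl is a
     * placeholder mirroring the connector option; host and port are placeholders too.
     */
    static LdapConnectionConfig buildConfig(String host, int port, boolean allowUntrustedSsl)
            throws Exception {
        LdapConnectionConfig config = new LdapConnectionConfig();
        config.setLdapHost(host);
        config.setLdapPort(port);
        config.setUseSsl(true);

        if (allowUntrustedSsl) {
            // The vulnerable default: NoVerificationTrustManager accepts any
            // certificate chain, so an interposed server with a self-signed
            // certificate completes the handshake without any error.
            config.setTrustManagers(new NoVerificationTrustManager());
        } else {
            // The fixed default: the JVM's system trust store (normally cacerts).
            // An untrusted or mismatched server certificate now fails the handshake.
            TrustManagerFactory tmf =
                    TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init((KeyStore) null); // null = load the JVM default trust store
            config.setTrustManagers(tmf.getTrustManagers());
        }
        return config;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder host; with allowUntrustedSsl=false, connect() throws an
        // LdapException wrapping an SSLHandshakeException if the server
        // certificate does not chain to a trusted CA.
        LdapConnectionConfig config = buildConfig("ldap.example.com", 636, false);
        LdapNetworkConnection connection = new LdapNetworkConnection(config);
        try {
            connection.connect();
            System.out.println("TLS handshake succeeded; server certificate verified");
        } finally {
            connection.close();
        }
    }
}
```

A quick check of an existing deployment is to point the connector at a server presenting a self-signed certificate: the fixed connector versions refuse the connection unless allowUntrustedSsl is set, while vulnerable versions connect silently.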

Credit

Variants of this issue were reported by Martin Lizner, who has also 
contributed the fix for this issue. The report was processed by means of 
the EU-Free and Open Source Software Auditing (EU-FOSSA2) project.

See Also

https://wiki.evolveum.com/display/midPoint/Security+Advisory%3A+AD+and+LDAP+connectors+do+not+check+certificate+validity

-- 
Radovan Semancik
Software Architect
evolveum.com
