Emmanuel Lecharny wrote:
> Howard Chu wrote:
>> Ludovic Poitou wrote:
>>
>>> Howard,
>>>
>>> Our security expert at Sun considers that the attack could be applied to
>>> LDAP, although it will be more complex to achieve for all the good
>>> reasons you've outlined (session-oriented, with explicit authentication
>>> attached to a session, and it is a record-oriented ASN.1 encoded protocol
>>> with precisely defined message structure).
>>> The renegotiation in the attack is, as far as I understand, driven by the
>>> man in the middle, and so even though OpenLDAP slapd never requests the
>>> renegotiation, it is still subject to the attack.
>>
>> Hi Ludo, thanks for the note. Kurt and I were discussing this offline and he
>> has suggested a possible attack as well. I'm still not convinced of the
>> details but we'll continue to investigate.
>
> Wondering if we (ApacheDS) can be a possible target, assuming that we
> are Java based. Any idea?

Kurt will be posting a more extensive message on the topic later. I suppose your degree of exposure depends on certain details of your implementation of ldaps:// and/or StartTLS.

In the case of OpenLDAP, it is impossible for a MITM to perform a privilege escalation with this attack. There are other things an attacker could do, such as nullifying a particular client request. It amounts to being able to DOS a specific client or a specific user, which is interesting and annoying, but also highly traceable...

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
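As an added, defender-side example that is not part of this thread: since slapd never requests a renegotiation, a handshake record showing up after application data on a connection to it is a signal worth alerting on. The script below assumes a captured client-to-server byte stream with TLS 1.0-1.2 record framing and uses constructed sample records; it flags that pattern from the cleartext record headers alone.

```python
# Added example (not from the thread). In TLS 1.0-1.2 the 5-byte record header
# (content type, version, length) stays in the clear after encryption starts, so
# a sensor in front of an LDAP server can see a Handshake record (type 22)
# arrive after Application Data (type 23) on the same connection. That is a
# renegotiation; a server that never requests one has reason to alert on it.
# Assumes records from one direction only (client to server); TLS 1.3 hides the
# real content type and has no renegotiation, so this check targets TLS <= 1.2.
import struct

CHANGE_CIPHER_SPEC, ALERT, HANDSHAKE, APPLICATION_DATA = 20, 21, 22, 23

def parse_records(stream: bytes):
    """Yield (content_type, payload) for each complete TLS record in stream."""
    offset = 0
    while offset + 5 <= len(stream):
        ctype, _version, length = struct.unpack("!BHH", stream[offset:offset + 5])
        if ctype not in (CHANGE_CIPHER_SPEC, ALERT, HANDSHAKE, APPLICATION_DATA):
            raise ValueError(f"unknown TLS content type {ctype} at offset {offset}")
        body = stream[offset + 5:offset + 5 + length]
        if len(body) < length:
            break  # truncated trailing record: wait for more bytes
        yield ctype, body
        offset += 5 + length

def renegotiation_offsets(stream: bytes) -> list:
    """Return record indexes where a handshake starts after application data."""
    seen_app_data = False
    hits = []
    for idx, (ctype, _body) in enumerate(parse_records(stream)):
        if ctype == APPLICATION_DATA:
            seen_app_data = True
        elif ctype == HANDSHAKE and seen_app_data:
            hits.append(idx)
            seen_app_data = False  # one alert per renegotiation, not per record
    return hits

def rec(ctype: int, body: bytes, version: int = 0x0303) -> bytes:
    """Build one TLS record (constructed sample data; 0x0303 is the TLS 1.2 field)."""
    return struct.pack("!BHH", ctype, version, len(body)) + body

# Constructed samples: the payloads stand in for ciphertext and are not real TLS
# messages. A normal connection: handshake, ChangeCipherSpec, then app data.
SAMPLE_NORMAL = (rec(HANDSHAKE, b"client-hello") + rec(CHANGE_CIPHER_SPEC, b"\x01")
                 + rec(APPLICATION_DATA, b"ciphertext-1"))
# Same connection with a mid-session handshake record, i.e. a renegotiation.
SAMPLE_RENEG = (SAMPLE_NORMAL + rec(HANDSHAKE, b"renegotiation-hello")
                + rec(APPLICATION_DATA, b"ciphertext-2"))

if __name__ == "__main__":
    print("normal:", renegotiation_offsets(SAMPLE_NORMAL))  # []
    print("reneg:", renegotiation_offsets(SAMPLE_RENEG))    # [3]
```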
