Microsoft Urges LDAP Workaround Fix for Windows Systems

Microsoft updated an August security advisory this week to urge organizations using the Lightweight Directory Access Protocol (LDAP) in supported Windows systems to implement some configuration changes manually.

The details are described in this Windows support article, dated September 10. In addition, Microsoft updated its August security advisory ADV190023, which now includes similar information about carrying out a workaround fix for LDAP.

In essence, organizations are being asked to enable LDAP channel binding and LDAP signing so that authentications made via LDAP to Active Directory Domain Controllers are better protected. Currently, out-of-box LDAP configurations are subject to an elevation-of-privilege vulnerability, which could be exploited via a “man-in-the-middle” attack.

Here’s how the support article characterized the vulnerability, which potentially lets attackers impersonate end users and change packet information:

Unsigned network traffic is susceptible to replay attacks in which an intruder intercepts the authentication attempt and the issuance of a ticket. The intruder can reuse the ticket to impersonate the legitimate user. Additionally, unsigned network traffic is susceptible to man-in-the-middle attacks in which an intruder captures packets between the client and the server, changes the packets, and then forwards them to the server. If this occurs on an LDAP server, an attacker can cause a server to make decisions that are based on forged requests from the LDAP client.

LDAP is an industry standard, but it’s used in Windows systems to “read from and write to the Active Directory database,” Microsoft explained in this old blog post.

Microsoft is planning to issue a patch that will automatically implement these recommended LDAP configuration changes. The patch will arrive via the Windows Update service, starting “in mid-January 2020.” Microsoft is deliberately delaying the release of this patch to accommodate organizations that only make configuration changes after the holiday season.

In the meantime, though, Microsoft wants organizations to add the configuration changes manually. However, organizations making the recommended changes could encounter “compatibility issues.”

“If any compatibility issue is found, administrators will need to contact the manufacturer of that particular OS, application or device for support,” Microsoft warned in the “Recommended Actions” section of its support article. Applications or devices that carry out “man-in-the-middle inspection of LDAP traffic” could get affected by the changes, too.
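The two settings the advisory asks administrators to change, and the compatibility question raised above, can be checked on a domain controller before anything is enforced. The script below is an added example written for this article, not code from Microsoft or from the support article: it reads the current signing and channel binding state and lists the clients that have recently relied on unsigned binds, which are the ones that would break once the settings are enforced. It assumes the registry value names and Directory Service event ID that Microsoft documents for these settings (LDAPServerIntegrity, LdapEnforceChannelBinding, event 2889, and the "16 LDAP Interface Events" diagnostic); verify them against the support article before relying on the output. It reports only and changes nothing.

```powershell
# Added example, not code from the article or from Microsoft: audit one domain
# controller's LDAP signing / channel binding state and list the clients that
# currently depend on unsigned binds, so the compatibility impact of enforcing
# the settings can be judged before the January 2020 update lands.
#
# Assumptions (as documented by Microsoft for these settings; verify first):
#   HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
#     LDAPServerIntegrity        1 = signing not required (default), 2 = require signing
#     LdapEnforceChannelBinding  0 = never, 1 = when supported, 2 = always
#   Directory Service event 2889 records each unsigned or simple bind once the
#   "16 LDAP Interface Events" diagnostic under NTDS\Diagnostics is set to 2.
# Run elevated on a domain controller. Reports only; it changes nothing.

$NtdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$NtdsDiag   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

function Get-LdapHardeningState {
    $p = Get-ItemProperty -Path $NtdsParams -ErrorAction Stop
    # A missing value means the out-of-box default applies.
    $integrity = if ($null -ne $p.LDAPServerIntegrity) { [int]$p.LDAPServerIntegrity } else { 1 }
    $cbt       = if ($null -ne $p.LdapEnforceChannelBinding) { [int]$p.LdapEnforceChannelBinding } else { 0 }
    $cbtLabel  = switch ($cbt) { 0 { 'Never' } 1 { 'WhenSupported' } 2 { 'Always' } default { "Unknown($cbt)" } }

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        SigningRequired = ($integrity -eq 2)
        ChannelBinding  = $cbtLabel
        # Both conditions must hold for the configuration the advisory recommends.
        MeetsAdvisory   = ($integrity -eq 2 -and $cbt -ge 1)
    }
}

function Get-UnsignedBindClients {
    param([int]$Days = 7)
    # Event 2889 is only written when the LDAP interface diagnostic level is 2.
    $diag = [int](Get-ItemProperty -Path $NtdsDiag -ErrorAction SilentlyContinue).'16 LDAP Interface Events'
    if ($diag -lt 2) {
        Write-Warning "LDAP Interface Events diagnostic is $diag; event 2889 is not being logged, so this list will be empty."
    }
    $filter = @{ LogName = 'Directory Service'; Id = 2889; StartTime = (Get-Date).AddDays(-$Days) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Field layout assumed from Microsoft's 2889 message text; the regexes are
        # tolerant, so an unexpected layout yields empty fields rather than an error.
        $ip = [regex]::Match($e.Message, 'Client IP address:\s*(\S+)').Groups[1].Value
        $id = [regex]::Match($e.Message, 'authenticate as:\s*(.+)').Groups[1].Value.Trim()
        [pscustomobject]@{ Time = $e.TimeCreated; Client = $ip; Identity = $id }
    }
}

$state = Get-LdapHardeningState
$state | Format-List
if (-not $state.MeetsAdvisory) {
    $clients = Get-UnsignedBindClients -Days 7 | Group-Object Client | Sort-Object Count -Descending
    if ($clients) {
        "Clients relying on unsigned binds in the last 7 days (address these before enforcing):"
        $clients | Select-Object Name, Count | Format-Table -AutoSize
    } else {
        "No unsigned binds recorded in the last 7 days."
    }
}
```

The usual sequence is to raise the diagnostic level first, let the 2889 events accumulate for at least a week so that monthly and weekly jobs show up, fix or replace the clients the report names, and only then set LDAPServerIntegrity to 2 and LdapEnforceChannelBinding to at least 1. Anything performing “man-in-the-middle inspection of LDAP traffic,” as the support article notes, will also surface in that list or fail outright once signing is required.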
