CFS-2020-002: LDAP Signing and LDAP Channel Binding

Issue Date: 2020/08/13
Updated Date: 2020/08/13
Title: LDAP Signing and LDAP Channel Binding
Classification: Low
Status: Closed
Affected Products: CLOUDFS – All Supported Versions

Summary

Security Vulnerabilities related to LDAP Channel Binding and LDAP Signing

Details

LDAP channel binding and LDAP signing provide ways to increase the security of communications between LDAP clients and Active Directory domain controllers. A set of unsafe default configurations for LDAP channel binding and LDAP signing exists on Active Directory domain controllers, which lets LDAP clients communicate with them without enforcing LDAP channel binding and LDAP signing. This can open Active Directory domain controllers to an elevation of privilege vulnerability.

For more information, refer here:
Advisory: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023
Configuration: https://support.microsoft.com/en-in/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirement-for-windows

Resolution

To address this vulnerability, Panzura requires all customers to switch from an unsigned, insecure LDAP bind to a signed, secure LDAP bind to prevent man-in-the-middle attacks. This change can be implemented by configuring the Active Directory domain controller in the customer’s environment to accept only signed and secure LDAP queries.
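
One way to check a domain controller before and after making this change, as an added example that is not Panzura's or Microsoft's code: it reads the signing and channel binding settings and lists clients that still bind unsigned. The registry value names and event ID 2889 are not in this advisory; they come from the Microsoft configuration guidance linked above, and the function names are hypothetical.

```powershell
# Added example. Run in an elevated session on the domain controller itself.
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS'

function Get-RegValue($Path, $Name) {
    # Returns $null when the value is not set.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Get-LdapHardeningState {
    $signing = Get-RegValue "$ntds\Parameters" 'LDAPServerIntegrity'
    $cbt     = Get-RegValue "$ntds\Parameters" 'LdapEnforceChannelBinding'
    $diag    = Get-RegValue "$ntds\Diagnostics" '16 LDAP Interface Events'
    [pscustomobject]@{
        LDAPServerIntegrity       = $signing
        SigningRequired           = ($signing -eq 2)   # 2 = require signing
        LdapEnforceChannelBinding = $cbt
        ChannelBindingAlways      = ($cbt -eq 2)       # 2 = always enforce
        UnsignedBindLogging       = ($diag -ge 2)      # level 2+ is needed for event 2889
    }
}

function Get-UnsignedLdapBind([int]$Days = 7) {
    # Event 2889 in the Directory Service log records each unsigned or
    # clear-text bind: client address, identity used, and bind type.
    $filter = @{
        LogName   = 'Directory Service'
        Id        = 2889
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $type = 'SASL bind without signing'
            if ("$($_.Properties[2].Value)" -eq '0') { $type = 'Simple bind without TLS' }
            [pscustomobject]@{
                Client   = ("$($_.Properties[0].Value)" -replace ':\d+$', '')  # drop source port
                Identity = $_.Properties[1].Value
                BindType = $type
            }
        } |
        Group-Object Client, Identity, BindType |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

Get-LdapHardeningState | Format-List
Get-UnsignedLdapBind -Days 7 | Format-Table -AutoSize
```

An empty result from `Get-UnsignedLdapBind` is only meaningful when `UnsignedBindLogging` is true; any client it lists will fail to bind once the domain controller requires signing.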