LanDscAPe: Exploring LDAP Weaknesses and Data Leaks at Internet Scale

Authors: 

Jonas Kaspereit and Gurur Öndarö, Münster University of Applied Sciences; Gustavo Luvizotto Cesar, University of Twente; Simon Ebbers, Münster University of Applied Sciences; Fabian Ising, Fraunhofer SIT and National Research Center for Applied Cybersecurity ATHENE; Christoph Saatjohann, Münster University of Applied Sciences, Fraunhofer SIT, and National Research Center for Applied Cybersecurity ATHENE; Mattijs Jonker, University of Twente; Ralph Holz, University of Twente and University of Münster; Sebastian Schinzel, Münster University of Applied Sciences, Fraunhofer SIT, and National Research Center for Applied Cybersecurity ATHENE

Abstract: 

The Lightweight Directory Access Protocol (LDAP) is the standard technology to query information stored in directories. These directories can contain sensitive personal data such as usernames, email addresses, and passwords. LDAP is also used as a central, organization-wide storage of configuration data for other services. Hence, it is important to the security posture of many organizations, not least because it is also at the core of Microsoft's Active Directory, and other identity management and authentication services.

We report on a large-scale security analysis of deployed LDAP servers on the Internet. We developed LanDscAPe, a scanning tool that analyzes security-relevant misconfigurations of LDAP servers and the security of their TLS configurations. Our Internet-wide analysis revealed more than 10k servers that appear susceptible to a range of threats, including insecure configurations, deprecated software with known vulnerabilities, and insecure TLS setups. 4.9k LDAP servers host personal data, and 1.8k even leak passwords. We document, classify, and discuss these and briefly describe our notification campaign to address these concerning issues.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

BibTeX
@inproceedings {299774,
author = {Jonas Kaspereit and Gurur {\"O}ndar{\"o} and Gustavo Luvizotto Cesar and Simon Ebbers and Fabian Ising and Christoph Saatjohann and Mattijs Jonker and Ralph Holz and Sebastian Schinzel},
title = {{LanDscAPe}: Exploring {LDAP} Weaknesses and Data Leaks at Internet Scale},
booktitle = {33rd USENIX Security Symposium (USENIX Security 24)},
year = {2024},
isbn = {978-1-939133-44-1},
address = {Philadelphia, PA},
pages = {1225--1242},
url = {https://www.usenix.org/conference/usenixsecurity24/presentation/kaspereit},
publisher = {USENIX Association},
month = aug
}

Presentation Video