SECURITY: execute_ldapsearch() in /common/util.hpp doesn't appear to be using channel binding.

[3BK]

I'm sure you know but just in case, there is a 50+% chance that the execute_ldapsearch() method in /common/util.hpp is not using channel binding.

https://support.microsoft.com/en-us/topic/2020-2023-and-2024-ldap-channel-binding-and-ldap-signing-requirements-for-windows-kb4520412-ef185fb8-00f7-167d-744c-f299a66fc00a

[3BK]

Added @bhallasaksham

[3BK]

Added @smhmhmd

[3BK]

Added @muskanlalit18

[3BK]

Hopefully the utility is no longer in use.

[3BK]

Channel signing

/etc/ldap/ldap.conf:

TLS_CACERT /path/to/trusted/ldap_ca

from the repository root:

sed -i 's/ldap\:\/\//ldaps\:\/\//g' ./common/util.hpp

[bhallasaksham]

Thanks for reaching out to us @3BK. Team is currently investigating and we'll get back to you once we have more information.

[3BK]

https://ldapwiki.com/wiki/Wiki.jsp?page=Channel%20Binding

[smhmhmd]

@3BK
ldapsearch in Credentials-fetcher currently uses a kerberos ticket, it is LDAP over kerberos.
Why do we need LDAP over kerberos over SSL ?

[3BK]

>Do we need LDAP over Kerberos over SSL ?

Good question. I would ask: - Jeffrey Altman, Secure Endpoints Inc. - Nicolas Williams, Two Sigma Solutions (Oracle) - Larry Zhu, Atlassian (Microsoft) My gut feeling is that they would say yes, absolutely. To phrase it another way, it depends on the {WHO, WHAT, WHEN, WHERE} tuple which you insert in place of the label "we" in your above question. There are at least three flavors of channel binding: - tls-exporter (tls1.3) - tls-unique (tls1.2) - tls-server-end-point (legacy)

[smhmhmd]

@3BK

Ok, this issue is an enhancement not a security vulnerability.
We will add this to the backlog, we can keep the issue open and keep you posted.

Is this okay with you ?

Thanks for filing the issue, by the way.

[smhmhmd]

@3BK

We would love to have a meeting with you, please email samiull at amazon dot com

[3BK]

Assuming the typical use case for a GMSA fetcher in AWS is an enterprise or industrial/manufacturing business unit - not a commercial or retail customer. (I.e. an educated customer.) And given that channel binding has been in the public domain for at least 15 years. And, if we were to squint real hard, then yes channel binding is an enhancement. Still, I would add a note saying that this fetcher, with its naked ldap call, is a solution template. It is best paired with an AWS site-to-site VPN tunnel. Customers with end-to-end privacy requirements such as ATO/ Fed ramp, health care, PCIDSS, etc. should review and tailor the template. For example, by adding channel signing, or channel binding.

[3BK]

@3BK

Ok, this issue is an enhancement not a security vulnerability. We will add this to the backlog, we can keep the issue open and keep you posted.

Is this okay with you ?

No issues. Thanks.

[3BK]

Background reading:

• Kitten channel binding RFC 9266
• MS AD hardening LDAP channel binding
• tls-exporter RFC 5705
• tls-unique RFC 5929
• Microsoft Security Advisory impact assessment ADV190023