[Samba] LDAP NULL BASE Search Access to Samba4
I Am Netizen
iamnetizen at gmail.com
Sat Oct 4 10:28:14 MDT 2014
Recently, I scanned my samba4.1 server with Nessus (a vulnerability scanner
tool - http://www.tenable.com/products/nessus)
Nessus says that Samba4 is vulnerable to "LDAP NULL BASE Search Access" as
"The remote LDAP server may disclose sensitive information."
Further it says that - The remote LDAP server supports search requests with
a null, or empty, base object. This allows information to be retrieved
without any prior knowledge of the directory structure. Coupled with a NULL
BIND, an anonymous user may be able to query your LDAP server using a tool
such as 'LdapMiner'.
Here is Nessus Link for this vulnerability -
http://www.tenable.com/plugins/index.php?view=single&id=10722
Can anyone throw some light on this?