Security Advisory: AD and LDAP connectors do not check certificate validity
Date: 17 April 2019
Severity: High (CVSS 8.0)
Affected versions: all AD and LDAP connector versions (indirectly: all midPoint versions)
Fixed in versions: 2.1, 1.6.1
LDAP and Active Directory connectors are not properly checking TLS/SSL certificate validity.
Severity and Impact
This is a high-severity issue. The connections are open to man-in-the-middle attack. The severity of this attack may be limited by the fact that in many midPoint deployments the AD and LDAP connections are established over trusted networks. However, as midPoint transfers sensitive information (including credentials) over such connections, users are advised to mitigate this issue immediately.
The LDAP and LDAP-based Active Directory connectors used in supported midPoint versions were fixed. MidPoint deployments should update the LDAP/AD connector bundle as soon as possible. Recommended connector versions:
| midPoint version | Recommended LDAP/AD connector version |
|---|---|
| 3.9 and later | |
| 3.6.x, 3.7.x, 3.8.x | |
Given the severity of this issue, updated connector versions were released immediately.
Discussion and Explanation
These LDAP-based connectors use the Apache Directory API as the library for accessing LDAP servers. The default setting of the Apache Directory API was to use a "no verification" trust manager, so certificate verification was skipped entirely: any certificate presented by the server, including a self-signed one produced by an on-path attacker, was accepted. It is not clear whether this was the original default or whether it was changed during the course of LDAP connector development; therefore we consider all pre-existing LDAP and AD connector versions as vulnerable.
Connector code was updated to use the system trust manager as the default choice. A new configuration option, allowUntrustedSsl, was provided for the cases where certificate validation needs to be skipped on purpose.
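The two trust-manager choices described above, shown side by side as an added illustration (this is not the connector's own code): the hypothetical `build` helper and its `allowUntrustedSsl` parameter mirror the advisory's option, and the host and port are constructed sample values.

```java
import java.security.KeyStore;
import javax.net.ssl.TrustManagerFactory;
import org.apache.directory.ldap.client.api.LdapConnectionConfig;
import org.apache.directory.ldap.client.api.LdapNetworkConnection;
import org.apache.directory.ldap.client.api.NoVerificationTrustManager;

public class LdapTlsConfig {

    // Hypothetical helper: builds an LDAPS connection config whose trust decision
    // depends on a flag modelled on the connector's allowUntrustedSsl option.
    static LdapConnectionConfig build(String host, int port, boolean allowUntrustedSsl)
            throws Exception {
        LdapConnectionConfig config = new LdapConnectionConfig();
        config.setLdapHost(host);
        config.setLdapPort(port);
        config.setUseSsl(true); // LDAPS on a dedicated port

        if (allowUntrustedSsl) {
            // The pre-fix default: this trust manager accepts every server certificate,
            // so an on-path attacker presenting any certificate can read the session.
            config.setTrustManagers(new NoVerificationTrustManager());
        } else {
            // The fixed default: the JVM's system trust store (cacerts, or the store named
            // by -Djavax.net.ssl.trustStore) decides which certificate chains are trusted.
            TrustManagerFactory tmf =
                    TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init((KeyStore) null); // null selects the platform default trust store
            config.setTrustManagers(tmf.getTrustManagers());
        }
        return config;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values; point them at a real LDAPS server to exercise the check.
        LdapConnectionConfig config = build("ldap.example.com", 636, false);
        try (LdapNetworkConnection connection = new LdapNetworkConnection(config)) {
            // With the system trust manager, connect() fails on an untrusted chain
            // instead of silently accepting it.
            connection.connect();
            System.out.println("TLS handshake completed against a verified certificate");
        }
    }
}
```

A quick way to confirm a deployed connector is on the fixed code path is to point it at a test server with a self-signed certificate while allowUntrustedSsl is off: the connection must fail with a handshake error.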
Variants of this issue were reported by Martin Lizner, who also contributed the fix. The report was processed through the EU-Free and Open Source Software Auditing (EU-FOSSA2) project.