This is a lightweight client-server protocol that runs over TCP/IP or other connection-oriented transport services. It is used for accessing and maintaining directory information services. The core functionality of LDAP lies in the interaction between the client and the LDAP server: the client sends a request to the server, the server processes the entire transaction, and it then returns the results to the client. This differs from other protocols in which the server and the client may exchange several messages during one transaction. In the default configuration, LDAP listens on port 389/TCP or port 389/UDP.
A server that uses connectionless LDAP (CLDAP), a variant of LDAP that uses UDP as its transport protocol, and which is openly accessible on the Internet may be abused in a Distributed Reflection Denial-of-Service (DRDoS) amplification attack against a third party. Because UDP allows the source address to be spoofed and a small CLDAP query can trigger a much larger response, extremely high amplification factors can be achieved, which poses a serious security threat.
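The amplification pattern described above can be spotted in flow data from the defender's side: a peer that sends a few bytes to 389/UDP and receives many times more back from it. The following is an added example, not code from the advisory; it works over constructed flow records (source/destination addresses, ports, protocol and byte count) and the threshold of 10x is an assumed tuning value, not one stated on the page.

```python
"""Flag likely CLDAP reflection victims from flow records (added example)."""
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

LDAP_PORT = 389
AMPLIFICATION_THRESHOLD = 10.0  # assumed tuning value; adjust to your baseline

Flow = Tuple[str, int, str, int, str, int]  # src_ip, src_port, dst_ip, dst_port, proto, bytes

# Constructed sample flows seen by an LDAP server at 192.0.2.10 (not real data).
SAMPLE_FLOWS: List[Flow] = [
    ("10.0.0.5", 51000, "192.0.2.10", 389, "udp", 120),      # internal client query
    ("192.0.2.10", 389, "10.0.0.5", 51000, "udp", 300),      # modest reply
    ("203.0.113.7", 40000, "192.0.2.10", 389, "udp", 52),    # tiny query from a spoofed address
    ("192.0.2.10", 389, "203.0.113.7", 40000, "udp", 3000),  # large replies go to the victim
    ("192.0.2.10", 389, "203.0.113.7", 40000, "udp", 3000),
    ("10.0.0.8", 52000, "192.0.2.10", 389, "tcp", 500),      # TCP LDAP: not reflectable, ignored
    ("192.0.2.10", 389, "10.0.0.8", 52000, "tcp", 800),
]


def cldap_amplification(flows: Iterable[Flow], server_ip: str) -> Dict[str, Tuple[int, int, float]]:
    """Per peer of the server's 389/UDP service: (bytes sent in, bytes received back, factor)."""
    sent_in = defaultdict(int)    # bytes the peer sent to the server on 389/UDP
    sent_back = defaultdict(int)  # bytes the server sent from 389/UDP to the peer
    for src, sport, dst, dport, proto, size in flows:
        if proto != "udp":
            continue
        if dst == server_ip and dport == LDAP_PORT:
            sent_in[src] += size
        elif src == server_ip and sport == LDAP_PORT:
            sent_back[dst] += size
    stats = {}
    for peer in set(sent_in) | set(sent_back):
        s, r = sent_in[peer], sent_back[peer]
        # Replies with no matching request are treated as unbounded amplification.
        factor = r / s if s else float("inf")
        stats[peer] = (s, r, factor)
    return stats


def suspicious_peers(flows: Iterable[Flow], server_ip: str,
                     threshold: float = AMPLIFICATION_THRESHOLD) -> List[str]:
    """Peers whose reply/request byte ratio meets the threshold, sorted by address."""
    stats = cldap_amplification(flows, server_ip)
    return sorted(peer for peer, (_, _, factor) in stats.items() if factor >= threshold)


if __name__ == "__main__":
    for peer, (s, r, f) in cldap_amplification(SAMPLE_FLOWS, "192.0.2.10").items():
        print(f"{peer:15} in={s:5} out={r:5} factor={f:7.1f}")
    print("suspicious:", suspicious_peers(SAMPLE_FLOWS, "192.0.2.10"))
```

The flagged address is the spoofed source, i.e. the party being attacked, so the useful response is to stop answering it and to close 389/UDP to untrusted networks as the recommended actions advise, not to treat that address as an attacker.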
LDAP is used by attackers to perform reconnaissance, the process of investigating and identifying weak spots in an organisation's network. Mapping an organisation's attack surface and analysing the domain for critical data, misconfigurations or system vulnerabilities helps attackers plan their attacks and establish a foothold that eventually leads to compromise.
Recommended Actions
On the firewall, restrict access to the LDAP server to trusted clients by blocking incoming connections to port 389/TCP and port 389/UDP.
LDAP transmits communications in clear text, so credentials passed in a simple bind cross the network unencrypted. Implementing StartTLS (LDAP upgraded to TLS on port 389) or LDAPS (LDAP over TLS/SSL on a dedicated port) provides secure and encrypted communication between client and LDAP server.
Reference Material
CVE.mitre.org is another useful site: searching its CVE List for the vulnerability in question can help identify and mitigate the issue, for example:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3936
Crestron AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 is vulnerable to denial of service via a crafted request to TCP port 389. The request will force the slideshow to transition into a “stopped” state. A remote, unauthenticated attacker can use this vulnerability to stop an active slideshow.
https://cve.mitre.org/
https://www.ncsc.gov.ie/emailsfrom/DDoS/LDAP/