Environment
Host Access Management and Security Server (MSS)
Reflection for the Web (RWeb) 12.2 and earlier
Microsoft Windows Servers
Lightweight Directory Access Protocol (LDAP)
Port 389/3268
Port 636/3269
Situation
Microsoft has issued a Security Advisory (ADV190023) which addresses a vulnerability with the default LDAP configuration in Windows Servers. The advisory recommends changing settings for LDAP channel binding and LDAP signing.
The recommended changes will mitigate an attacker's ability to elevate privileges and create a man-in-the-middle situation.
Resolution
Follow the Security Advisory's recommended actions: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023
Micro Focus' Management and Security Server (MSS) already supports these settings. MSS only needs to be configured for LDAPS on port 636 or 3269. Customers are advised to move to LDAPS when possible to avoid potential compatibility issues if Microsoft changes its default properties via a Service Pack or Security Update.
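Before pointing MSS at port 636 or 3269, it helps to confirm that the directory server answers LDAPS there with a certificate a client can validate. The following is an added example, not Micro Focus or Microsoft code; the host name `dc01.example.test` and the optional `cafile` argument are placeholders for your own domain controller and issuing CA.

```python
import socket
import ssl
from datetime import datetime, timezone

LDAPS_PORTS = (636, 3269)  # LDAPS and global catalog over TLS, per this article


def check_ldaps(host, port, cafile=None, timeout=5.0):
    """Try a verified TLS handshake with an LDAPS listener and report the result."""
    # The default context validates the chain and the host name; cafile lets you
    # point at the CA that issued the domain controller certificate (assumption).
    ctx = ssl.create_default_context(cafile=cafile)
    result = {"host": host, "port": port, "ok": False}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                expires = datetime.fromtimestamp(
                    ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
                result.update(
                    ok=True,
                    tls_version=tls.version(),
                    issuer=dict(rdn[0] for rdn in cert.get("issuer", ())),
                    days_left=(expires - datetime.now(timezone.utc)).days,
                )
    except ssl.SSLCertVerificationError as exc:
        # Listener is up, but the client does not trust or cannot match the cert.
        result["error"] = f"certificate rejected: {exc.verify_message}"
    except (ssl.SSLError, OSError) as exc:
        # Closed port, firewall, timeout, or a non-TLS service on the port.
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result


def ready_ports(results):
    """Return the ports on which the verified handshake succeeded."""
    return [r["port"] for r in results if r["ok"]]


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "dc01.example.test"  # placeholder
    results = [check_ldaps(host, p) for p in LDAPS_PORTS]
    for r in results:
        print(r)
    print("usable LDAPS ports:", ready_ports(results))
```

A `certificate rejected` result means the listener is present but the issuing CA or host name needs attention on the client side before LDAPS can be used.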
Cause
Earlier versions of Windows Servers did not enable sufficient security settings to thwart this type of attack.
Status
Security Alert
Additional Information
Microsoft has implemented these changes in newer versions of its operating systems. It may or may not change the default properties to enable these settings in future Service Packs or Security Updates.