SV.LDAP.ANON

Incorrect authentication

The SV.LDAP.ANON checker detects whether anonymous LDAP binding is used when connecting to an LDAP server.

Vulnerability and risk

This weakness can lead to the exposure of resources or functionality to unintended actors, possibly providing attackers with sensitive information or with the ability to execute arbitrary code. Anonymous binding is an LDAP server function. Anonymous binding allows a client to connect and search the directory (bind and search) without logging in, because binddn and bindpasswd are not needed.

Vulnerable code example 1

1
2
3
4
5
   // Set up the environment for creating the initial context
   Hashtable<String, Object> env = new Hashtable<String, Object>();
   env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
   env.put(Context.PROVIDER_URL, "ldap://localhost:389/o=JNDITutorial");
   env.put(Context.SECURITY_AUTHENTICATION, "none"); // Using anonymous authentication

Klocwork reports an SV.LDAP.ANON defect on line 6, indicating, "Use of ldap authentication with anonymous bind can lead to successful authentication without password".

Fixed code example 1

1
2
3
4
5
   // Set up the environment for creating the initial context
   Hashtable<String, Object> env = new Hashtable<String, Object>();
   env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
   env.put(Context.PROVIDER_URL, "ldap://localhost:389/o=JNDITutorial");
   env.put(Context.SECURITY_AUTHENTICATION, "simple");

In this fixed example, Klocwork no longer reports a defect because a security authentication method is set on line 5 as "simple".

Vulnerable code example 2

1
2
3
4
   DirContext ctx = new InitialDirContext(env);
   ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "none"); 
         // another way of using anonymous authentication
   ctx.close();

Klocwork reports an SV.LDAP.ANON defect on line 2, indicating, "Use of ldap authentication with anonymous bind can lead to successful authentication without password".

Fixed code example 2

1
2
3
   DirContext ctx = new InitialDirContext(env);
   ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
   ctx.close();

In this fixed example, Klocwork no longer reports a defect because a security authentication method is set on line 2 as "simple".

External guidance

• CWE-287: Improper Authentication
• OWASP A7:2021 Identification and Authentication Failures

Security training

Application security training materials provided by Secure Code Warrior.

• Improper Authentication Training Video - Test your skills with a training example