Non-encrypted confidential information - LDAP - C-Sharp

Need

Secure storage and transmission of LDAP service credentials

Context

  • Usage of C# for developing robust and efficient applications
  • Usage of System.DirectoryServices.Protocols for interacting with directory services
  • Usage of System.Net for network communication in .NET development

Description

Non compliant code

        using System.DirectoryServices.Protocols;
        using System.Net;

        public class LdapService
        {
            // Hard-coded, plain-text credentials: readable by anyone with the source or the repository.
            // LdapDirectoryIdentifier expects "host" or "host:port", not a URL with a scheme.
            private string ldapUrl = "localhost:389";
            private string ldapUsername = "admin";
            private string ldapPassword = "password";

            public void Connect()
            {
                LdapConnection connection = new LdapConnection(new LdapDirectoryIdentifier(ldapUrl));
                connection.Credential = new NetworkCredential(ldapUsername, ldapPassword);
                connection.Bind();
            }
        }

The above code represents an LDAP service connection in a C# application using ASP.NET Core. The LDAP service credentials, the username and password, are exposed in plain text.

The ldapUsername and ldapPassword variables are hard-coded and stored in plain text in the code. These credentials are used to create a new NetworkCredential object, which is then used to authenticate the LdapConnection.

This is a security vulnerability because anyone who has access to the source code can see these credentials. If the source code is stored in a version control system, then every person who has access to the repository can see these credentials. If the source code is leaked or published, then these credentials can be seen by potentially malicious actors.

This vulnerability could allow an attacker to gain unauthorized access to the LDAP service, leading to potential data loss, data manipulation, or further system compromise.

To mitigate this vulnerability, credentials should not be stored in plain text in the source code. Instead, they should be stored in a secure manner, such as using environment variables, or a secure secrets storage system.

Steps

  • Remove the hard-coded LDAP service credentials from the code.
  • Store the LDAP service credentials securely, such as in a configuration file or a secure key vault.
  • Encrypt the LDAP service credentials before storing them.
  • Retrieve the LDAP service credentials from the secure storage during runtime.
  • Use the retrieved credentials to establish the LDAP connection.
  • Ensure that the secure storage mechanism is properly secured and access-controlled.

Compliant code

        using System;
        using System.DirectoryServices.Protocols;
        using System.Net;
        using Microsoft.Extensions.Configuration;

        public class LdapService
        {
            private readonly IConfiguration _configuration;

            public LdapService(IConfiguration configuration)
            {
                _configuration = configuration;
            }

            public void Connect()
            {
                // The credentials are read at runtime from the configured sources
                // (appsettings, environment variables, Secret Manager, Key Vault), not from the code.
                string ldapUrl = _configuration.GetValue<string>("Ldap:Url");
                string ldapUsername = _configuration.GetValue<string>("Ldap:Username");
                string ldapPassword = _configuration.GetValue<string>("Ldap:Password");

                LdapConnection connection = new LdapConnection(new LdapDirectoryIdentifier(ldapUrl));
                connection.Credential = new NetworkCredential(ldapUsername, ldapPassword);
                connection.Bind();
            }
        }

The above code fixes the vulnerability by removing the hard-coded LDAP service credentials from the code. Instead, it retrieves these credentials from a configuration file during runtime.

The IConfiguration interface is used to access the application's configuration settings. The LdapService constructor takes an IConfiguration object as a parameter, which is provided by the Dependency Injection container in ASP.NET Core.

In the Connect method, the LDAP service credentials are retrieved from the configuration file using the GetValue<string> method of the IConfiguration object. The keys "Ldap:Url", "Ldap:Username", and "Ldap:Password" are used to retrieve the LDAP URL, username, and password, respectively.

The retrieved credentials are then used to establish the LDAP connection.

Please note that the configuration file should be properly secured and access-controlled. The LDAP service credentials should be encrypted before storing them in the configuration file. You can use the Secret Manager tool in development and Azure Key Vault in production to store these credentials securely.
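The following is an added example, not code from the original page, showing how the compliant service fits together with the configuration sources and the transport protection the text calls for: the Ldap section is bound from appsettings.json in development and overridden by environment variables or a vault provider in production, the service refuses to start without a password, and the bind runs over LDAPS so the credential is also protected in transit. The LdapOptions class, the Ldap__Password variable name and the LDAPS port are assumptions of this example.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Net;
using Microsoft.Extensions.Configuration;
// Hypothetical options class bound from the "Ldap" configuration section.
public sealed class LdapOptions
{
    public string Url { get; set; }       // "host:port"; 636 assumed for LDAPS
    public string Username { get; set; }
    public string Password { get; set; }
}
public class LdapService
{
    private readonly LdapOptions _options;

    public LdapService(IConfiguration configuration)
    {
        _options = configuration.GetSection("Ldap").Get<LdapOptions>() ?? new LdapOptions();
        // Fail at startup rather than bind with a missing or empty secret.
        if (string.IsNullOrWhiteSpace(_options.Url) || string.IsNullOrWhiteSpace(_options.Password))
            throw new InvalidOperationException("Ldap:Url and Ldap:Password must be configured.");
    }

    public LdapConnection Connect()
    {
        var connection = new LdapConnection(new LdapDirectoryIdentifier(_options.Url))
        {
            AuthType = AuthType.Basic,   // simple bind sends the password to the server...
            Credential = new NetworkCredential(_options.Username, _options.Password),
        };
        connection.SessionOptions.ProtocolVersion = 3;
        connection.SessionOptions.SecureSocketLayer = true;   // ...so require LDAPS for the session
        connection.Bind();
        return connection;
    }
}
public static class Program
{
    public static void Main()
    {
        // Later providers override earlier ones: Ldap__Password (constructed name) from the
        // environment beats anything in the checked-in appsettings.json.
        IConfiguration config = new ConfigurationBuilder()
            .AddJsonFile("appsettings.json", optional: true)
            .AddEnvironmentVariables()
            .Build();
        using (LdapConnection connection = new LdapService(config).Connect())
            Console.WriteLine("Bound to " + config["Ldap:Url"]);
    }
}
```

Binding the section with Get<LdapOptions>() needs the Microsoft.Extensions.Configuration.Binder package in addition to System.DirectoryServices.Protocols.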