For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

THi's avatar
THi
Icon for Nimbostratus rankNimbostratus
Nov 26, 2019

APM AD auth and LDAP request signing

Microsoft intends to require LDAP singing by default in their upcoming January 2020 server security updates. See https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-si...
BIG-IP Access Policy Manager (APM)
security
Bm99's avatar
Bm99
Icon for Nimbostratus rankNimbostratus
Jan 17, 2020

F5 appear to have issued an article on the 8th Jan that appears to state there is no issue. https://support.f5.com/csp/article/K30054212

 

I really would have expected more detailed information regards to the APM AD and the mechanisms it supports for compliance purposes. Questions are now being asked if data is being passed in the clear. If I can't get more info I am going to have to switch to LDAPS. This was the original recommendation from support at the tail end of 2019 which is worst case. We still have our DC's configured to provide more detailed logs and see the event 2889 as a result of the F5 making an unsigned LDAP bind. Hopefully we will get more information soon, I will also keep chasing my SE for an more definitive answer.

  • THi's avatar
    THi
    Icon for Nimbostratus rankNimbostratus
    Jan 17, 2020

    In November we did some tcpdumps when APM did the AD Auth (14.1.x sw). Using wireshark on the dumps we saw that there were no signing of the LDAP SASL binding requests. ALso the AD event log indicated the same. The K30054212 recommendation "No changes are required for LDAPS or Active Directory AAA servers" may need some more clarification?