
Port 636 (LDAPS)

Learn about port 636 (LDAPS) - security risks, vulnerabilities, and common uses. Find devices with port 636 open.

Quick Info

Port Number
636
Protocol
TCP
Service
LDAPS
IANA Name
LDAPS

Service Description

Port 636 (TCP) is commonly used for Lightweight Directory Access Protocol Secure (LDAPS). LDAPS provides a secure, encrypted channel for LDAP communication: it is LDAP carried over SSL/TLS. Historically, LDAP has used port 389 without encryption, and the need for secure directory access led to the development of LDAPS. LDAPS encrypts the entire LDAP session, including authentication credentials and data transfers, protecting sensitive information from eavesdropping and tampering.

Technically, a client initiating an LDAPS connection first establishes a TCP connection to port 636, then performs an SSL/TLS handshake to set up a secure channel. Once that channel is established, the client and server exchange LDAP messages over the encrypted connection. During the handshake the server presents a certificate for the client to verify, which assures the client that it is communicating with the intended server. The certificate must be trusted by the client, either because it chains to a trusted root CA or because it was manually added to the client's trust store. LDAPS can also be configured to require client certificates for mutual authentication, further strengthening security.

Without proper configuration and encryption, LDAP traffic is vulnerable to sniffing and man-in-the-middle attacks, exposing sensitive directory information and credentials. LDAPS mitigates these risks by providing a secure, authenticated channel for directory access.

Firewall Recommendations

Blocking port 636 (TCP) is generally not recommended if LDAPS is being used for secure directory access within your network. If LDAPS is not required, blocking the port can reduce the attack surface. When allowing port 636, it's crucial to implement strict firewall rules that limit access to only authorized clients and servers. Avoid allowing access from untrusted networks or the internet unless absolutely necessary. Regularly review and update firewall rules to ensure they remain appropriate. Implement intrusion detection and prevention systems (IDS/IPS) to monitor for suspicious activity on port 636. Ensure that the LDAP server is configured with strong authentication mechanisms and that certificates are properly managed and rotated. Consider using client certificates for mutual authentication to further enhance security. Regularly patch and update the LDAP server software and underlying operating system to address any known vulnerabilities. Implement network segmentation to isolate the LDAP server from other critical systems, limiting the potential impact of a successful attack.

Security Information

LDAPS, while designed to be secure, is not immune to security risks. One common misconfiguration is using self-signed certificates without proper verification, which can leave the connection vulnerable to man-in-the-middle attacks if an attacker can present their own certificate. Another risk is failing to properly manage and rotate certificates, leading to expired certificates that disrupt service or force administrators to disable certificate validation. Weak SSL/TLS cipher suites can also be exploited by attackers to decrypt the traffic. Furthermore, vulnerabilities in the underlying SSL/TLS libraries or the LDAP server software itself can be exploited. LDAPS may be targeted by attackers seeking to gain unauthorized access to directory information, which often contains sensitive user credentials, group memberships, and other critical configuration data. Successful attacks can lead to account compromise, privilege escalation, and data breaches. Attackers may also target LDAPS to inject malicious data into the directory, which can then be used to compromise other systems that rely on the directory service.
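The misconfigurations above (certificate checks switched off to make a self-signed certificate "work", legacy SSL/TLS versions, CBC cipher suites) can be expressed as properties of a TLS client context. As an added illustration, not code from this page or from any of the directory products listed below, the Python `ssl` block below builds a hardened context for port 636 next to the permissive one, and an audit function that reports which of those weaknesses a context carries; the cipher policy string and the finding texts are assumptions.

```python
import ssl

# Assumed policy: keep only AEAD suites, so no CBC and no RC4 (TLS 1.3 suites are kept automatically).
STRONG_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20"


def hardened_ldaps_context(ca_file=None):
    """Client context for LDAPS (636) that enforces the checks described in the text.

    ca_file: optional PEM bundle holding the directory's issuing CA (e.g. an internal CA
    or a manually trusted server certificate); None falls back to the system trust store.
    """
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # rules out SSL 3.0 (POODLE) and TLS 1.0/1.1
    ctx.verify_mode = ssl.CERT_REQUIRED             # server certificate must chain to a trusted CA
    ctx.check_hostname = True                       # and its name must match the host we dialed
    ctx.set_ciphers(STRONG_CIPHERS)                 # drops the CBC suites behind CVE-2011-3389
    return ctx


def weak_ldaps_context():
    """The context a 'just make the self-signed cert work' fix tends to produce."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1   # some OpenSSL builds refuse TLS 1.0 entirely
    except (ssl.SSLError, ValueError):
        pass
    return ctx


def audit_context(ctx):
    """Return a list of findings; an empty list means the context meets the policy above."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification disabled: any certificate is accepted (MITM risk)")
    if not ctx.check_hostname:
        findings.append("hostname check disabled: a certificate for another host is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy SSL/TLS versions allowed (SSL 3.0 / TLS 1.0 / TLS 1.1)")
    legacy = [c["name"] for c in ctx.get_ciphers() if "CBC" in c["name"] or "RC4" in c["name"]]
    if legacy:
        findings.append(f"{len(legacy)} CBC/RC4 cipher suites enabled")
    return findings


if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_ldaps_context()), ("weak", weak_ldaps_context())):
        print(label, audit_context(ctx) or "OK")
```

To use the hardened context with a real directory, wrap the socket with `ctx.wrap_socket(sock, server_hostname=host)` before sending LDAP messages; the handshake then fails closed on an untrusted or mismatched certificate instead of silently proceeding.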

Known Vulnerabilities

| CVE | Name | Severity | Description |
|---|---|---|---|
| CVE-2015-0235 | Glibc getaddrinfo stack-based buffer overflow (glibc 'ghost') | High | A buffer overflow in the glibc getaddrinfo function that could allow an attacker to execute arbitrary code on an LDAPS server if the server uses getaddrinfo for hostname resolution. |
| CVE-2014-3566 | SSL 3.0 POODLE vulnerability | Medium | A weakness in SSL 3.0 that allows an attacker to intercept and decrypt LDAPS traffic if both the server and the client support SSL 3.0. |
| CVE-2011-3389 | TLS CBC IV Weakness Vulnerability | Medium | A weakness that allows an attacker to intercept and decrypt LDAPS traffic if the server and client use TLS with CBC cipher suites. |

Common Software

  • Microsoft Active Directory
  • OpenLDAP
  • 389 Directory Server
  • Apache Directory Server
  • FreeIPA
  • Red Hat Directory Server
  • Oracle Directory Server Enterprise Edition
  • IBM Security Directory Server
