The threats to, and the value of, the LDAP-based configuration mechanisms fall into two categories:
Finding (and updating) Network AE descriptions
Finding (and updating) device descriptions
Each of these poses different vulnerabilities to attack:
The AE-title uniqueness mechanism could be attacked by creating vast numbers of spurious AE-titles. This could be a Denial of Service (DoS) attack on the LDAP server. It has a low probability of interfering with DICOM operations.
The Network AE information could be maliciously updated. This would interfere with DICOM operations by interfering with finding the proper server. It could direct connections to malicious nodes, although the use of TLS authentication for DICOM connections would detect such misdirection. When TLS authentication is in place, this becomes a DoS attack.
The device descriptions could be maliciously modified. This would interfere with proper device operation.
There is no apparent value to an attacker in obtaining the current list of AE-titles. This does not indicate where these AE-titles are deployed or on what equipment.
The Network AE information and device descriptions might be of value in determining the location of vulnerable systems. If it is known that a particular model of equipment from a particular vendor is vulnerable to a specific attack, then the Network AE Information can be used to find that equipment.
The security mechanisms for LDAP are highly variable in actual implementations. They are a mixture of administrative restrictions and protocol implementations. The widely available options for security methods are:
Anonymous access, where there is no restriction on performing this function over the network.
Basic, where there is a username and password exchange prior to granting access to this function. The exchange is vulnerable to snooping, spoofing, and man-in-the-middle attacks.
TLS, where there is an SSL/TLS exchange during connection establishment.
Manual, where no network access is permitted and the function must be performed manually at the server, or semi-automatically at the server. The semi-automatic means permit the use of independently exchanged files (e.g. via floppy) together with manual commands at the server.
The categories of functions that may be independently controlled are:
Read related, to read, query, or otherwise obtain a portion of the LDAP directory tree
Update related, to modify previously existing objects in the directory tree
Create, to create new objects in the directory tree.
Finally, these rules may be applied differently to different subtrees within the overall LDAP structure. The specific details of Access Control Lists (ACLs), functional controls, etc. vary somewhat between different LDAP implementations.
The LDAP server should be able to specify different restrictions for the AE-Title list and for the remainder of the configuration information. To facilitate interoperability, Table H.1-15 defines several patterns for access control. They correspond to different assessments of risk for a network environment.
Table H.1-15 LDAP Security Patterns

| | TLS | TLS-Manual | Basic | Basic-Manual | Anonymous | Anonymous-Manual |
|---|---|---|---|---|---|---|
| Read AE-title | Anonymous, TLS | Anonymous, TLS | Anonymous, Basic | Anonymous, Basic | Anonymous | Anonymous |
TLS This pattern provides SSL/TLS authentication and encryption between client and server. It requires additional setup during installation because the TLS certificate information needs to be installed onto the client machines and server. Once the certificates are installed, the clients may then perform full updating operations.
TLS-Manual This pattern provides SSL/TLS controls for read access to information and requires manual intervention to perform update and creation functions.
Basic This pattern utilizes the LDAP basic security to gain access to the LDAP database. It requires the installation of a password during client setup. It does not provide encryption protection. Once the password is installed, the client can then perform updates.
Basic-Manual This pattern utilizes basic security protection for read access to the configuration information and requires manual intervention to perform update and creation functions.
Anonymous This pattern permits full read/update access to all machines on the network.
Anonymous-Manual This pattern permits full read access to all machines on the network, but requires manual intervention to perform update and creation.
A client or server implementation may be capable of being configured to support multiple patterns. This should be documented in the conformance claim. The specific configuration in use at a specific site can then be determined at installation time.
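As an added illustration (not text from the Standard), the following OpenLDAP cn=config fragment expresses two of the Table H.1-15 patterns as slapd ACLs: the Anonymous pattern, in which any host on the network can plant spurious AE-titles or redirect a Network AE entry, beside the TLS-Manual pattern. It assumes the DICOM configuration root is cn=DICOM Configuration,dc=example,dc=org, that the AE-title list sits under cn=Unique AE Titles Registry and the device and Network AE descriptions under cn=Devices, and that the directory is olcDatabase={1}mdb; all of these are assumptions to adjust to the site.

```ldif
# Added example, not part of PS3.15. Assumed DIT (adjust to site):
#   cn=DICOM Configuration,dc=example,dc=org   (configuration root)
#   cn=Unique AE Titles Registry,<root>         (AE-title list)
#   cn=Devices,<root>                           (device / Network AE descriptions)
# Apply only ONE of the two alternatives, e.g. at the server:
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f pattern.ldif
# If both are applied from one file, the second "replace" simply wins.
# slapd evaluates olcAccess clauses in order and stops at the first "to"
# that matches, so the narrower AE-title clause must precede the root clause.

# --- Alternative A: "Anonymous" pattern (Table H.1-15) ---
# Anyone who can reach the LDAP port may read, update and create anywhere
# under the configuration root: the weak setting.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to dn.subtree="cn=DICOM Configuration,dc=example,dc=org"
  by * write

# --- Alternative B: "TLS-Manual" pattern (Table H.1-15) ---
# Read AE-title: Anonymous or TLS.  Read configuration: TLS only.
# Update/Create: nobody over the network; manual changes are made at the
# server as the database rootdn, which bypasses these ACLs.
# tls_ssf=128 only requires an encrypted TLS session; to also require the
# client certificate the TLS pattern installs, set olcTLSVerifyClient: demand.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to dn.subtree="cn=Unique AE Titles Registry,cn=DICOM Configuration,dc=example,dc=org"
  by tls_ssf=128 read
  by anonymous read
  by * none
olcAccess: {1}to dn.subtree="cn=DICOM Configuration,dc=example,dc=org"
  by tls_ssf=128 read
  by * none
```

Continuation lines carry two leading spaces because LDIF strips exactly one; check the resulting rules with `ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcAccess` before exposing the server.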