VYPR
Medium severity (5.9) · NVD Advisory · Published Dec 17, 2017 · Updated May 13, 2026

CVE-2017-17718

Description

The Net::LDAP (aka net-ldap) gem before 0.16.0 for Ruby has Missing SSL Certificate Validation.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Net::LDAP gem before 0.16.0 for Ruby fails to validate SSL certificates, enabling man-in-the-middle attacks.

Vulnerability

The Net::LDAP (net-ldap) gem for Ruby, in versions prior to 0.16.0, does not verify that the LDAP server's certificate matches the hostname (Common Name or Subject Alternative Name) when using LDAPS or StartTLS. The library uses OpenSSL but omits the verify_certificate_identity call, so only the certificate chain is validated (and only when verification is configured), not the server's identity. This affects all releases before 0.16.0 [2][4].

Exploitation

An attacker with network access (e.g., man-in-the-middle position) can intercept LDAP connections. No prior authentication or user interaction is required. The attacker presents a valid certificate signed by a trusted Certificate Authority but issued for a different hostname; the client accepts it without verifying the hostname match. The attacker can then decrypt, read, and modify LDAP traffic [2][4].

Impact

Successful exploitation allows an attacker to obtain full disclosure of LDAP communications, including credentials and directory data, and to inject or alter LDAP operations. This compromises confidentiality and integrity of LDAP sessions, potentially leading to unauthorized access to directory services [2][4].

Mitigation

Upgrade to net-ldap version 0.16.0 or later, which includes proper hostname verification against the server certificate. No workaround is documented for earlier versions. The fix was released in December 2017 [4]. This CVE is not listed in the Known Exploited Vulnerabilities (KEV) catalog.
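The missing step is the hostname check OpenSSL performs with verify_certificate_identity. The following Ruby is an added illustration, not net-ldap's own code: it builds a constructed self-signed test certificate and shows the post-connection identity check a client must run, in addition to chain validation, before trusting an LDAPS or StartTLS session. The certificate names and helper functions are assumptions for the example.

```ruby
require "openssl"

# Build a self-signed certificate naming the given hosts (constructed test data,
# not a real server certificate). First name becomes the CN, all names go in the SAN.
def build_test_cert(names)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{names.first}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  san = names.map { |n| "DNS:#{n}" }.join(",")
  cert.add_extension(ef.create_extension("subjectAltName", san))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# The identity check that net-ldap < 0.16.0 skipped: does the presented certificate
# name the host we meant to connect to? Chain validation (VERIFY_PEER plus a CA file)
# only answers "is this certificate trusted?", not "is it for this server?".
def ldap_server_identity_ok?(cert, intended_host)
  OpenSSL::SSL.verify_certificate_identity(cert, intended_host)
end

# Decision a hardened client makes after SSLSocket#connect: both the chain must have
# verified and the name must match, otherwise the session is rejected.
def accept_ldap_tls_session?(cert, intended_host, chain_verified:)
  chain_verified && ldap_server_identity_ok?(cert, intended_host)
end

if __FILE__ == $0
  cert = build_test_cert(["ldap.example.test"])
  puts accept_ldap_tls_session?(cert, "ldap.example.test", chain_verified: true) # true
  # A CA-signed certificate for some other name passes chain validation alone,
  # which is exactly the gap this CVE describes; the identity check closes it.
  puts accept_ldap_tls_session?(cert, "ldap.other.test", chain_verified: true)   # false
end
```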

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: net-ldap (RubyGems)
Affected versions: < 0.16.0
Patched versions: 0.16.0
