1

In a situation where LDAP credentials get leaked but there is still an IP whitelist in place...

My gut feeling says this isn't right; the credentials should be changed. Is this correct? What technical details can help me impress this upon the concerned party?

MrG
  • 115
  • 5

3 Answers

2

There usually is a reason to use more than one way to protect services. Combining credentials with access-lists ensures that one of those can fail without having to deal with an immediate emergency.

That doesn't mean you shouldn't act when one of them gets compromised; why would you have bothered with implementing more than one if you don't care about them?

Technical risks you may have to deal with include misconfiguration of access-lists and IP spoofing. That's why you don't rely just on access-lists.

However, in my opinion the bigger problem is that the operation expects more than one security measure to be implemented. Someone else may notice a misconfigured access list and think 'no worries, you still need credentials to use the service'.

Bottom line: if you implement more than one security measure, you need to be sure you can rely on every single one of them. Having more than one just reduces the direct impact of one of them being compromised.

Teun Vink
  • 6,788
  • 2
  • 27
  • 35
1

Short answer: IP spoofing can be done, so if the credentials are compromised and you are pretty sure of it, just change them! IP whitelisting may not be enough.

Bear in mind the possibilities of what can be done with those credentials... think about group resources that may be accessed, where there can be other kinds of access or passwords. Maybe a horizontal privilege escalation can be done, so change as many of the compromised accounts/users as possible.

OscarAkaElvis
  • 5,185
  • 3
  • 17
  • 48
1

credentials should be changed

Definitely! Leaked credentials certainly aren't "of little concern" because there is another protective measure in place - security in depth is here to a large part to gain time so that when one security measure fails, you have the chance to notice it and act before the attacker becomes successful.

Depending on what kind of service the credentials and the IP whitelist protect, it might not be an emergency that must be dealt with immediately, but it should definitely be dealt with.

What technical details can help me impress this upon the concerned party?

I see a few possibilities for attacks:

  1. If the service in question is a REST-like (e.g. stateless) service which has endpoints that update business information, then it's possible to abuse these endpoints - since the update is done with an HTTP POST, PUT or DELETE request (or their stateless equivalent if another protocol is used), the client doesn't actually need to get an answer from the service, so he can spoof the source IP of the packet he sends to gain access to these endpoints. The service's answer will be routed to the spoofed IP, but that's beside the point - the damage will already be done.

  2. The attacker can actually get one of these IP addresses. Maybe the whitelist contains IP subnets, e.g. address ranges, which cover all IPs in your offices. You might also have a wifi with guest access that eventually produces network packets with a source IP in the whitelisted range, or you might have a room accessible to the public which has an active ethernet socket which an attacker can use to get a dhcp-provided IP address in the whitelisted range. Both these (fairly common) cases require that the attacker physically visits you.

  3. As an extension of point 2, if some of the whitelisted addresses are from broadband/dialup ISPs to enable your employees to access the service from home, it might be possible for a customer of the same ISP to force the actual owner of a whitelisted IP offline and do that long enough to get assigned the whitelisted IP himself. I think that's unlikely, though.

  4. Chances are that the IP whitelist is just a simple whitelist and isn't clustered into different sets based on access rules. Basically, the IP whitelist is a way to either grant or deny access. Credentials allow much finer-grained access. If you lose credentials, you're stuck with a yes/no decision. So basically anyone who sits behind a machine with a given whitelisted IP now has potential access to every resource the leaked credentials protected. So if the leaked credentials included the head of human resources' credentials, the new intern who has much lower access privileges with another set of credentials, but whose machine is also whitelisted, can now access the company's HR data. That can't be good.

Out of Band
  • 9,150
  • 1
  • 21
  • 30
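The following is an added illustration of the points made in the last answer, not code from any of the posters. It is a small defender-side model in Python: an audit of an IP allowlist that flags broad CIDR entries (the "office subnet" problem from points 2 and 4), and an authorization check that layers credentials on top of the allowlist, showing that a whitelisted low-privilege host can use leaked high-privilege credentials until those credentials are rotated. All addresses, usernames, secrets and role names are constructed sample values.

```python
import hmac
import ipaddress

# Constructed sample allowlist (hypothetical entries): one single host,
# one /24 "office" range and one /28 range.
ALLOWLIST = ["203.0.113.10/32", "198.51.100.0/24", "192.0.2.0/28"]

# Constructed credential store: username -> [secret, role].
# Secrets are stored in plain text here purely to keep the example short.
CREDENTIALS = {
    "hr-head": ["hunter2", "hr-admin"],
    "intern": ["s3cret", "read-only"],
}

# Constructed role -> permission mapping (the "finer-grained" layer).
ROLE_GRANTS = {
    "hr-admin": {"hr_records:read", "hr_records:write"},
    "read-only": {"public_docs:read"},
}


def allowlist_report(entries, max_hosts=8):
    """Summarise how many addresses an allowlist really admits and which
    entries are broader than a single machine or a small, known set."""
    nets = [ipaddress.ip_network(e, strict=False) for e in entries]
    total = sum(n.num_addresses for n in nets)
    broad = [str(n) for n in nets if n.num_addresses > max_hosts]
    return {"total_addresses": total, "broad_entries": broad}


def ip_allowed(addr, entries):
    """Yes/no decision: is the source address inside any allowlisted range?"""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(e, strict=False) for e in entries)


def authorize(src_ip, username, secret, action, entries=ALLOWLIST):
    """Layered check: allowlist first, then credential, then role permission.
    Returns 'allow' or a 'deny: <reason>' string."""
    if not ip_allowed(src_ip, entries):
        return "deny: source not on allowlist"
    cred = CREDENTIALS.get(username)
    if cred is None:
        return "deny: unknown user"
    stored_secret, role = cred
    # Constant-time comparison avoids leaking secret length/prefix via timing.
    if not hmac.compare_digest(stored_secret.encode(), secret.encode()):
        return "deny: bad credential"
    if action not in ROLE_GRANTS.get(role, set()):
        return "deny: role lacks permission"
    return "allow"


def rotate_credential(username, new_secret):
    """Replace a leaked secret; the old one stops working immediately."""
    if username not in CREDENTIALS:
        return False
    CREDENTIALS[username][0] = new_secret
    return True


if __name__ == "__main__":
    print(allowlist_report(ALLOWLIST))
    # An intern's machine on the whitelisted office range, using the leaked
    # HR secret, is accepted by both layers until the credential is rotated.
    print(authorize("198.51.100.42", "hr-head", "hunter2", "hr_records:write"))
    rotate_credential("hr-head", "new-secret-after-rotation")
    print(authorize("198.51.100.42", "hr-head", "hunter2", "hr_records:write"))
```

The report function is the part to run against a real allowlist: a total address count in the hundreds, or any entry flagged as broad, is the concrete number to put in front of the party that considers the leak "of little concern", because every one of those addresses can present the leaked credentials and receive the full permission set they carry.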