NGINX Shares Mitigations for Zero-Day Bug Affecting LDAP Implementation

VTA-00412 – NGINX Shares Mitigations for Zero-Day Bug Affecting LDAP Implementation

NGINX has recently issued mitigations for security weaknesses in its Lightweight Directory Access Protocol (LDAP) reference implementation. The reference implementation, which uses LDAP to authenticate users, is affected only in deployments that meet at least one of three conditions: command-line parameters are used to configure the Python-based reference implementation daemon; unused, optional configuration parameters are present; or LDAP authentication depends on specific group membership.

If any of these conditions is met, an attacker could override the configuration parameters by sending specially crafted HTTP request headers, and could bypass the group membership requirement so that LDAP authentication succeeds even for a user who does not belong to the required group. NGINX Open Source and NGINX Plus themselves are not affected, and no corrective action is necessary if you do not use the reference implementation.

Severity:
High

Attack Surfaces:
Endpoint

Tactics:
Execution, Initial Access, Privilege Escalation

Techniques:
Authentication bypass

Active Defense Tactics:
Detect, Disrupt

Active Defense Techniques:
Security Controls, Software Manipulation

SuperPRO’s Threat Countermeasures Procedures: 
1. Add the NGINX-recommended configuration to the location = /auth-proxy block in the NGINX configuration so that any extraneous request headers are ignored during authentication.
2. In the backend daemon that presents the login form, strip the opening and closing parenthesis characters ( ) and the equals sign (=) from the username field, so that these special characters cannot reach the LDAP query.
3. Organizations running LDAP should encrypt LDAP traffic with TLS certificates, including on IoT devices, and apply proper password management.
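The daemon-side hardening from step 2, as an added example; this is not code from NGINX or from the nginx-ldap-auth reference implementation. It strips the characters the advisory names and then, going one step further than the advisory, applies RFC 4515 escaping so that no remaining character can change the structure of the LDAP search filter. The filter template, the required group DN and the sample usernames are constructed assumptions, not the reference daemon's actual values. Step 1 is NGINX configuration at the proxy layer and is not shown here.

```python
# Added example: username hardening for an LDAP authentication daemon.
# Not code from NGINX or the nginx-ldap-auth reference implementation;
# the filter template and group DN below are constructed assumptions.

# Characters the advisory tells the backend daemon to strip from the username.
STRIP_CHARS = frozenset("()=")

# RFC 4515 escaping: each special character in a filter value becomes \XX.
_RFC4515_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Constructed filter template: match a person by uid AND require membership
# of the configured group (the membership check the advisory says could
# otherwise be bypassed).
USER_FILTER_TEMPLATE = "(&(objectClass=person)(uid=%(username)s)(memberOf=%(group)s))"
REQUIRED_GROUP = "cn=admins,ou=groups,dc=example,dc=com"  # constructed value


def sanitize_username(username: str) -> str:
    """Drop ( ) and = from the username, as the advisory recommends."""
    return "".join(ch for ch in username if ch not in STRIP_CHARS)


def escape_filter_value(value: str) -> str:
    """Escape a value for insertion into an LDAP search filter (RFC 4515).

    This is the general fix: characters the advisory does not list, such as
    '*' and '\\', also lose their filter meaning.
    """
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def clause_count(ldap_filter: str) -> int:
    """Number of literal '(' in a filter.

    A count that differs from the template's means user input altered the
    filter's structure rather than just a value; useful as a log/alert check.
    """
    return ldap_filter.count("(")


def build_user_filter(username: str, group: str = REQUIRED_GROUP,
                      template: str = USER_FILTER_TEMPLATE) -> str:
    """Hardened path: strip the advisory's characters, then escape the rest."""
    clean_user = escape_filter_value(sanitize_username(username))
    return template % {"username": clean_user, "group": escape_filter_value(group)}


def build_user_filter_unsafe(username: str, group: str = REQUIRED_GROUP,
                             template: str = USER_FILTER_TEMPLATE) -> str:
    """Unhardened path, kept only to show what the hardening prevents."""
    return template % {"username": username, "group": group}


if __name__ == "__main__":
    # Constructed sample inputs: an ordinary login and one carrying filter syntax.
    for user in ("alice", "alice)(uid=*"):
        unsafe = build_user_filter_unsafe(user)
        safe = build_user_filter(user)
        print(f"username {user!r}")
        print(f"  unsafe filter ({clause_count(unsafe)} clauses): {unsafe}")
        print(f"  safe   filter ({clause_count(safe)} clauses): {safe}")
```

With the hardened builder, a username that contains filter syntax still yields a filter with the template's four clauses, so the memberOf clause cannot be displaced; the unhardened builder shows the clause count growing, which is the condition a daemon should log and refuse rather than send to the directory.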

Contributed by:  Jyao
