VTA-00412 – NGINX Shares Mitigations for Zero-Day Bug Affecting LDAP Implementation
Recently, NGINX issued mitigations for security weaknesses in its Lightweight Directory Access Protocol (LDAP) Reference Implementation. The reference implementation, which uses LDAP to authenticate users, is affected only under three conditions: the deployment uses command-line parameters to configure the Python-based reference implementation daemon, it carries unused, optional configuration parameters, or it requires a specific group membership to carry out LDAP authentication.
Once any of these conditions is met, an attacker could override the configuration parameters by sending specially crafted HTTP request headers, and could bypass the group membership requirement so that LDAP authentication succeeds even though the falsely authenticated user does not belong to the group. NGINX Open Source and NGINX Plus are not affected, and no corrective action is necessary if you do not use the reference implementation.
Severity:
High
Attack Surfaces:
Endpoint
Tactics:
Execution, Initial Access, Privilege Escalation
Techniques:
Authentication bypass
Active Defense Tactics:
Detect, Disrupt
Active Defense Techniques:
Security Controls, Software Manipulation
SuperPRO’s Threat Countermeasures Procedures:
1. Add the following configuration to the location = /auth-proxy block in the NGINX configuration, so that any extraneous request headers are ignored during authentication.
2. Ensure that the backend daemon that presents the login form strips special characters from the username field, in particular the opening and closing parenthesis characters ( ) and the equal sign (=).
3. Organizations running LDAP should encrypt traffic using TLS certificates, including on IoT devices, and apply proper password management.
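As an added illustration of countermeasures 1 and 2 together (example code written for this page, not NGINX's configuration or the reference implementation's own daemon), the following Python sketches how an auth daemon can refuse request headers that try to override parameters fixed at startup, ignore parameters it does not expect, and neutralise the parenthesis and equal-sign characters in the username before it is placed in a group-restricted search filter. The X-Ldap-<Name> header scheme, the parameter names, the DNs and the sample request are assumptions constructed for the example; the NGINX-side mitigation the advisory refers to (dropping extraneous headers before they reach the daemon) is a separate layer that this daemon-side check complements rather than replaces.

```python
"""Added example (not code from NGINX or its LDAP reference implementation):
defensive handling of the weaknesses the advisory describes, as it might
look inside a Python auth daemon.  Header names, parameter names, DNs and
the sample request are constructed for this illustration."""

# Characters the advisory says to strip from the username field.
FORBIDDEN_USERNAME_CHARS = frozenset("()=")

# RFC 4515 escapes for characters that carry meaning in a search filter;
# applied after stripping so remaining metacharacters (e.g. '*') are inert.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def sanitize_username(username: str) -> str:
    """Strip ( ) = from the username; refuse an empty result so a username
    made only of metacharacters cannot turn into a wildcard search."""
    cleaned = "".join(ch for ch in username if ch not in FORBIDDEN_USERNAME_CHARS)
    if not cleaned.strip():
        raise ValueError("username is empty after sanitisation")
    return cleaned


def escape_filter_value(value: str) -> str:
    """Escape a value for interpolation into an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(template: str, username: str) -> str:
    """Fill a filter template such as '(cn=%(username)s)' with a sanitised,
    escaped username.  With a group-restricted template the memberOf clause
    can no longer be closed off by characters injected through the username."""
    safe = escape_filter_value(sanitize_username(username))
    return template % {"username": safe}


# Startup configuration, i.e. what the daemon would receive on its command
# line.  Constructed values; the memberOf clause models the group condition.
STARTUP_CONFIG = {
    "url": "ldap://ldap.example.internal:389",
    "basedn": "ou=people,dc=example,dc=internal",
    "template": "(&(cn=%(username)s)(memberOf=cn=admins,ou=groups,dc=example,dc=internal))",
}

# Parameters the front end is expected to pass per request as X-Ldap-<Name>
# headers.  Assumed header scheme: check it against your own deployment.
HEADER_SOURCED = frozenset({"realm"})
HEADER_PREFIX = "x-ldap-"


def resolve_parameters(startup: dict, header_sourced: frozenset, headers: dict):
    """Merge request headers into the configuration.  A header is ignored if it
    targets a parameter fixed at startup (override attempt) or one the daemon
    does not expect from headers (extraneous or unused optional parameter).
    Returns (config, ignored_header_names) so the caller can log the ignored
    headers as a detection signal."""
    config = dict(startup)
    ignored = []
    for name, value in headers.items():
        if not name.lower().startswith(HEADER_PREFIX):
            continue
        param = name[len(HEADER_PREFIX):].lower()
        if param in startup or param not in header_sourced:
            ignored.append(name)
            continue
        config[param] = value
    return config, ignored


if __name__ == "__main__":
    # Constructed request: a crafted username plus headers that try to repoint
    # the daemon at another directory and to supply an unused parameter.
    headers = {
        "X-Ldap-URL": "ldap://directory.attacker.example:389",
        "X-Ldap-Realm": "Restricted",
        "X-Ldap-BindPass": "anything",
        "User-Agent": "example",
    }
    config, ignored = resolve_parameters(STARTUP_CONFIG, HEADER_SOURCED, headers)
    print("ignored headers:", ignored)
    print("filter:", build_search_filter(config["template"], "alice)(|(cn=*"))
```

The list of ignored headers is the part worth wiring into logging: a client that sends X-Ldap-* headers at all is either misconfigured or probing, and that is cheap to alert on.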
Contributed by: Jyao