Description
A new zero-day vulnerability in the NGINX web server, affecting the LDAP-auth reference implementation, has been publicly disclosed. It allows remote code execution on a susceptible system. The new flaw affects NGINX 18.1.
Summary
Although LDAP does not interact much with NGINX itself, an ldap-auth daemon is commonly deployed alongside NGINX, and it is this daemon that makes the flaw exploitable. It is mostly used to gate access to private GitHub, Bitbucket, Jenkins, and GitLab instances. The module linked to the LDAP-auth daemon within NGINX is severely impacted until further investigation is carried out. Anything that uses LDAP for optional logins is affected as well, and this applies to Atlassian accounts too.
How it works
NGINX has confirmed that the reference implementation, which uses LDAP to authenticate users, is impacted only under three conditions, namely where deployments involve:
Command-line parameters used to configure the Python-based reference implementation daemon,
Unused, optional configuration parameters, and
Specific group membership to carry out LDAP authentication.
If any of these conditions are met, an attacker could potentially override configuration parameters by sending specially crafted HTTP request headers, and could also bypass group membership requirements, forcing LDAP authentication to succeed even though the falsely authenticated user does not belong to the required group.
Remediation
According to the project maintainers, users should verify that special characters are stripped from the username field of the login form used during authentication, and should set the relevant configuration parameters to an empty value ("").
The maintainers also noted that the LDAP reference implementation is not a production-grade LDAP solution, but rather shows the mechanics of how the connection works and all the components required to validate the integration.
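As an added example (not code from the NGINX reference implementation or from this advisory), the username check that the remediation calls for, written in Python because the reference daemon is Python. The allow-list pattern, the printf-style filter template and the sample logins are assumptions made for illustration.

```python
import re
from typing import Optional

# Allow-list for login names: letters, digits, dot, underscore, hyphen, '@'.
# Assumption: adjust to the directory's naming policy before deploying.
_USERNAME_RE = re.compile(r"^[A-Za-z0-9._@-]{1,64}$")

# RFC 4515 escapes for characters that are meaningful inside a filter value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def sanitize_username(username: str) -> Optional[str]:
    """Return the username unchanged if it is on the allow-list, else None.

    Rejecting (rather than silently stripping) keeps the audit trail honest:
    a rejected login can be logged and alerted on.
    """
    if _USERNAME_RE.fullmatch(username):
        return username
    return None


def escape_filter_value(value: str) -> str:
    """Escape a string for safe use as an LDAP search-filter value."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(template: str, username: str) -> Optional[str]:
    """Build the search filter a daemon would send to the directory.

    Assumed template style: "(cn=%(username)s)".  Off-list names are
    rejected first; the survivor is escaped as defence in depth.
    """
    clean = sanitize_username(username)
    if clean is None:
        return None
    return template % {"username": escape_filter_value(clean)}


if __name__ == "__main__":
    # Constructed sample logins: a normal one and one carrying filter metacharacters.
    for name in ("alice.smith@example.org", "*)(memberOf=*"):
        print(repr(name), "->", build_search_filter("(cn=%(username)s)", name))
```

Log every `None` result from `build_search_filter` at the daemon boundary; a burst of rejected logins is the detection signal for attempts against this weakness.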
The Guyana National CIRT recommends that users and administrations review this alert and apply it where necessary.