Web server

The NGINX Web Server Project fixed a zero-day flaw in LDAP

A zero-day vulnerability in the LDAP reference implementation of NGINX has been patched by the maintainers of the NGINX Web Server Project. The security update was released in response to this vulnerability.

Application users who are proxied by the NGINX web server, the NGINX LDAP reference implementation uses the Lightweight Directory Access Protocol (LDAP) to authenticate.

In a review, Liam Crilly and Timo Stark of F5 Networks said:-

“Project leaders have addressed security vulnerabilities in the NGINX LDAP Reference implementation that have been publicly shared. We have determined that only the reference implementation is affected.

“There is no need to change anything if you are not using the reference implementation, and no further corrective action is necessary if you are using NGINX Open Source or NGINX Plus as they are unaffected. “

Mitigating conditions

Based on its response, NGINX indicates that only three conditions impact the reference implementation, which uses LDAP for authentication. And here they are:-

  • Command line parameters are used to configure the Python daemon

As detailed in the sample configuration, as well as in the documentation, the primary method of configuring the LDAP reference implementation is to use a number of proxy_set_header directives.

It is also possible to set configuration parameters via the nginx-ldap-auth-daemon.py command line to initialize the Python daemon.

You can prevent this by adding the following configuration to the location=/auth-proxy block in the NGINX configuration (nginx-ldap-auth.conf in the repository) to ensure that all foreign request headers are ignored when authentication.

  • Unused optional configuration parameters

It is possible for an attacker to override certain configuration settings in a configuration by passing specially crafted HTTP request headers if those settings are not set in the configuration.

In order to defend yourself, it will suffice to add the following configuration to the location=/auth-proxy block in the NGINX configuration file.

  • LDAP group membership is required

Since the Python daemon does not sanitize its entries, that is why they become vulnerable to circumvention by an attacker with a specially crafted request header by which they evade checking for group membership (memberOf).

Additionally, LDAP authentication can also be forced to succeed regardless of whether the user to be authenticated is not a member of the required group.

If you want to mitigate this problem, make sure the backend daemon that displays the login form strips the username field of all special characters.

Here users need to change the two characters, and here they are:-

  • Characters in brackets – ( ) –
  • The equal sign (=)

Other than that, these two characters have separate meanings for LDAP servers. Additionally, it is expected that the LDAP daemon in the LDAP reference implementation will be updated in this manner in the near future.

The implementers of LDAP have made it clear that the reference implementation of LDAP is primarily about protocols.

You can follow us on Linkedin, Twitter, Facebook for daily updates on cybersecurity and hacking.