Zero-day vulnerability in the NGINX LDAP reference implementation

The maintainers of the NGINX web server have released security updates to fix a severe zero-day vulnerability in the NGINX LDAP reference implementation. That reference implementation uses the Lightweight Directory Access Protocol (LDAP) to authenticate users of applications proxied by the NGINX web server; it is not part of NGINX itself.

The developers state that NGINX Open Source and NGINX Plus themselves are not affected by the detected issues.

“Security vulnerabilities have been addressed in the NGINX LDAP reference implementation. We have determined that only the reference implementation is affected. NGINX Open Source and NGINX Plus are not affected themselves, and no corrective action is necessary,” the report adds.

According to the report, the LDAP reference implementation is affected by the vulnerabilities when any of the following conditions applies:

  • Command-line parameters are used to configure the Python daemon
  • Optional configuration parameters are left unset
  • LDAP authentication depends on membership in a specific group

Because the daemon takes its configuration from HTTP headers on the authentication subrequest, threat actors could override configuration parameters by sending specially crafted request headers, and the username itself is inserted unchecked into the LDAP search filter: “The Python daemon does not sanitize its inputs. Consequently, an attacker can use a specially crafted request header to bypass the group membership check (memberOf) and force LDAP authentication to succeed even if the user being authenticated does not belong to the required groups.”

As mitigation, the developers recommend verifying that the back-end daemon that presents the login form strips special characters from the username field; in particular, the opening and closing parentheses ( ) and the equal sign (=), which have special meaning in LDAP search filters, must be removed. Users are also encouraged to remove those characters from the username field of the login form itself and, for optional configuration parameters they do not use, to set the corresponding values explicitly to an empty value (“”) in the NGINX configuration, so that a request header cannot supply them.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.