The NGINX team shares mitigations for the zero-day bug that affects LDAP implementation

A number of mitigations have been issued to address security flaws in NGINX’s Lightweight Directory Access Protocol (LDAP) Reference Implementation.

According to an advisory published Monday, “both NGINX Open Source and NGINX Plus are not affected by this bug, so no actions are necessary if you are not using the reference implementation,” Liam Crilly and Timo Stark of F5 Networks said in the advisory.

NGINX said that the reference implementation, which uses LDAP to authenticate users, is impacted only under three conditions if the deployments involve –

  • Command-line parameters to configure the Python-based reference implementation daemon
  • Unused, optional configuration parameters, and
  • Specific group membership to carry out LDAP authentication

Should any of the aforementioned conditions be met, an attacker could potentially override the configuration parameters by sending specially crafted HTTP request headers and even bypass group membership requirements to force LDAP authentication to succeed even when the falsely authenticated user does’t belong to the group.

As countermeasures, the project maintainers have recommended users to ensure that special characters are stripped from the username field in the login form presented during authentication and update appropriate configuration parameters with an empty value (“”).

The maintainers also stressed that the LDAP reference implementation mainly “describes the mechanics of how the integration works and all of the components required to verify the integration” and that “it is not a production‑grade LDAP solution.”

The disclosure comes after details of the issue emerged in the public domain over the weekend when a hacktivist group called BlueHornet said it had “gotten our hands on an experimental exploit for NGINX 1.18.”

Add a Comment

Your email address will not be published. Required fields are marked *