On Monday, April 11, 2022, NGINX published a security blog post detailing three vulnerabilities in the NGINX LDAP reference implementation. NGINX is web server software that also performs reverse proxy, load balancing, email proxy, and HTTP cache services. No CVE has been assigned to these vulnerabilities at this time. The reference implementation uses Lightweight Directory Access Protocol (LDAP) to authenticate users of NGINX proxied applications. The LDAP reference implementation was not designed to be used in production environments. It was published as a reference implementation, which describes how the integration works, as well as the required components needed. Using the LDAP reference implementation in production poses a significant security risk.
NOTE: NGINX Open Source and NGINX Plus are not affected, unless the LDAP reference implementation is used with other specific conditions.
The highest severity potential attack scenario involving one of these vulnerabilities is an LDAP injection exploit that allows a threat actor to bypass authentication and access restricted resources that are proxied through an NGINX server.
On April 9, 2022, BlueHornet – anonymous hacktivists group – stated the group had an experimental proof-of-concept (PoC) exploit for NGINX. Based on details provided by BlueHornet, the PoC exploit could be leveraging the three vulnerabilities in the LDAP reference implementation. There is little information on the efficacy of the exploit at the moment. BlueHornet has also claimed that they have successfully tested this exploit against NGINX deployments for a select number of organizations. These claims have also not been validated at this time.
NGINX LDAP Reference Implementation Recommendations
Recommendation #1: Determine if you have a Vulnerable NGINX Deployment
NGINX Open Source and NGINX Plus are not inherently vulnerable. The vulnerabilities are present in the NGINX LDAP reference implementation that may be used to authenticate users of NGINX proxied applications. To be vulnerable you must meet the following conditions:
- You need to be using NGINX
- Need to be using the ngx_http_auth_request module (This module is not built by default)
- Enabled with the –with-http_auth_request_module configuration parameter
- LDAP server installed and configured
- The Python LDAP module, python-ldap installed
- Need to use NGINX’s reference implementation of nginx-ldap-auth to proxy authentication through LDAP
- Note: This runs on port 8888
Specifically, LDAP reference implementation deployments are vulnerable if any of the following conditions apply:
- Command-line parameters are used to configure the Python daemon: When configuration parameters are specified on the command line, a threat actor can override some or all of the parameters by passing specially crafted HTTP request headers.
- There are unused, optional configuration parameters: If certain configuration parameters are not set a threat actor could override them by passing specially crafted HTTP request headers.
- LDAP authentication depends on specific group membership: Due to the Python daemon not sanitizing inputs, a threat actor could bypass the group membership check and force LDAP authentication to succeed even if the user does not belong to the specific group.
Recommendation #2: Create a Plan to Replace the NGINX LDAP Reference Implementation
Use the LDAP reference implementation as a model for your own LDAP authentication system, not as the sole implementation for authentication to protected resources or applications.
According to NGINX, “The LDAP reference implementation is published as a reference implementation and describes the mechanics of how the integration works and all of the components required to verify the integration. It is not a production‑grade LDAP solution. For example, there is no encryption of the username and password used for the sample login page, and security notices call this out.”
References
- NGINX Security Blog Addressing Vulnerabilities: https://www.nginx.com/blog/addressing-security-weaknesses-nginx-ldap-reference-implementation/
- NGINX Documentation on LDAP Reference Implementation: https://www.nginx.com/blog/nginx-plus-authenticate-users/
