A new vulnerability in the NGNIX web server was publicly disclosed on Twitter a few days ago. On the other hand, NGINX responded on April 11 with an article claiming that after investigating the problem, it had discovered that it only affected reference implementations. In particular, the NGINX LDAP reference implementation, which employs LDAP to authenticate users of NGINX-proxied applications.
NGINX is a free and open-source HTTP and reverses proxy server, mail proxy, and TCP/UDP proxy server. NGINX was initially designed to serve static files, but it has since evolved into a full-featured web server capable of handling a wide range of server tasks. NGINX has surpassed Apache in popularity because of its small footprint and ability to scale quickly on low-cost hardware. NGINX, according to experts, can handle thousands of static content connections at once and is 2.5 times faster than Apache.
LDAP (lightweight directory access protocol) is a protocol that allows applications to query user information quickly. Companies keep usernames, passwords, email addresses, printer connections, and other static data in directories. LDAP is an open, vendor-neutral application protocol for accessing and maintaining that data. LDAP also handles authentication, allowing users to log in once and access multiple files on the server.
ABOUT THE VULNERABILITY
Several proxy set header directives are used to configure the LDAP reference implementation. The configuration parameters can also be set on the command line when the Python program is started. Unsanitized input can change or set LDAP configuration parameters, which exposes the vulnerabilities.
The NGINX blog outlines the conditions that must be met for the vulnerabilities to be exploited:
• The Python daemon is configured using command-line parameters.
• some configuration parameters aren’t used.
• LDAP authentication is conditional on membership in a specific group.
The exploit has two stages, according to the group, and begins with LDAP injection. LDAP stands for Lightweight Directory Access Protocol, and LDAP Injection is a web-based application attack that uses user input to construct LDAP statements.
In can cause remote code execution on a vulnerable system. Hence attacker has can power to capture all your data from your server and cause a full data breach.
ARE YOU AFFECTED?
If you are using NGNIX as your webserver, then you may think that this vulnerability can destroy your organization, but you may be safe from this vulnerability because not all NGNIX versions are affected. To check for this vulnerability or any other vulnerability, you may check out ThreatScan, which provides AI-based Security Testing with a 0% false positivity rate.
NGINX offers mitigation suggestions for each of these issues:
An attacker can override some or all of the configuration parameters specified on the command line by passing specially crafted HTTP request headers. To prevent this, make sure the corresponding configuration parameters in the location = /auth-proxy block of the NGINX configuration have an empty value.
In the NGINX configuration, ensure that any unused, optional parameters have an empty value in the location = /auth-proxy block.
Suppose The Python code doesn’t sanitize the data it receives. As a result, an attacker can use a specially crafted request header to bypass the group membership check and force LDAP authentication to succeed even if the user is not a member of the required groups. To avoid this, make sure that any special characters in the username field are removed from the backend code that displays the login form. It must also remove the opening and closing parenthesis characters () and the equal sign =, all of which have special meaning for LDAP servers.
According to NGINX, the backend code in the LDAP reference implementation will be updated soon to sanitize this type of input.
Organizations using LDAP must encrypt traffic using TLS certificates on IoT devices, keep the firmware up to date, and use proper password management because LDAP extends to IoT devices. There are many more than IT devices.
Before passing any input to the server, make sure it’s sanitized.