Pravin Kumar Apr 14, 2022 8:13:29 AM 3 min read

NGINX Zero Day - LDAP Reference Implementation Vulnerability

Timeline

Apr 9, 2022 - Bluehornet tweets about the exploit for NGINX 1.18.

Apr 10, 2022 - News on a potential breach at UBS Securities, China using the NGINX vulnerability. 

Apr 11, 2022 - NGINX posts an article sharing further details on the vulnerability and what it affects.

Introduction to the vulnerability

Nginx is used by a large number of servers as a load balancer. A new vulnerability has been discovered which allows remote code execution through an ldap-auth daemon.

“LDAP doesn’t interact much with Nginx, however, there is a ldap-auth daemon used alongside Nginx, which allows for this to be used. It primarily is used to gain access to private GitHub, Bitbucket, Jenkins & Gitlab instances”, according to AgainstTheWest.

What is NGINX?

Nginx is a web server that can also be used as a reverse proxy, load balancer, mail proxy and HTTP cache. The software was created by Igor Sysoev and publicly released in 2004. Nginx is free and open-source software, released under the terms of the 2-clause BSD license.

Lightweight Directory Access Protocol (LDAP)

LDAP is a mature, flexible, and well-supported standards-based mechanism for interacting with directory servers. It’s often used for authentication and for storing information about users, groups, and applications, but an LDAP directory server is a fairly general-purpose data store and can be used in a wide variety of applications.

NGINX LDAP reference implementation

The NGINX LDAP reference implementation uses LDAP to authenticate users of applications proxied by NGINX. 

The solution uses ngx_http_auth_request_module (Auth Request) in NGINX and NGINX Plus, which forwards authentication requests to an external service. That service is a daemon called ldap‑auth, which communicates with an authentication server.

What can be exploited?

NGINX version 1.18 is affected by this remote code execution vulnerability.

“NGINX Open Source and NGINX Plus are not themselves affected, and no corrective action is necessary if you do not use the reference implementation”, according to a blog published by NGINX.

Circumstances for this vulnerability to be exploited

Here are the circumstances under which this vulnerability can be exploited:

  • Command-line parameters are used to configure the Python daemon. 
  • There are unused, optional configuration parameters.
  • LDAP authentication depends on specific group membership.
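
One way to check a deployment against the first two circumstances, as an added example (not code from this article or from NGINX): the script reports which of the daemon's configuration headers a `location = /auth-proxy` block neither pins with `proxy_set_header` nor drops with `proxy_pass_request_headers off`. The header names and the `/auth-proxy` location come from the reference implementation rather than from this page, and the sample configurations are constructed.

```python
import re

# Headers the daemon reads settings from (from its source, not this article).
DAEMON_HEADERS = {
    "x-ldap-url", "x-ldap-starttls", "x-ldap-basedn", "x-ldap-binddn",
    "x-ldap-bindpass", "x-ldap-template", "x-ldap-realm",
    "x-ldap-disablereferrals", "x-cookiename",
}

def location_body(conf, path):
    """Return the text inside `location = <path> { ... }`, or None."""
    m = re.search(r"location\s*=\s*" + re.escape(path) + r"\s*\{", conf)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(conf) and depth:          # walk to the matching brace
        depth += {"{": 1, "}": -1}.get(conf[i], 0)
        i += 1
    return conf[m.end():i - 1]

def unpinned_headers(conf, path="/auth-proxy"):
    """Daemon headers that a client request could still supply here."""
    body = location_body(conf, path)
    if body is None:
        raise ValueError("no 'location = %s' block found" % path)
    body = re.sub(r"#[^\n]*", "", body)     # drop comments (simplified)
    if re.search(r"\bproxy_pass_request_headers\s+off\s*;", body):
        return set()                        # no client headers are forwarded
    pinned = {h.lower() for h in
              re.findall(r"\bproxy_set_header\s+([\w-]+)\s+[^;]*;", body)}
    return DAEMON_HEADERS - pinned

# Constructed sample: two settings pinned, the optional ones left unset.
WEAK = """
location = /auth-proxy {
    internal;
    proxy_pass http://127.0.0.1:8888;
    proxy_set_header X-Ldap-URL "ldap://ldap.example.test";
    proxy_set_header X-Ldap-BaseDN "dc=example,dc=test";
}
"""
# Same block with client headers dropped and only Authorization re-added.
HARDENED = WEAK.replace("internal;", "internal;\n"
    "    proxy_pass_request_headers off;\n"
    "    proxy_set_header Authorization $http_authorization;")

if __name__ == "__main__":
    print("weak:    ", sorted(unpinned_headers(WEAK)))
    print("hardened:", sorted(unpinned_headers(HARDENED)))
```

An empty result means every setting the daemon accepts is fixed by the proxy; any name it returns is a setting the proxy should pin or set to an empty string.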


Researchers recommend “Disabling the ldapDaemon.enabled property. If you plan to set it up, be sure to change the ldapDaemon.ldapConfig properties flag with the correct information and don’t leave it on default.”

You can also refer to an article released by NGINX addressing the security weaknesses in the NGINX LDAP reference implementation.
