
It all started on 9th April, when a Twitter account connected to a group called “BlueHornet” tweeted about an experimental exploit for NGINX 1.18, claiming that they had exploited a 0day, or previously unknown security flaw, in NGINX — a web server used by a third of the world’s websites. According to the claims, the vulnerability appeared to be related to how NGINX interacts with LDAP directory services.
“Against the West” said: “The module relating to the LDAP-auth daemon within Nginx is affected greatly. Anything that involves LDAP optional logins works as well. This includes Atlassian accounts. Just working out if we can bypass some common WAFs. Default Nginx configs seem to be the vulnerable type or common configs.”
Later on, Nginx released an advisory stating that "NGINX Open Source and NGINX Plus are not themselves affected, and no corrective action is necessary if you do not use the reference implementation."
The NGINX LDAP reference implementation uses LDAP to authenticate users of applications being proxied by NGINX. It is published as a Python daemon together with the related NGINX configuration; its purpose and configuration are described in a separate NGINX blog post.
NGINX confirms that the LDAP reference implementation is affected by the vulnerabilities, but only under certain conditions. These are:
- Command-line parameters are used to configure the Python daemon
- There are unused, optional configuration parameters
- LDAP authentication depends on specific group membership
The LDAP reference implementation is published as exactly that, a reference: it demonstrates the mechanics of how the integration works and all of the components required to verify it. It is not a production‑grade LDAP solution. For example, the username and password submitted through the sample login page are not encrypted, and the security notices call this out.
Mitigation of the Nginx LDAP reference issue.
1. Command-Line Parameters Are Used to Configure the Python Daemon
location = /auth-proxy {
    ...
    proxy_set_header X-Ldap-URL "";       # Empty value when using command-line config
    proxy_set_header X-Ldap-BaseDN "";    # Empty value when using command-line config
    proxy_set_header X-Ldap-BindDN "";    # Empty value when using command-line config
    proxy_set_header X-Ldap-BindPass "";  # Empty value when using command-line config
    ...
}
2. Unused, Optional Configuration Parameters
location = /auth-proxy {
    ...
    proxy_set_header X-Ldap-Template "";  # Optional, but do not comment out (use empty value)
    proxy_set_header X-CookieName "";     # Optional, but do not comment out (use empty value)
    proxy_set_header X-Ldap-Realm "";     # Optional, but do not comment out (use empty value)
    proxy_set_header X-Ldap-Starttls "";  # "True" or empty (do not comment out)
    ...
}
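Both mitigations above rest on the same NGINX behaviour: request headers are passed through to the proxied auth daemon by default, proxy_set_header overrides a header, and a proxy_set_header with an empty value causes that header not to be passed upstream at all. A header that is merely commented out is therefore neither overridden nor dropped. The following Python script is an added example, not code from NGINX or from the reference implementation: it lints a location block for the eight X-Ldap-*/X-CookieName headers named in the two snippets above and reports any that are not explicitly set, and it models that header-merging rule so the difference between a commented-out line and an empty value is visible. The sample location blocks, hostnames and values are constructed for the example.

```python
import re

# Headers the reference daemon reads from the proxied request, as listed in the
# two mitigation snippets on this page.
REQUIRED_HEADERS = [
    "X-Ldap-URL", "X-Ldap-BaseDN", "X-Ldap-BindDN", "X-Ldap-BindPass",
    "X-Ldap-Template", "X-CookieName", "X-Ldap-Realm", "X-Ldap-Starttls",
]

# Active directive: proxy_set_header NAME "VALUE";  (quotes optional, value may be empty)
_SET_HEADER = re.compile(r'^\s*proxy_set_header\s+(\S+)\s+"?([^";]*)"?\s*;')
# Same directive, but commented out.
_COMMENTED = re.compile(r'^\s*#\s*proxy_set_header\s+(\S+)')

# Constructed example: the weak form, with two headers commented out and two absent.
WEAK_LOCATION = """
location = /auth-proxy {
    proxy_pass http://127.0.0.1:8888;
    # proxy_set_header X-Ldap-URL "ldap://ldap.example.test";
    proxy_set_header X-Ldap-BaseDN "dc=example,dc=test";
    proxy_set_header X-Ldap-BindDN "cn=nginx,dc=example,dc=test";
    proxy_set_header X-Ldap-BindPass "constructed-example-password";
    # proxy_set_header X-Ldap-Template "";
    proxy_set_header X-CookieName "nginxauth";
}
"""

# Constructed example: the hardened form, every header set explicitly (empty where unused).
HARDENED_LOCATION = """
location = /auth-proxy {
    proxy_pass http://127.0.0.1:8888;
    proxy_set_header X-Ldap-URL "ldap://ldap.example.test";
    proxy_set_header X-Ldap-BaseDN "dc=example,dc=test";
    proxy_set_header X-Ldap-BindDN "cn=nginx,dc=example,dc=test";
    proxy_set_header X-Ldap-BindPass "constructed-example-password";
    proxy_set_header X-Ldap-Template "";
    proxy_set_header X-CookieName "nginxauth";
    proxy_set_header X-Ldap-Realm "";
    proxy_set_header X-Ldap-Starttls "";
}
"""


def parse_set_headers(location_block: str) -> dict:
    """Return {lower-cased header name: value} for every active proxy_set_header."""
    headers = {}
    for line in location_block.splitlines():
        m = _SET_HEADER.match(line)
        if m:
            headers[m.group(1).lower()] = m.group(2)
    return headers


def lint_location(location_block: str) -> list:
    """List (header, reason) for each required header that is not explicitly set."""
    active = parse_set_headers(location_block)
    commented = set()
    for line in location_block.splitlines():
        m = _COMMENTED.match(line)
        if m:
            commented.add(m.group(1).lower())
    findings = []
    for name in REQUIRED_HEADERS:
        if name.lower() not in active:
            reason = "commented out" if name.lower() in commented else "not set"
            findings.append((name, reason))
    return findings


def effective_upstream_headers(client_headers: dict, set_headers: dict) -> dict:
    """Model of how nginx assembles the headers sent to the auth daemon (assumption
    based on documented proxy_set_header behaviour): client request headers pass
    through by default, proxy_set_header overrides them, and an empty value drops
    the header entirely."""
    out = {name.lower(): value for name, value in client_headers.items()}
    for name, value in set_headers.items():
        if value == "":
            out.pop(name, None)   # empty value: header is not passed upstream
        else:
            out[name] = value     # non-empty value: client value is replaced
    return out


if __name__ == "__main__":
    for label, block in (("weak", WEAK_LOCATION), ("hardened", HARDENED_LOCATION)):
        print(f"{label}: {lint_location(block) or 'all headers explicitly set'}")
    client = {"X-Ldap-URL": "ldap://client-supplied.test"}
    for label, block in (("weak", WEAK_LOCATION), ("hardened", HARDENED_LOCATION)):
        sent = effective_upstream_headers(client, parse_set_headers(block))
        print(f"{label}: daemon sees X-Ldap-URL = {sent.get('x-ldap-url')!r}")
```

Run it against your own auth-proxy location block: an empty lint result means every header the daemon reads is pinned by NGINX, so the value the daemon sees always comes from the configuration rather than from the request.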