Nginx Release Advisory about Nginx 0day Claims

Nginx Zero-Day RCE Vulnerability Alert: what is it?

Nginx RCE 0day

It all started on 9th April, when a Twitter account connected to a group called “BlueHornet” tweeted about an experimental exploit for NGINX 1.18, claiming that they had exploited a 0day or previously unknown security flaw in NGINX — a web server used by a third of the world’s websites. According to the claims, the vulnerability appears, potentially, to be related to how NGINX interacts with LDAP directory services.

“Against the West” said: “The module relating to the LDAP-auth daemon within Nginx is affected greatly. Anything that involves LDAP optional logins works as well. This includes Atlassian accounts. Just working out if we can bypass some common WAFs. Default Nginx configs seem to be the vulnerable type or common configs.”

Later on, Nginx released an advisory stating that "NGINX Open Source and NGINX Plus are not themselves affected, and no corrective action is necessary if you do not use the reference implementation."

The NGINX LDAP reference implementation uses LDAP to authenticate users of applications being proxied by NGINX. It is published as a Python daemon together with related configuration; its purpose and configuration are described separately in an NGINX blog post.

Nginx does confirm that the LDAP reference implementation is affected by the vulnerabilities, but only under certain conditions. These are:

  1. Command-line parameters are used to configure the Python daemon
  2. There are unused, optional configuration parameters
  3. LDAP authentication depends on specific group membership

The LDAP reference implementation is published as a reference only: it describes the mechanics of how the integration works and all of the components required to verify the integration. It is not a production-grade LDAP solution. For example, there is no encryption of the username and password used for the sample login page, and the security notices call this out.

Mitigation of the Nginx LDAP reference issue

In the same advisory, the NGINX team also published a mitigation guide for the NGINX LDAP issue.

1. Command-Line Parameters Are Used to Configure the Python Daemon

According to the NGINX documentation, the primary way to configure the LDAP reference implementation is with a number of proxy_set_header directives. However, the configuration parameters can also be set on the command line that starts the Python daemon (nginx-ldap-auth-daemon.py). When configuration parameters are specified on the command line, an attacker can override some or all of them by passing specially crafted HTTP request headers. To protect against this, ensure that the corresponding configuration parameters have an empty value in the location = /auth-proxy block in the NGINX configuration:

```nginx
location = /auth-proxy {
    ...
    proxy_set_header X-Ldap-URL      ""; # Empty value when using command-line
                                         # config
    proxy_set_header X-Ldap-BaseDN   ""; # Empty value when using command-line
                                         # config
    proxy_set_header X-Ldap-BindDN   ""; # Empty value when using command-line
                                         # config
    proxy_set_header X-Ldap-BindPass ""; # Empty value when using command-line
                                         # config
    ...
}
```

2. Unused, Optional Configuration Parameters

As with the first condition, an attacker can pass specially crafted HTTP request headers to override certain configuration parameters, depending on the configuration used for the LDAP search template. To protect against this, ensure that any unused, optional parameters have an empty value in the location = /auth-proxy block in the NGINX configuration:

```nginx
location = /auth-proxy {
    ...
    proxy_set_header X-Ldap-Template ""; # Optional, but do not comment
                                         # (use empty value)
    proxy_set_header X-CookieName    ""; # Optional, but do not comment
                                         # (use empty value)
    proxy_set_header X-Ldap-Realm    ""; # Optional, but do not comment
                                         # (use empty value)
    proxy_set_header X-Ldap-Starttls ""; # "True" or empty (do not comment)
    ...
}
```

3. LDAP Group Membership Is Required

According to NGINX, the Python daemon does not sanitize its inputs, which allows an attacker to use a specially crafted request header to bypass the group membership (memberOf) check. As a result, LDAP authentication succeeds even if the user being authenticated does not belong to the required groups.

To mitigate this, ensure that the backend daemon that presents the login form strips any special characters from the username field. In particular, it must remove the opening and closing parenthesis characters – ( ) – and the equal sign (=), all of which have special meanings for LDAP servers. The backend daemon in the LDAP reference implementation will be updated in this way in due course.
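The following is an added example, not code from the NGINX advisory or the reference daemon. It shows the two ways a backend login daemon can neutralise LDAP filter metacharacters in the username before it is interpolated into a search template: the character stripping the advisory recommends, and the stricter RFC 4515 escaping that keeps the value intact. The search template shape `(cn=%(username)s)` is an assumption for illustration.

```python
# Added example: username sanitisation for an LDAP auth backend.
# Not taken from the NGINX reference implementation.

# Characters the advisory says must be removed from the username field.
STRIP_CHARS = "()="

def sanitize_username(username: str) -> str:
    """Mitigation as stated in the advisory: drop '(', ')' and '=' outright."""
    return "".join(ch for ch in username if ch not in STRIP_CHARS)

# RFC 4515 escaping for values embedded in an LDAP search filter. Stricter than
# stripping: every metacharacter survives as a literal, so the lookup stays
# exact even for unusual but legitimate names.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP filter assertion."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

# Assumed template shape (the daemon's X-Ldap-Template header takes a
# template of this kind; this default is constructed for the example).
DEFAULT_TEMPLATE = "(cn=%(username)s)"

def build_search_filter(username: str, template: str = DEFAULT_TEMPLATE) -> str:
    """Interpolate the username only after escaping, so it cannot add clauses."""
    return template % {"username": escape_filter_value(username)}

def filter_is_single_clause(ldap_filter: str) -> bool:
    """Sanity check for a test or log rule: one balanced clause, and no
    literal parentheses inside it that would add filter structure."""
    if not (ldap_filter.startswith("(") and ldap_filter.endswith(")")):
        return False
    inner = ldap_filter[1:-1]
    return "(" not in inner and ")" not in inner

if __name__ == "__main__":
    # Constructed sample usernames with LDAP metacharacters.
    for name in ("alice", "ro(b)=ert*"):
        print(sanitize_username(name), build_search_filter(name))
```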

The hacktivist group claims to have breached UBS Security's China branch and the People's Bank of China's main ATM software with its zero-day. They also noted that they are working on another exploit for MongoDB and another database management framework, and that they will release the proof of concept in a week's time along with a video.
