The maintainers of the NGINX web server project have issued mitigations to address security weaknesses in its Lightweight Directory Access Protocol (LDAP) Reference Implementation.
“NGINX Open Source and NGINX Plus are not themselves affected, and no corrective action is necessary if you do not use the reference implementation,” Liam Crilly and Timo Stark of F5 Networks said in an advisory published Monday.
According to the advisory, the reference implementation is affected only in deployments that rely on:
- Command-line parameters to configure the Python-based reference implementation daemon
- Unused, optional configuration parameters, and
- Specific group membership to carry out LDAP authentication
If any of these conditions are met, an attacker might be able to override configuration parameters and send specially crafted HTTP request headers to bypass group membership requirements. This could cause the LDAP authentication check to fail open, falsely authenticating the user.
The project maintainers recommend that users ensure special characters are removed from the username field during authentication, and that they update the relevant configuration parameters with an empty value (“”).
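As an added illustration of the first mitigation (this is example code, not code from the NGINX project or its reference implementation), the following Python rejects usernames containing LDAP filter metacharacters before they are interpolated into a search filter, and escapes the value defensively as well; the `(cn=%(username)s)` template and the function names are assumptions for the example.

```python
import re

# Characters that RFC 4515 requires to be escaped inside an LDAP filter value.
_LDAP_FILTER_ESCAPES = {
    "\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00",
}

# Conservative allow-list for usernames: letters, digits, dot, underscore, hyphen.
# Anything else (including the filter metacharacters above) is rejected outright.
_USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def username_is_safe(username: str) -> bool:
    """Return True only if the username contains no LDAP-significant characters."""
    return _USERNAME_RE.fullmatch(username) is not None


def escape_filter_value(value: str) -> str:
    """Escape a value for interpolation into an LDAP search filter (RFC 4515 style)."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(template: str, username: str) -> str:
    """Build the user-lookup filter: reject unsafe usernames, then escape defensively.

    The template (assumed here to be "(cn=%(username)s)") uses %-style
    interpolation with a single 'username' key.
    """
    if not username_is_safe(username):
        raise ValueError("username contains disallowed characters")
    return template % {"username": escape_filter_value(username)}


if __name__ == "__main__":
    # Constructed inputs: a normal login and two that would alter the filter.
    template = "(cn=%(username)s)"
    print(build_search_filter(template, "alice"))
    for bad in ("alice)", "*"):
        try:
            build_search_filter(template, bad)
        except ValueError as exc:
            print(f"rejected {bad!r}: {exc}")
```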
The maintainers stressed that the LDAP reference implementation mainly “describes how the integration works, and all the components necessary to verify it” and “is not a production grade LDAP solution.”
The disclosure comes after details of the issue emerged in the public domain over the weekend, when a hacktivist group called BlueHornet said it had “gotten our hands on an experimental exploit for NGINX 1.18.”