                         AUSCERT Security Bulletin

                              NGINX Zero-Day
                               14 April 2022


        AusCERT Security Bulletin Summary

Product:          Nginx Zero-Day
Operating System: UNIX variants (UNIX, Linux, OSX)
Resolution:       Mitigation

Revision History: April 14 2022: Re-formatting
                  April 13 2022: Formatting
                  April 13 2022: Initial Release


        A new zero-day vulnerability in the Nginx web server has been claimed by a
        hacktivist group called "Against the West", allowing remote code execution
        on a vulnerable system.[3]
        NGINX confirmed security vulnerabilities in the NGINX LDAP reference implementation only.
        "NGINX Open Source and NGINX Plus are not themselves affected, and no
        corrective action is necessary if you do not use the reference implementation."[1]
        NGINX noted in its advisory that the code is published as a reference implementation
        and is not a production-grade LDAP solution.
        "For example, there is no encryption of the username and password used for
        the sample login page, and security notices call this out."[3]
        The hacktivist group states that it has reported its findings to the NGINX team and
        is seeking a reward, but also that it has been offered significant amounts
        by other interested groups for the exploit.[4]


        NGINX determined that only the reference implementation is affected, and
        that exploitation requires specific conditions.
        "When configuration parameters are specified on the command line,
        an attacker can override some or all of them by passing specially crafted
        HTTP request headers."[1]
        The conditions for the exploit are[1]:
        1. Command-line parameters are used to configure the Python daemon
        2. There are unused, optional configuration parameters
        3. LDAP authentication depends on specific group membership


        NGINX suggested these mitigations[1]:

        Mitigating Condition 1: Command-Line Parameters Are Used to Configure the Python Daemon
        When configuration parameters are specified on the command line,
        an attacker can override some or all of them by passing specially crafted HTTP request headers.
        To protect against this, ensure that the corresponding configuration parameters
        have an empty value in the location = /auth-proxy block in the NGINX configuration
        (nginx-ldap-auth.conf in the repo)[1].

        Mitigating Condition 2: Unused, Optional Configuration Parameters
        As in Condition 1, an attacker can pass specially crafted HTTP request
        headers to override certain configuration parameters, depending on the configuration used for
        the LDAP search template. To protect against this, ensure that any unused,
        optional parameters have an empty value in the location = /auth-proxy block
        in the NGINX configuration[1].

        Mitigating Condition 3: LDAP Group Membership Is Required
        The Python daemon does not sanitize its inputs. To mitigate this,
        ensure that the backend daemon that presents the login form strips any
        special characters from the username field.
        In particular, it must remove the opening and closing parenthesis characters - ( ) - and
        the equal sign (=), which all have special meaning for LDAP servers.
        The backend daemon in the LDAP reference implementation will be updated in this way in due course[1].
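        A worked check for the mitigations above, added here and not taken from the bulletin or from NGINX's reference implementation: the first two functions apply the Condition 3 username stripping before the LDAP search template is filled, and the third audits an nginx location = /auth-proxy block for parameter headers it does not set at all (a client-supplied copy of such a header would be forwarded to the daemon, which is the override Conditions 1 and 2 describe). The X-Ldap-* header names and the sample configuration are assumptions, not values from the bulletin.

```python
import re

# Characters the advisory says must be stripped from the username before it is
# placed in the LDAP search template (all three have special meaning to LDAP).
LDAP_SPECIAL = "()="

def sanitize_username(username: str) -> str:
    """Remove the parentheses and equals sign the advisory names."""
    return "".join(ch for ch in username if ch not in LDAP_SPECIAL)

def build_filter(template: str, username: str) -> str:
    """Fill a search template such as '(cn=%(username)s)' with a sanitized name."""
    return template % {"username": sanitize_username(username)}

# Request headers the reference nginx-ldap-auth.conf uses to pass parameters to
# the Python daemon. Assumed names (from the upstream repo, not the bulletin).
AUTH_HEADERS = [
    "X-Ldap-URL", "X-Ldap-BaseDN", "X-Ldap-BindDN", "X-Ldap-BindPass",
    "X-Ldap-Template", "X-Ldap-Realm", "X-Ldap-Starttls", "X-CookieName",
]
_LOCATION_RE = re.compile(r"location\s*=\s*/auth-proxy\s*\{(.*?)\n\s*\}", re.S)
_SET_HEADER_RE = re.compile(r'proxy_set_header\s+(\S+)\s+(?:"[^"]*"|\S+)\s*;')

def unset_headers(conf: str, headers=AUTH_HEADERS) -> list:
    """Parameter headers with no proxy_set_header line in the auth-proxy location.

    nginx forwards the client's request headers upstream unless the location
    sets them, so an unset parameter header is exactly the client-supplied
    override the advisory describes. Mitigation: pin each one to "".
    """
    match = _LOCATION_RE.search(conf)
    if not match:
        return list(headers)
    pinned = set(_SET_HEADER_RE.findall(match.group(1)))
    return [h for h in headers if h not in pinned]

# Constructed sample location block: two parameters pinned empty, two given
# values, and the remaining four not mentioned at all.
SAMPLE_CONF = """
location = /auth-proxy {
    internal;
    proxy_pass http://127.0.0.1:8888;
    proxy_set_header X-Ldap-URL "ldap://ldap.example.test";
    proxy_set_header X-Ldap-BaseDN "dc=example,dc=test";
    proxy_set_header X-Ldap-Template "";
    proxy_set_header X-Ldap-Starttls "";
}
"""
```

Running unset_headers over your own nginx-ldap-auth.conf lists the headers to add as proxy_set_header ... "" lines; an empty list means every parameter header is controlled by nginx rather than by the client.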


        [1] Addressing Security Weaknesses in the NGINX LDAP Reference

        [2] Nginx Zero-Day RCE Vulnerability Alert

        [3] Is there a 0day in NGINX? F5 investigates claims, finds LDAP issues

        [4] NginxDay

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967