===========================================================================
                         AUSCERT Security Bulletin

                              ASB-2022.0086.3
                              NGINX Zero-Day
                               14 April 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:          Nginx Zero-Day
Operating System: UNIX variants (UNIX, Linux, OSX)
                  Windows
Resolution:       Mitigation

Revision History: April 14 2022: Re-formatting
                  April 13 2022: Formatting
                  April 13 2022: Initial Release

OVERVIEW

        A new zero-day vulnerability in the Nginx web server, said to allow remote
        code execution on a vulnerable system, has been claimed by a hacktivist group
        called "Against the West".[3]
                        
        NGINX confirmed security vulnerabilities in the NGINX LDAP reference implementation only.
                
        "NGINX Open Source and NGINX Plus are not themselves affected, and no
        corrective action is necessary if you do not use the reference implementation."[1]
                
                
        NGINX noted in its advisory that the LDAP code is published as a reference
        implementation and is not a production-grade LDAP solution.
                
        "For example, there is no encryption of the username and password used for
        the sample login page, and security notices call this out."[3]
                
          
        The hacktivist group has reported its findings to the NGINX team and is
        seeking a reward, but also says it has been offered significant sums for
        the exploit by other interested parties.[4]


IMPACT

        NGINX determined that only the reference implementation is affected, and
        that exploitation requires specific conditions.
                
        "When configuration parameters are specified on the command line,
        an attacker can override some or all of them by passing specially crafted
        HTTP request headers."[1]
        
                
        The conditions required for exploitation are[1]:
                
        1. Command-line parameters are used to configure the Python daemon
        2. There are unused, optional configuration parameters
        3. LDAP authentication depends on specific group membership


MITIGATION

        NGINX suggested these mitigations:
        
        Mitigating Condition 1: Command-Line Parameters Are Used to Configure the Python Daemon
        
        When configuration parameters are specified on the command line,
        an attacker can override some or all of them by passing specially crafted HTTP request headers. 
        To protect against this, ensure that the corresponding configuration parameters
        have an empty value in the location = /auth-proxy block in the NGINX configuration 
        (nginx-ldap-auth.conf in the repo)[1].
        
        Mitigating Condition 2: Unused, Optional Configuration Parameters
        
        As in Condition 1, an attacker can pass specially crafted HTTP request
        headers to override certain configuration parameters, depending on the configuration used for 
        the LDAP search template. To protect against this, ensure that any unused,
        optional parameters have an empty value in the location = /auth-proxy block
        in the NGINX configuration[1].
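        Conditions 1 and 2 share one root cause: any X-Ldap-* header that the
        location = /auth-proxy block does not pin with proxy_set_header is passed
        through from the client. The following added example (not code from NGINX or
        the reference implementation) audits that block for unpinned headers. The
        header names are assumed from the reference implementation's README and the
        configuration text is constructed; verify both against the copy you deploy.

```python
import re

# Request headers the nginx-ldap-auth daemon reads to configure itself
# (assumed from the project's README; verify against the copy you deploy).
LDAP_AUTH_HEADERS = (
    "X-Ldap-URL", "X-Ldap-Starttls", "X-Ldap-BaseDN", "X-Ldap-BindDN",
    "X-Ldap-BindPass", "X-Ldap-Template", "X-Ldap-Realm", "X-CookieName",
)

# One proxy_set_header directive: name, then a quoted or bare value, then ';'.
HEADER_RE = re.compile(
    r'''^\s*proxy_set_header\s+(\S+)\s+("[^"]*"|'[^']*'|[^;\s]+)\s*;''', re.M)

def extract_auth_proxy_block(conf: str) -> str:
    """Return the body of the `location = /auth-proxy { ... }` block."""
    m = re.search(r'location\s*=\s*/auth-proxy\s*\{(.*?)^\s*\}', conf, re.S | re.M)
    if m is None:
        raise ValueError("no 'location = /auth-proxy' block found")
    return m.group(1)

def audit_auth_proxy(conf: str) -> dict:
    """Report which daemon headers nginx does not pin with proxy_set_header.

    A header absent here is forwarded from the client request, so a client can
    override the daemon's command-line value for that parameter. Pinning it to ""
    makes nginx drop the client-supplied header instead.
    """
    block = extract_auth_proxy_block(conf)
    pinned = {name.lower(): value.strip('"\'') for name, value in HEADER_RE.findall(block)}
    missing = [h for h in LDAP_AUTH_HEADERS if h.lower() not in pinned]
    return {"pinned": pinned, "missing": missing}

# Constructed sample: the connection headers are pinned but the optional ones
# (template, realm, cookie name) are not, which is Condition 2 from the advisory.
SAMPLE_CONF = """
location = /auth-proxy {
    internal;
    proxy_pass http://127.0.0.1:8888;
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
    proxy_set_header X-Ldap-URL      "ldap://ldap.example.internal";
    proxy_set_header X-Ldap-Starttls "false";
    proxy_set_header X-Ldap-BaseDN   "cn=Users,dc=example,dc=internal";
    proxy_set_header X-Ldap-BindDN   "cn=nginx,cn=Users,dc=example,dc=internal";
    proxy_set_header X-Ldap-BindPass "";
}
"""

# Hardened variant: every unused optional header is pinned to an empty value.
HARDENED_CONF = SAMPLE_CONF.replace("}",
    '    proxy_set_header X-Ldap-Template "";\n'
    '    proxy_set_header X-Ldap-Realm    "";\n'
    '    proxy_set_header X-CookieName    "";\n}')
```

        Running audit_auth_proxy over both strings lists the three unpinned headers
        for the sample and none for the hardened block.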
        
        Mitigating Condition 3: LDAP Group Membership Is Required
        
        The Python daemon does not sanitize its inputs. To mitigate this, ensure that
        the backend daemon that presents the login form strips any special characters
        from the username field. In particular, it must remove the opening and closing
        parenthesis characters, ( and ), and the equal sign, =, all of which have
        special meaning for LDAP servers. The backend daemon in the LDAP reference
        implementation will be updated in this way in due course[1].
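        The following added example (not the reference implementation's own code)
        shows how the username flows into the LDAP search filter and applies the
        stripping the advisory prescribes; it also goes one step further with an
        RFC 4515 escape of all filter metacharacters as a stricter alternative. The
        default template "(cn=%(username)s)" is assumed from the project's README.

```python
import re

# Search template the reference daemon uses when X-Ldap-Template is not set
# (assumed from the project's README).
DEFAULT_TEMPLATE = "(cn=%(username)s)"

# The three characters the advisory says must be removed from the username.
ADVISORY_STRIP = re.compile(r"[()=]")

def sanitize_username(username: str) -> str:
    """Mitigation for Condition 3 as stated: drop '(', ')' and '='."""
    return ADVISORY_STRIP.sub("", username)

def escape_filter_value(value: str) -> str:
    """Stricter alternative (RFC 4515 value escaping), added here as a
    generalization: encode every filter metacharacter as \\xx instead of
    discarding it, so the value stays intact but can never close or open a
    clause. '=' needs no escaping inside an assertion value."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch
                   for ch in value)

def build_search_filter(username: str, template: str = DEFAULT_TEMPLATE,
                        strict: bool = False) -> str:
    """Substitute the cleaned username into the template the daemon would use."""
    clean = escape_filter_value(username) if strict else sanitize_username(username)
    return template % {"username": clean}

def is_single_equality_filter(search_filter: str) -> bool:
    """Post-condition check: exactly one (attr=value) clause and nothing else."""
    return re.fullmatch(r"\([A-Za-z][A-Za-z0-9-]*=[^()]*\)", search_filter) is not None
```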


REFERENCES

        [1] Addressing Security Weaknesses in the NGINX LDAP Reference
            Implementation
            https://www.nginx.com/blog/addressing-security-weaknesses-nginx-ldap-reference-implementation/

        [2] Nginx Zero-Day RCE Vulnerability Alert
            https://securityonline.info/nginx-zero-day-rce-vulnerability-alert/

        [3] Is there a 0day in NGINX? F5 investigates claims, finds LDAP issues
            https://thestack.technology/nginx0-day-claims/

        [4] NginxDay
            https://github.com/AgainstTheWest/NginxDay

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================