-----BEGIN PGP SIGNED MESSAGE-----
AUSCERT Security Bulletin
14 April 2022
AusCERT Security Bulletin Summary
Product: Nginx Zero-Day
Operating System: UNIX variants (UNIX, Linux, OSX)
Revision History: April 14 2022: Re-formatting
April 13 2022: Formatting
April 13 2022: Initial Release
A hacktivist group calling itself "Against the West" has claimed a new zero-day
vulnerability in the Nginx web server that allows remote code execution
on a vulnerable system.
NGINX confirmed security vulnerabilities in the NGINX LDAP reference implementation only.
"NGINX Open Source and NGINX Plus are not themselves affected, and no
corrective action is necessary if you do not use the reference implementation."
NGINX noted in its advisory that it is published as a reference implementation
and is not a production-grade LDAP solution.
"For example, there is no encryption of the username and password used for
the sample login page, and security notices call this out."
The hacktivist group states that it has reported its findings to the NGINX team
and is seeking a reward, but also claims to have been offered significant sums
for the exploit by other interested groups.
NGINX determined that only the reference implementation is affected, and that
exploitation is possible only under specific conditions.
"When configuration parameters are specified on the command line,
an attacker can override some or all of them by passing specially crafted
HTTP request headers."
These are the conditions for the exploit:
1. Command-line parameters are used to configure the Python daemon
2. There are unused, optional configuration parameters
3. LDAP authentication depends on specific group membership
NGINX suggested these mitigations:
Mitigating Condition 1: Command-Line Parameters Are Used to Configure the Python Daemon
When configuration parameters are specified on the command line,
an attacker can override some or all of them by passing specially crafted HTTP request headers.
To protect against this, ensure that the corresponding configuration parameters
have an empty value in the location = /auth-proxy block in the NGINX configuration
(nginx-ldap-auth.conf in the repo).
Mitigating Condition 2: Unused, Optional Configuration Parameters
As in Condition 1, an attacker can pass specially crafted HTTP request
headers to override certain configuration parameters, depending on the configuration used for
the LDAP search template. To protect against this, ensure that any unused,
optional parameters have an empty value in the location = /auth-proxy block
in the NGINX configuration.
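As an added illustration of Conditions 1 and 2 (this is not code from the bulletin or from the NGINX reference implementation), the Python audit below compares a location block that leaves parameters to the daemon's command line against one that pins every parameter with an empty value, and reports which daemon headers a client could still supply. The header names and the layout of nginx-ldap-auth.conf are assumptions about the reference implementation, not quoted from this bulletin.

```python
import re

# Header names the Python daemon reads its parameters from. This list is an
# assumption about the reference implementation (nginx-ldap-auth); the bulletin
# does not enumerate them, so adjust it to match the daemon you run.
DAEMON_HEADERS = [
    "X-Ldap-URL", "X-Ldap-BaseDN", "X-Ldap-Template", "X-Ldap-BindDN",
    "X-Ldap-BindPass", "X-Ldap-Starttls", "X-Ldap-Realm", "X-CookieName",
]

# Constructed sample in the layout of nginx-ldap-auth.conf. Bind credentials
# and the optional parameters are left to the daemon's command line, so the
# block never sets those headers and nginx forwards whatever the client sent.
WEAK_CONF = """
location = /auth-proxy {
    internal;
    proxy_pass http://127.0.0.1:8888;
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
    proxy_set_header X-Ldap-URL "ldap://ldap.example.test";
    proxy_set_header X-Ldap-BaseDN "dc=example,dc=test";
    proxy_set_header X-Ldap-Template "(cn=%(username)s)";
}
"""

# Same block with every parameter pinned. An empty value makes nginx drop the
# header entirely, so a crafted client header of that name never reaches the
# daemon and the daemon falls back to its own command-line value.
HARDENED_CONF = """
location = /auth-proxy {
    internal;
    proxy_pass http://127.0.0.1:8888;
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
    proxy_set_header X-Ldap-URL "ldap://ldap.example.test";
    proxy_set_header X-Ldap-BaseDN "dc=example,dc=test";
    proxy_set_header X-Ldap-Template "(cn=%(username)s)";
    proxy_set_header X-Ldap-BindDN "";
    proxy_set_header X-Ldap-BindPass "";
    proxy_set_header X-Ldap-Starttls "";
    proxy_set_header X-Ldap-Realm "";
    proxy_set_header X-CookieName "";
}
"""


def auth_proxy_block(conf: str) -> str:
    """Return the body of the 'location = /auth-proxy' block (no nested blocks expected)."""
    match = re.search(r"location\s*=\s*/auth-proxy\s*\{(.*?)\}", conf, re.S)
    if match is None:
        raise ValueError("no 'location = /auth-proxy' block found")
    return match.group(1)


def header_values(block: str) -> dict:
    """Map each proxy_set_header name in the block to its unquoted value."""
    values = {}
    for m in re.finditer(r"^\s*proxy_set_header\s+(\S+)\s+(.*?)\s*;", block, re.M):
        values[m.group(1)] = m.group(2).strip("\"'")
    return values


def unpinned_headers(conf: str, headers=DAEMON_HEADERS) -> list:
    """Daemon parameter headers the block does not set at all.

    A header set to any value, empty or not, is controlled by the config;
    only headers missing from the block are forwarded from the client.
    """
    present = header_values(auth_proxy_block(conf))
    return sorted(h for h in headers if h not in present)


def audit(conf: str) -> str:
    """One-line verdict for the given configuration text."""
    missing = unpinned_headers(conf)
    if not missing:
        return "OK: every daemon parameter is pinned in location = /auth-proxy"
    return "WEAK: client-supplied headers reach the daemon for " + ", ".join(missing)


if __name__ == "__main__":
    print(audit(WEAK_CONF))
    print(audit(HARDENED_CONF))
```

Run the audit against your own nginx-ldap-auth.conf after adjusting DAEMON_HEADERS; a parameter that the daemon takes from the command line, or never uses at all, should appear in the block with an empty value so that nginx strips any client copy of that header before proxying.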
Mitigating Condition 3: LDAP Group Membership Is Required
The Python daemon does not sanitize its inputs. To mitigate this,
ensure that the backend daemon that presents the login form strips any
special characters from the username field.
In particular, it must remove the opening and closing parenthesis characters - ( ) - and
the equal sign (=), which all have special meaning for LDAP servers.
The backend daemon in the LDAP reference implementation will be updated in this way in due course.
Addressing Security Weaknesses in the NGINX LDAP Reference
Nginx Zero-Day RCE Vulnerability Alert
Is there a 0day in NGINX? F5 investigates claims, finds LDAP issues
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
Australian Computer Emergency Response Team
The University of Queensland
Internet Email: firstname.lastname@example.org
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----