Timeline -
Apr 9, 2022 - Bluehornet tweets about the exploit for NGINX 1.18.
Apr 10, 2022 - News on a potential breach at UBS Securities, China using the NGINX vulnerability.
Apr 11, 2022 - NGINX posts an article sharing further details on the vulnerability and what it affects.
Nginx is used by a large number of servers as a load balancer. A new vulnerability has been discovered that allows remote code execution through the ldap-auth daemon.
“LDAP doesn’t interact much with Nginx, however, there is a ldap-auth daemon used alongside Nginx, which allows for this to be used. It primarily is used to gain access to private GitHub, Bitbucket, Jenkins & Gitlab instances”, according to AgainstTheWest.
Nginx is a web server that can also be used as a reverse proxy, load balancer, mail proxy and HTTP cache. The software was created by Igor Sysoev and publicly released in 2004. Nginx is free and open-source software, released under the terms of the 2-clause BSD license.
LDAP is a mature, flexible, and well-supported standards-based mechanism for interacting with directory servers. It’s often used for authentication and for storing information about users, groups, and applications, but an LDAP directory server is a fairly general-purpose data store and can be used in a wide variety of applications.
The NGINX LDAP reference implementation uses LDAP to authenticate users of applications proxied by NGINX.
The solution leverages the ngx_http_auth_request_module (Auth Request) module in NGINX and NGINX Plus, which forwards authentication requests to an external service. This external service is a daemon called ldap‑auth. It communicates with an authentication server.
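As an added example (not taken from the article or from the NGINX reference repository), here is a minimal NGINX configuration of the flow just described: auth_request sends an internal subrequest to the ldap-auth daemon, and the daemon answers with 2xx (allow) or 401 (deny). The daemon address 127.0.0.1:8888, the backend address, and all LDAP values are assumed placeholders.

```nginx
# Added example: protect an application behind NGINX with the ldap-auth daemon.
# Assumes the daemon listens on 127.0.0.1:8888 and the app on 127.0.0.1:9000.
http {
    upstream backend {
        server 127.0.0.1:9000;
    }

    server {
        listen 8081;

        location / {
            # Every request is first checked by the subrequest to /auth-proxy;
            # only a 2xx answer from the daemon lets the request reach the app.
            auth_request /auth-proxy;
            proxy_pass http://backend/;
        }

        location = /auth-proxy {
            internal;                        # never reachable directly by clients
            proxy_pass http://127.0.0.1:8888; # the ldap-auth daemon
            proxy_pass_request_body off;
            proxy_set_header Content-Length "";

            # The daemon reads its LDAP settings from these request headers.
            # Set each one explicitly here, unused ones to an empty string,
            # so no value is ever taken from the incoming client request.
            proxy_set_header X-Ldap-URL              "ldap://ldap.example.com";  # placeholder
            proxy_set_header X-Ldap-BaseDN           "cn=Users,dc=example,dc=com"; # placeholder
            proxy_set_header X-Ldap-BindDN           "cn=nginx,cn=Users,dc=example,dc=com";
            proxy_set_header X-Ldap-BindPass         "CHANGE-ME";                # placeholder
            proxy_set_header X-Ldap-Template         "(cn=%(username)s)";
            proxy_set_header X-Ldap-Realm            "Restricted";
            proxy_set_header X-Ldap-Starttls         "";
            proxy_set_header X-Ldap-DisableReferrals "";
            proxy_set_header X-CookieName            "";
        }
    }
}
```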
NGINX version 1.18 is affected by this remote code execution vulnerability.
“NGINX Open Source and NGINX Plus are not themselves affected, and no corrective action is necessary if you do not use the reference implementation”, according to a blog published by NGINX.
Here are the circumstances under which this vulnerability can be exploited:
Researchers recommend “Disabling the ldapDaemon.enabled property. If you plan to set it up, be sure to change the ldapDaemon.ldapConfig properties flag with the correct information and don’t leave it on default.”
You can also refer to an article released by NGINX addressing the security weaknesses in the NGINX LDAP reference implementation.