A new zero-day
nginx Zero-Day RCE flaw affects nginx 18.1. According to the AgainstTheWest Github repo, this bug relates to the LDAP-auth daemon within nginx.
As some further analysis is ongoing, the module relating to the LDAP-auth daemon within nginx is affected greatly. 😉 Anything that involves LDAP optional logins works as well. This includes Atlassian accounts. Just working out if we can bypass some common WAFs. Default nginx configs seem to be the vulnerable type, or common configs.
We highly recommend disabling the
ldapDaemon.enabledproperty. If you plan on setting it up, be sure to change the
ldapDaemon.ldapConfigproperties flag with the correct information and don’t leave it on default. This can be changed until Nginx (fucking) respond to their emails and DMs.
Been talking to some infosec people about this, some mixed responses. Some are saying it’s a problem with LDAP itself and not Nginx, while
ldapDaemonisn’t always used. The exact quote is “CI/CD pipeline hardens the instance, one of the steps is to completely strip out the LDAP module.”. This is partially correct. In fact, it is an option when compiling nginx. However, it could be a problem with LDAP itself.
The issue with this, is that it only works with nginx instance using LDAP, such as any login portal that supplies that authentication method.
Further analysis and testing is required. Looks to only be affecting this version. If it affects updated versions of the LDAP protocol, then we’ll see what comes of that.
Hackers have exploited this flaw in the wild. As this vulnerability does not currently have a patch, it is strongly advised that admins using the nginx web server deploy these mitigations as soon as possible.