At the end of last week on a Twitter page associated with the hacker group BlueHornet, appeared information about vulnerabilities in NGINX LDAP user authentication software. According to the hackers, they have prepared an experimental exploit for NGINX 1.18.
“After testing it (exploit – ed.), we found out that a number of companies and corporations are vulnerable to it,” BlueHornet reported.
As the hackers explained, the exploitation of the vulnerability takes place in two stages. The first stage is LDAP injection (a type of attack on web applications involving the creation of LDAP operators based on user input data).
According to BlueHornet, the group intended to report its discovery to the Nginx security team via the bug bounty platform HackerOne. Later, a GitHub page was created with detailed explanations of the exploitation of the vulnerability.
The group stated that the vulnerability affects the default NGINX configurations and criticized the developers for not responding to its message in any way. If you believe the hackers, they tested their exploit on the systems of the Royal Bank of Canada, however, whether they were hacked is unknown. Later the band also reported about hacking the systems of the Chinese representative office of UBS Securities.
On Monday, April 11, NGINX developers published a statement regarding the vulnerability and noted that it affects only reference implementations, but not NGINX Open Source and NGINX Plus.
As explained in the company, reference implementations are vulnerable in three cases: if command-line parameters were used for the configuration of the daemon; optional configuration parameters are used; LDAP authentication depends on the specific membership in the group. Methods of protection against exploitation of vulnerability have been developed for all three cases.