Nginx Zero-Day Remote Code Execution Vulnerability

A new zero-day vulnerability has been discovered in the Nginx LDAP-auth daemon implementation, which allows remote code execution on a vulnerable system. 
 
Nginx is an open-source HTTP and reverse proxy server, a mail proxy server, and a generic TCP/UDP proxy server. Large numbers of servers use Nginx as a load balancer.
 
The vulnerability is known to be exploited in the wild. As per the researchers, “LDAP doesn’t interact much with Nginx, however, there is a ldap-auth daemon used alongside Nginx, which allows for this to be used. It primarily is used to gain access to private GitHub, Bitbucket, Jenkins & Gitlab instances.” The default configuration of Nginx is reported to be vulnerable.
 
Affected versions  
Nginx version 1.18 is affected by this remote code execution vulnerability.  
 
Mitigation  
There is no patch available as of now to address the vulnerability. The researchers recommend the following workaround: “We highly recommend disabling the ldapDaemon.enabled property. If you plan to set it up, be sure to change the ldapDaemon.ldapConfig properties flag with the correct information and don’t leave it on default.”
For more information, customers can refer to the Security Alert.
 
Qualys Detection  
Qualys customers can scan their devices with QID 730432 to detect vulnerable assets.  
  
Please continue to follow Qualys Threat Protection for more coverage on the latest vulnerabilities.  
  
References 
https://github.com/AgainstTheWest/NginxDay 
https://securityonline.info/nginx-zero-day-rce-vulnerability-alert/ 
https://twitter.com/Gi7w0rm/status/1512767468267352069 
