F5 investigating reports of NGINX zero day

UPDATE 4/12: On Monday evening, NGINX released a blog about the issue, writing that it only affects reference implementations and does not affect NGINX Open Source or NGINX Plus.

The company said deployments of the LDAP reference implementation are affected by the vulnerabilities if command-line parameters are used to configure the Python daemon, if there are unused, optional configuration parameters and if LDAP authentication depends on specific group membership.

NGINX provided specific mitigations for all three instances.

Application security giant F5 said it is investigating an alleged zero day vulnerability affecting the NGINX Web Server.

“We are aware of reports of an issue with NGINX Web Server. We have prioritized investigating the matter and will provide more information as quickly as we can,” a spokesperson told The Record on Monday. 

F5 purchased the company behind the popular open-source web server for $670 million in 2019. 

The issue first came to light on Saturday, when a Twitter account connected to a group called “BlueHornet” tweeted about an experimental exploit for NGINX 1.18.

“As we've been testing it, a handful of companies and corporations have fallen under it,” the group said. They did not respond to requests for comment, but another researcher shared a conversation they had with the people behind BlueHornet about the issue. 

The group explained that the exploit has two stages and starts with LDAP injection. LDAP stands for Lightweight Directory Access Protocol, and LDAP injection is an attack against web-based applications that build LDAP statements (typically search filters) from user input without escaping it, so that filter metacharacters in the input change the meaning of the query.
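To make the injection class described above concrete, here is an added example (not code from the article, from BlueHornet, or from NGINX's ldap-auth daemon) that shows a search filter built from raw input beside the same filter built with RFC 4515 escaping, plus a cheap structural check a reviewer can use to spot the difference. The `(uid=...)` template and the input string are constructed for illustration.

```python
"""Added example: LDAP filter construction, vulnerable vs. escaped.

Not taken from the NGINX ldap-auth reference implementation; the template
and sample input are constructed for illustration only.
"""

# Characters with special meaning inside an LDAP search filter (RFC 4515).
# Backslash is listed first so that escape sequences are not re-escaped.
_FILTER_ESCAPES = [
    ("\\", "\\5c"),
    ("*", "\\2a"),
    ("(", "\\28"),
    (")", "\\29"),
    ("\x00", "\\00"),
]


def escape_filter_value(value: str) -> str:
    """Escape a value so it can only ever be matched literally in a filter."""
    for raw, escaped in _FILTER_ESCAPES:
        value = value.replace(raw, escaped)
    return value


def build_filter_unsafe(username: str) -> str:
    """Vulnerable pattern: raw interpolation lets metacharacters in the
    input alter the structure of the filter (this is LDAP injection)."""
    return f"(uid={username})"


def build_filter_safe(username: str) -> str:
    """Hardened pattern: the value is escaped before interpolation."""
    return f"(uid={escape_filter_value(username)})"


def filter_is_single_assertion(ldap_filter: str) -> bool:
    """Structural sanity check: a filter built from a one-assertion template
    must contain exactly one unescaped '(' and one unescaped ')'."""
    stripped = ldap_filter.replace("\\28", "").replace("\\29", "")
    return stripped.count("(") == 1 and stripped.count(")") == 1


if __name__ == "__main__":
    # Constructed input containing filter metacharacters.
    tainted = "x)(y=z"
    print(build_filter_unsafe(tainted))   # structure changed by the input
    print(build_filter_safe(tainted))     # input matched literally
```

The structural check is a detection aid for review or tests, not a substitute for escaping every interpolated value.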

BlueHornet said they would share the issue with the Nginx security team through bug bounty firm HackerOne or their internal platform. 

The group later created a GitHub page where they explained in detail how they discovered the issue and how it works. 

“We had been given this exploit from our sister group, BrazenEagle, who had been developing it for some weeks. Or at least since Spring4Shell came out,” the group said.

“We were initially confused, as LDAP doesn't interact much with NGINX, however, there is an ldap-auth daemon used alongside NGINX, which allows for this to be used. It primarily is used to gain access to private GitHub, Bitbucket, Jenkins & GitLab instances. As some further analysis is ongoing, the module relating to the LDAP-auth daemon within nginx is affected greatly. ;) Anything that involves LDAP optional logins works as well. This includes Atlassian accounts.”

They claimed that default NGINX configurations seemed to be vulnerable and they recommended users disable certain features to stay protected. 

The group also criticized NGINX for not responding to their messages. 

On Sunday, the group claimed it tested the zero day on the Royal Bank of Canada but did not explain whether the bank had actually been breached. It later said it breached the systems of the Chinese branch of UBS Securities.

Neither institution responded to requests for comment.

Bud Broomhead, CEO at Viakoo, said LDAP has been around for over 25 years and has historically been attractive for threat actors to exploit through LDAP injection, spoofing, and other mechanisms.

"Because LDAP extends to IoT devices (of which there are 5x to 20x more than IT devices), organizations running LDAP need to encrypt traffic using TLS certificates on IoT devices, have automated mechanisms to update IoT device firmware, and ensure the IoT device passwords are updated regularly and follow corporate policies," Broomhead said.

Netenrich's John Bambenek added that he has not seen evidence of exploitation, but said that may change quickly.

"Open source projects we come to rely on can rapidly become windows for attackers as it is no more secure than closed source software," he said.


Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.