NGINX Shares Mitigations for Zero-Day Bug Affecting LDAP Implementation

April 12, 2022

The maintainers of the NGINX web server project have issued mitigations to address security weaknesses in its Lightweight Directory Access Protocol (LDAP) Reference Implementation.

“NGINX Open Source and NGINX Plus are not themselves affected, and no corrective action is necessary if you do not use the reference implementation,” Liam Crilly and Timo Stark of F5 Networks said in an advisory published Monday.

NGINX explained that the reference implementation, which uses LDAP to authenticate users, is affected only under three conditions, namely if the deployment involves:

  • Command-line parameters to configure the Python-based reference implementation daemon
  • Unused, optional configuration parameters, and
  • Specific group membership to perform LDAP authentication

Should any of the aforementioned conditions be met, an attacker could potentially override the configuration parameters by sending specially crafted HTTP request headers, and even bypass group membership requirements to force LDAP authentication to succeed even when the falsely authenticated user does not belong to the group.

As countermeasures, the project maintainers have recommended that users ensure special characters are stripped from the username field in the login form presented during authentication, and that they update the appropriate configuration parameters with an empty value (“”).
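The two countermeasures above, modelled as an added example (not the nginx-ldap-auth project's own code): a username sanitiser that removes LDAP filter metacharacters before the name is interpolated into a search filter, and a small model of how setting a per-request override header to an empty value in the proxy configuration keeps client-supplied headers from reaching the auth daemon. The header name `X-Ldap-Template` and the `cli_default` value are assumptions for illustration.

```python
import re

# Metacharacters of an LDAP search filter (RFC 4515): parentheses, wildcard,
# backslash escape and NUL. Stripping them means a username can never close
# or extend the filter expression it is interpolated into.
_FILTER_SPECIALS = re.compile(r"[()*\\\x00]")


def strip_username(username: str) -> str:
    """First mitigation: drop filter metacharacters from the login-form username."""
    return _FILTER_SPECIALS.sub("", username)


def build_search_filter(template: str, username: str) -> str:
    """Interpolate the sanitised username into a filter template such as
    '(cn=%(username)s)'."""
    return template % {"username": strip_username(username)}


def proxy_headers(client_headers: dict, operator_set: dict) -> dict:
    """Second mitigation, modelled: the auth daemon reads per-request overrides
    from request headers. Headers the operator sets in the proxy config always
    win over the client's copy; an empty operator value means the header is
    not forwarded at all, so the daemon falls back to its command-line default.
    (Assumption: this mirrors the proxy's set-header semantics.)"""
    forwarded = {k: v for k, v in client_headers.items() if k not in operator_set}
    for name, value in operator_set.items():
        if value != "":
            forwarded[name] = value
    return forwarded


def effective_param(cli_default: str, forwarded: dict, header: str) -> str:
    """Value the daemon ends up using for one overridable parameter."""
    return forwarded.get(header, cli_default)


if __name__ == "__main__":
    # Constructed request: the client tries to replace the filter template.
    client = {"X-Ldap-Template": "(objectClass=*)", "Accept": "*/*"}
    cli_default = "(cn=%(username)s)"   # assumed daemon command-line default

    weak = proxy_headers(client, {})                       # header not managed
    fixed = proxy_headers(client, {"X-Ldap-Template": ""})  # set to "" per advisory
    print("weak  :", effective_param(cli_default, weak, "X-Ldap-Template"))
    print("fixed :", effective_param(cli_default, fixed, "X-Ldap-Template"))
    print("filter:", build_search_filter(cli_default, "alice)(|(cn=*"))
```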

The maintainers also stressed that the LDAP reference implementation mainly “describes the mechanics of how the integration works and all of the components required to verify the integration” and that “it is not a production-grade LDAP solution.”

The disclosure comes after details of the issue emerged in the public domain over the weekend, when a hacktivist group known as BlueHornet claimed it had “gotten our hands on an experimental exploit for NGINX 1.18.”

Some parts of this post are sourced from:
thehackernews.com
