The developer of NGINX, F5 Networks, announced a zero-day vulnerability in the NGINX LDAP reference implementation at the end of the first week of April. It has now published additional information and a mitigation guide for the bug.

Some conditions are required for exploitation

The company states that NGINX Open Source and NGINX Plus are not themselves affected by the vulnerability, so no action is required if the reference implementation is not used. However, if the LDAP reference implementation is in use, any of the following conditions makes the deployment vulnerable:

- Command-line parameters are used to configure the Python daemon
- There are unused, optional configuration parameters
- LDAP authentication depends on specific group membership

F5 Networks has also published a separate mitigation for each of these conditions. The mitigations below follow the same order as the conditions above:

1- Ensure that any extraneous request headers are ignored during authentication by adding the following configuration to the location = /auth-proxy block in the NGINX configuration:

location = /auth-proxy {
    ...
    proxy_pass_request_headers off;
    proxy_set_header Authorization $http_authorization; # If using Basic auth
    ...
}

2- This is mitigated in the same way, by adding the following configuration to the location = /auth-proxy block in the NGINX configuration:

location = /auth-proxy {
    ...
    proxy_pass_request_headers off;
    proxy_set_header Authorization $http_authorization; # If using Basic auth
    ...
}

3- Ensure that the backend daemon that presents the login form strips any special characters from the username field.
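The third mitigation concerns the username that the daemon interpolates into an LDAP search filter. The following Python example is added here and is not code from the NGINX LDAP reference implementation or from F5; it shows two defensive options for that field: escaping filter metacharacters per RFC 4515 (which preserves legitimate usernames) and the stricter character-allowlist stripping the advisory describes. The filter template format `(cn=%(username)s)` and the allowed username character set are assumptions, and the sample usernames are constructed.

```python
import re

# RFC 4515 section 3: these characters carry meaning inside an LDAP filter
# value and must be replaced by a backslash followed by their hex code.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_ldap_filter_value(value: str) -> str:
    """Escape a string so it is treated purely as data inside an LDAP filter.

    A value such as '*)(uid=*' cannot close the enclosing filter clause after
    escaping; it matches only a literal entry containing those characters.
    """
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


# Allowlist approach matching the advisory's wording ("strip any special
# characters"). The permitted set is an assumption; tighten or widen it to
# match the directory's actual naming policy.
_USERNAME_DISALLOWED = re.compile(r"[^A-Za-z0-9._@-]")


def strip_username(value: str) -> str:
    """Remove every character that is not in the conservative username allowlist."""
    return _USERNAME_DISALLOWED.sub("", value)


def build_user_filter(template: str, username: str) -> str:
    """Build the LDAP search filter from a template (assumed to use %(username)s),
    escaping the username before interpolation so it cannot alter the filter."""
    return template % {"username": escape_ldap_filter_value(username)}


if __name__ == "__main__":
    # Constructed inputs: an ordinary username and one containing filter metacharacters.
    for user in ("alice.smith@example.com", "*)(uid=*"):
        print("escaped filter:", build_user_filter("(cn=%(username)s)", user))
        print("stripped name: ", strip_username(user))
```

Escaping is generally preferable to stripping because it keeps usernames that legitimately contain punctuation, while still guaranteeing that the daemon's filter structure is exactly what the template specifies; stripping is simpler but silently changes the identity being looked up.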

According to research by Netcraft, NGINX is serving 23.21% of the million busiest websites as of January 2021.