CVE-2018-12421

9.8 CRITICAL

📋 TL;DR

CVE-2018-12421 is an authentication bypass vulnerability in LTB Self Service Password that allows attackers to change any user's password without knowing the current password. This affects all users of Self Service Password versions before 1.3. The vulnerability exists due to improper handling of ldap_bind return values and PHP data type issues.
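The TL;DR attributes the bypass to how the result of ldap_bind was handled and to PHP's loose typing. The Python model below is an added example, not code from the LTB project, and shows a weak old-password check beside a hardened one. The directory is a constructed stub whose one assumed behaviour is the documented LDAP one: a simple bind that supplies a name but an empty (or absent) password is an unauthenticated, effectively anonymous bind, and servers that allow it report success; PHP's ldap_bind documentation warns about exactly this. Whether that is the precise code path in Self Service Password is not stated on this page, so treat it as a model of the failure mode. The function names, the `login_dn`/`oldpassword`/`newpassword` form fields and the result codes are hypothetical.

```python
"""Old-password check behind a self-service password change (added example).

The LDAP server is a constructed stub. It models one documented LDAP
behaviour: a simple bind with an EMPTY or missing password is an
"unauthenticated" (anonymous) bind that permissive servers report as success.
"""

# Constructed sample directory: DN -> current password.
ALICE_DN = "uid=alice,ou=people,dc=example,dc=org"
DIRECTORY = {ALICE_DN: "correct horse battery staple"}


def ldap_bind_stub(dn, password, allow_unauthenticated=True):
    """Stand-in for ldap_bind(): True on success, False on failure (assumption)."""
    if password is None or password == "":
        # Name supplied, credential empty: an unauthenticated bind. Servers that
        # allow it answer "success" even though no secret was proven.
        return allow_unauthenticated
    return DIRECTORY.get(dn) == password


def old_password_ok_vulnerable(dn, old_password):
    """Weak pattern: bind with whatever the form sent and trust a truthy result."""
    return bool(ldap_bind_stub(dn, old_password))


def old_password_ok_hardened(dn, old_password):
    """Hardened check: validate both inputs first, then demand an exact True."""
    if not isinstance(dn, str) or not dn.strip():
        return False
    # Reject missing, null, array-valued or blank credentials BEFORE talking
    # to the directory; an empty credential must never reach ldap_bind.
    if not isinstance(old_password, str) or not old_password.strip():
        return False
    return ldap_bind_stub(dn, old_password) is True


def handle_change_request(form, check=old_password_ok_hardened):
    """Decide the outcome of a change request from a POST-like dict.

    Returns a hypothetical result code and writes nothing, so it can be
    exercised with either check function.
    """
    dn = form.get("login_dn")  # assumption: login already resolved to a DN
    if not check(dn, form.get("oldpassword")):
        return "badcredentials"
    new_password = form.get("newpassword")
    if not isinstance(new_password, str) or new_password == "":
        return "newpasswordrequired"
    return "passwordchanged"


if __name__ == "__main__":
    req = {"login_dn": ALICE_DN, "oldpassword": "", "newpassword": "N3w!pass"}
    print("vulnerable:", handle_change_request(req, check=old_password_ok_vulnerable))
    print("hardened:  ", handle_change_request(req))
```

The hardened check does three things worth looking for in any simple-bind password verification: it refuses anything that is not a non-empty string before contacting the directory (which covers missing, null and array-valued form fields), it refuses an empty DN, and it compares the bind result strictly to `True` instead of relying on truthiness.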

💻 Affected Systems

Products:
  • LTB Self Service Password
Versions: All versions before 1.3
Operating Systems: All platforms running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all installations with the password change functionality enabled.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete domain compromise through password reset of administrative accounts, leading to data theft, privilege escalation, and lateral movement.

🟠 Likely Case

Unauthorized password changes for regular users, enabling account takeover and potential access to sensitive systems.

🟢 If Mitigated

Limited impact with proper network segmentation, monitoring, and multi-factor authentication in place.

🌐 Internet-Facing: HIGH - Web-accessible password reset functionality can be exploited remotely without authentication.
🏢 Internal Only: HIGH - Even internally accessible instances can be exploited by malicious insiders or compromised internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending a crafted POST request to the password change endpoint. Public proof-of-concept code exists in GitHub issues.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.3 and later

Vendor Advisory: https://lists.ltb-project.org/pipermail/ltb-announce/2018-June/000023.html

Restart Required: No

Instructions:

1. Back up the current configuration.
2. Download Self Service Password version 1.3 or later from GitHub.
3. Replace the existing installation files with the new version.
4. Verify configuration compatibility.
5. Test the password change functionality.

🔧 Temporary Workarounds

Disable password change functionality (platform: all)

Temporarily disable the password change feature until patching is complete.

# In config.inc.php, disable the password change feature:
$use_change = false;

Implement web application firewall rules (platform: linux)

Block suspicious POST requests to password change endpoints.

# Example mod_security rule
SecRule REQUEST_URI "@contains /change.php" \
    "id:1001,phase:2,deny,status:403,msg:'Blocking password change attempts'"

🧯 If You Can't Patch

  • Implement network-level controls to restrict access to Self Service Password interface
  • Enable detailed logging and monitoring for all password change attempts

🔍 How to Verify

Check if Vulnerable:

Check version in config.inc.php or by examining source files. Versions before 1.3 are vulnerable.

Check Version:

grep -r "\$version" config.inc.php || find . -name "*.php" -exec grep -l "self service password" {} \; | head -1

Verify Fix Applied:

Test the password change functionality with an incorrect old password; the request should be rejected. Confirm that the version is 1.3 or later.

📡 Detection & Monitoring

Log Indicators:

  • Failed LDAP bind attempts followed by successful password changes
  • Multiple password change requests from single IP
  • Password changes without old password validation

Network Indicators:

  • POST requests to /change.php with malformed parameters
  • Unusual traffic patterns to password reset endpoints

SIEM Query:

source="web_logs" AND uri="/change.php" AND status=200 AND NOT (oldpassword=*)
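The indicators above are easier to act on as code. The following Python script is an added example, not part of this page or of Self Service Password, and runs over constructed Apache combined-format access-log lines. One caveat on the SIEM query: standard web server access logs record the request line, not the POST body, so an `oldpassword` field is only available if the application itself logs it. What access logs do give you is the per-source rate of POSTs to `/change.php` and whether that source ever loaded the form page, which is what this script computes. The endpoint path follows the page; the thresholds, the sample addresses and the `ssp.example.org` hostname are assumptions.

```python
"""Spotting abuse of a password-change endpoint in access logs (added example).

The lines in SAMPLE_LOG are CONSTRUCTED in Apache "combined" format, not real
traffic. Two signals are computed: a burst of POSTs to the endpoint from one
source address, and POSTs from an address that never loaded the form page.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

ENDPOINT = "/change.php"  # endpoint named on the page

SAMPLE_LOG = """\
203.0.113.7 - - [14/Jun/2018:10:00:01 +0000] "POST /change.php HTTP/1.1" 200 1523 "-" "curl/7.58.0"
203.0.113.7 - - [14/Jun/2018:10:00:03 +0000] "POST /change.php HTTP/1.1" 200 1523 "-" "curl/7.58.0"
203.0.113.7 - - [14/Jun/2018:10:00:05 +0000] "POST /change.php HTTP/1.1" 200 1523 "-" "curl/7.58.0"
203.0.113.7 - - [14/Jun/2018:10:00:07 +0000] "POST /change.php HTTP/1.1" 200 1523 "-" "curl/7.58.0"
203.0.113.7 - - [14/Jun/2018:10:00:09 +0000] "POST /change.php HTTP/1.1" 200 1523 "-" "curl/7.58.0"
203.0.113.7 - - [14/Jun/2018:10:00:11 +0000] "POST /change.php HTTP/1.1" 200 1523 "-" "curl/7.58.0"
198.51.100.4 - - [14/Jun/2018:10:05:00 +0000] "GET /change.php HTTP/1.1" 200 4021 "-" "Mozilla/5.0"
198.51.100.4 - - [14/Jun/2018:10:05:41 +0000] "POST /change.php HTTP/1.1" 200 1523 "https://ssp.example.org/change.php" "Mozilla/5.0"
198.51.100.4 - - [14/Jun/2018:10:06:02 +0000] "GET /index.php HTTP/1.1" 200 3390 "-" "Mozilla/5.0"
"""

# Apache combined format: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop any query string
    return rec


def find_post_bursts(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: peak count} for sources with >= threshold POSTs to ENDPOINT in any window."""
    recent = defaultdict(deque)  # ip -> timestamps of POSTs still inside the window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != ENDPOINT:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return flagged


def find_posts_without_form_load(lines):
    """Return sorted source IPs that POSTed to ENDPOINT without first GETting the form page."""
    loaded_form = set()
    flagged = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != ENDPOINT:
            continue
        if rec["method"] == "GET" and rec["status"] == 200:
            loaded_form.add(rec["ip"])
        elif rec["method"] == "POST" and rec["ip"] not in loaded_form:
            flagged.add(rec["ip"])
    return sorted(flagged)


def report(lines):
    """Combine both signals into one structure suitable for an alert or a SIEM enrichment."""
    return {
        "bursts": find_post_bursts(lines),
        "no_form_load": find_posts_without_form_load(lines),
    }


if __name__ == "__main__":
    print(report(SAMPLE_LOG.splitlines()))
```

The burst detector counts every POST to the endpoint regardless of status, so a run of 403s from the WAF rule above still surfaces as a burst; the form-load check is a weaker signal on its own (a user may reach the form through a cached page), so treat it as enrichment rather than a stand-alone alert.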
