CVE-2019-11187

9.8 CRITICAL

📋 TL;DR

This vulnerability allows authentication bypass in GONICUS GOsa LDAP systems. An attacker can log into any account containing the substring 'success' (case-insensitive) using any password. All GOsa installations through April 11, 2019 are affected.

💻 Affected Systems

Products:
  • GONICUS GOsa
Versions: All versions through 2019-04-11
Operating Systems: Linux/Unix systems running GOsa
Default Config Vulnerable: ⚠️ Yes
Notes: Affects LDAP authentication module specifically. Any GOsa installation with default configuration is vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise via administrative account takeover, leading to data exfiltration, privilege escalation, and lateral movement across the network.

🟠 Likely Case: Unauthorized access to user accounts containing 'success' in usernames, potentially exposing sensitive data and enabling further attacks.

🟢 If Mitigated: Limited impact if proper network segmentation and monitoring are in place, though authentication bypass remains a critical issue.

🌐 Internet-Facing: HIGH - If GOsa is exposed to the internet, attackers can easily exploit this without authentication.
🏢 Internal Only: HIGH - Even internally, this allows privilege escalation and lateral movement within the network.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires no authentication and is trivial to execute with simple HTTP requests.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 2019-04-11

Vendor Advisory: https://lists.debian.org/debian-lts-announce/2019/08/msg00009.html

Restart Required: Yes

Instructions:

1. Update GOsa to a version after 2019-04-11.
2. Apply the patches from the GitHub repository.
3. Restart GOsa services.
4. Verify that LDAP authentication is functioning correctly.

🔧 Temporary Workarounds

Username Filtering (Linux)

Temporarily block or rename accounts whose uid contains the substring 'success'. The LDAP substring filter below matches case-insensitively for uid, which mirrors the bypass condition:

ldapsearch -x -b 'ou=people,dc=example,dc=com' 'uid=*success*' | grep uid
ldapmodify -x -D 'cn=admin,dc=example,dc=com' -W -f rename.ldif

Here rename.ldif is an LDIF file you prepare yourself, containing the changetype: modrdn entries for the accounts returned by the search.

🧯 If You Can't Patch

  • Implement network segmentation to isolate GOsa instances from critical systems
  • Enable detailed authentication logging and monitor for suspicious login attempts

🔍 How to Verify

Check if Vulnerable:

Attempt to authenticate with any username containing 'success' and any password via GOsa web interface or API

Check Version:

grep 'Version' /usr/share/gosa/version.txt || dpkg -l | grep gosa

Verify Fix Applied:

After patching, verify that authentication with 'success' substring usernames and incorrect passwords fails

📡 Detection & Monitoring

Log Indicators:

  • Failed authentication attempts for usernames containing 'success'
  • Successful logins from unusual IP addresses with 'success' in username

Network Indicators:

  • HTTP POST requests to authentication endpoints with 'success' in username parameters

SIEM Query:

source="gosa.log" AND (username="*success*" OR user="*success*") AND (action="login" OR action="authenticate")
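The log indicators above, turned into a small scanner as an added example (this is not part of the original page and not GOsa's own code): it applies the same case-insensitive 'success' substring test the bypass keys on to each login event and ranks successful logins highest. The log field layout and the sample lines are constructed assumptions; adapt the regex to your actual GOsa or web-server log format.

```python
import re
from collections import Counter

# Constructed sample log lines (not from a real GOsa deployment); the
# field layout is an assumption made only to keep the example self-contained.
SAMPLE_LOG = """\
2019-04-12T08:01:02Z gosa auth user=alice src=10.0.0.5 result=failure
2019-04-12T08:01:09Z gosa auth user=jsuccessor src=203.0.113.7 result=success
2019-04-12T08:01:15Z gosa auth user=Bob src=10.0.0.9 result=success
2019-04-12T08:02:40Z gosa auth user=SUCCESSMAN src=203.0.113.7 result=failure
2019-04-12T08:02:41Z gosa auth user=SuccessMan src=203.0.113.7 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) gosa auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\w+)$"
)
# Same case-insensitive substring the vulnerable check keys on.
BYPASS_RE = re.compile(r"success", re.IGNORECASE)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_bypass_candidates(log_text):
    """Return (events whose username contains 'success', per-source count
    of such logins that actually succeeded)."""
    hits = []
    successes_per_src = Counter()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or not BYPASS_RE.search(ev["user"]):
            continue
        # A successful login with such a username is the strongest signal;
        # failures still indicate probing against the affected code path.
        ev["severity"] = "high" if ev["result"] == "success" else "medium"
        hits.append(ev)
        if ev["result"] == "success":
            successes_per_src[ev["src"]] += 1
    return hits, successes_per_src


if __name__ == "__main__":
    hits, per_src = find_bypass_candidates(SAMPLE_LOG)
    for ev in hits:
        print(f"[{ev['severity']}] {ev['ts']} user={ev['user']} src={ev['src']} result={ev['result']}")
    for src, n in per_src.most_common():
        print(f"{src}: {n} successful login(s) with 'success' in the username")
```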

🔗 References
