CVE-2019-12046
📋 TL;DR
CVE-2019-12046 is an incorrect access control vulnerability in LemonLDAP::NG 2.0.3 that allows attackers to bypass authentication and authorization mechanisms. This affects systems using LemonLDAP::NG for single sign-on and web access management, potentially exposing protected applications and data.
💻 Affected Systems
- LemonLDAP::NG
📦 What is this software?
LemonLDAP::NG, a web single sign-on (SSO) and access management platform developed by the LemonLDAP::NG project.
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of all applications protected by LemonLDAP::NG, allowing unauthorized access to sensitive data and administrative functions across the entire SSO infrastructure.
Likely Case
Unauthorized access to protected applications and data, potentially leading to data breaches, privilege escalation, and lateral movement within the network.
If Mitigated
Limited impact with proper network segmentation and additional authentication layers, though core SSO functionality remains compromised.
🎯 Exploit Status
The vulnerability is in the core access control logic, making exploitation straightforward once identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.0.4 and later
Vendor Advisory: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1742
Restart Required: Yes
Instructions:
1. Back up the current configuration and data.
2. Download LemonLDAP::NG 2.0.4 or later from https://lemonldap-ng.org/download.
3. Follow the upgrade instructions in the documentation.
4. Restart the LemonLDAP::NG services.
5. Verify functionality.
🔧 Temporary Workarounds
Network Isolation
Restrict access to LemonLDAP::NG instances to trusted networks only (Linux, iptables; replace trusted_network with your own address range):
iptables -A INPUT -p tcp --dport 80 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP
🧯 If You Can't Patch
- Implement an additional authentication layer (e.g., VPN, client certificates) in front of LemonLDAP::NG
- Monitor all authentication attempts and access logs for suspicious activity
🔍 How to Verify
Check if Vulnerable:
Check the LemonLDAP::NG version: run grep 'version' /etc/lemonldap-ng/lemonldap-ng.ini, or query your package manager
Check Version:
perl -MLemonldap::NG::Common -e 'print $Lemonldap::NG::Common::VERSION'
Verify Fix Applied:
Verify version is 2.0.4 or later and test authentication/authorization functionality
📡 Detection & Monitoring
Log Indicators:
- Unexpected successful authentications
- Access from unusual IP addresses
- Authentication bypass patterns in access logs
Network Indicators:
- Unusual authentication traffic patterns
- Access to protected resources without proper authentication flow
SIEM Query:
source="lemonldap-ng.log" (event="authentication_success" AND src_ip NOT IN [trusted_ips]) OR (event="authorization_bypass")
🔗 References
- https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/commits/master
- https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1742
- https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1743
- https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1744
- https://lemonldap-ng.org/download
- https://projects.ow2.org/view/lemonldap-ng/lemonldap-ng-1-9-19-is-out/
- https://projects.ow2.org/view/lemonldap-ng/lemonldap-ng-2-0-4-is-out/
- https://seclists.org/bugtraq/2019/May/38