CVE-2019-15941
📋 TL;DR
This vulnerability allows an attacker to bypass the access control rules that LemonLDAP::NG's OpenID Connect Issuer enforces for each Relying Party (RP) by sending a crafted authorization request. Where one OIDC RP is configured with weaker access control rules than another on the same issuer, the attacker can use the weaker RP's rules to obtain access to the RP with the stricter rules. Deployments of LemonLDAP::NG 2.0.x up to and including 2.0.5 that act as an OIDC issuer for more than one RP are affected.
💻 Affected Systems
- LemonLDAP::NG
📦 What is this software?
LemonLDAP::NG, from the LemonLDAP::NG project hosted at OW2, is an open-source web single sign-on and access management suite. Besides its SSO portal and access-control handlers it can act as an identity provider for OpenID Connect, SAML and CAS; the OpenID Connect Issuer is the component affected here.
⚠️ Risk & Real-World Impact
Worst Case
Bypass of the per-RP access control rules enforced by the OIDC issuer, giving an attacker access to any OIDC Relying Party that relies on LemonLDAP::NG and to the data those applications protect.
Likely Case
Unauthorized access to individual applications whose RP access control rules are stricter than those of another RP on the same issuer, with the data exposure or privilege escalation that such access implies.
If Mitigated
Limited: strict redirect-URI filtering on every RP and consistent access control rules across RPs leave the attacker no weaker RP to pivot from, so a crafted request gains nothing.
🎯 Exploit Status
Exploitation requires knowledge of the issuer's OIDC configuration: which RPs exist, how their access control rules differ, and how each RP's authorization request is formed. No exploit code is listed among the references below.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.0.6
Vendor Advisory: https://projects.ow2.org/view/lemonldap-ng/lemonldap-ng-2-0-6-is-out/
Restart Required: Yes
Instructions:
1. Back up the current configuration.
2. Upgrade to LemonLDAP::NG 2.0.6 or later (Debian users: the fixed packages from DSA-4533, referenced below).
3. Restart the LemonLDAP::NG services (portal, manager and handlers, i.e. the web server or FastCGI/uWSGI workers that run them).
4. Confirm the configuration loads under the new version and that the OIDC authorization flow still completes for every RP.
🔧 Temporary Workarounds
Implement URI filtering
Add strict redirect-URI filtering to every OIDC Relying Party so that a crafted authorization request cannot send the authorization code or token to a URI the RP did not register.
In the LemonLDAP::NG configuration, set the allowed redirection URIs for each RP (exact HTTPS URIs, no RP left without any) so that authorization requests whose redirect_uri is not registered for the requesting client_id are rejected.
Equalize access control rules
Ensure all OIDC Relying Parties enforce consistent access control rules, removing the weaker rule an attacker could pivot from.
Review and standardize the access control rule of every OIDC RP in the configuration; an RP with an empty or accept-all rule beside an RP with a restrictive rule is exactly the differential this vulnerability exploits.
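The two workarounds above reduce to a configuration audit. The following Python script is an added example, not code from the LemonLDAP::NG project or the advisories: it reads an lmConf-style JSON configuration and reports RPs without redirect-URI filtering, non-HTTPS or shared redirect URIs, and the rule differential between permissive and strict RPs. The key names (oidcRPMetaDataOptions with its per-RP ClientID, RedirectUris and Rule entries) follow the 2.0 configuration layout but should be checked against your own lmConf-*.json; both sample configurations are constructed, and treating an empty, "accept" or "1" rule as allow-all is an assumption.

```python
"""Audit an lmConf-style LemonLDAP::NG configuration for the two conditions the
workarounds target: RPs without strict redirect-URI filtering, and access control
rules that differ between RPs.  Added example; key names are assumptions to check
against your own lmConf-*.json."""
from urllib.parse import urlsplit

# Constructed sample configuration showing the weaknesses (not a real deployment).
WEAK_CONF = {
    "oidcRPMetaDataOptions": {
        "hr-app": {
            "oidcRPMetaDataOptionsClientID": "hr-client",
            "oidcRPMetaDataOptionsRedirectUris": "https://hr.example.com/cb",
            "oidcRPMetaDataOptionsRule": "$groups =~ /\\bhr\\b/",  # strict rule
        },
        "wiki": {
            "oidcRPMetaDataOptionsClientID": "wiki-client",
            "oidcRPMetaDataOptionsRedirectUris": "",  # no redirect-URI filtering
            "oidcRPMetaDataOptionsRule": "",  # empty: any authenticated user
        },
        "intranet": {
            "oidcRPMetaDataOptionsClientID": "intra-client",
            # plain http, and shares hr-app's callback URI
            "oidcRPMetaDataOptionsRedirectUris": "http://intra.example.com/cb https://hr.example.com/cb",
            "oidcRPMetaDataOptionsRule": "accept",
        },
    }
}

# The same RPs with the workarounds applied: exact HTTPS URIs, one owner each,
# and a restrictive rule on every RP.
HARDENED_CONF = {
    "oidcRPMetaDataOptions": {
        "hr-app": {
            "oidcRPMetaDataOptionsClientID": "hr-client",
            "oidcRPMetaDataOptionsRedirectUris": "https://hr.example.com/cb",
            "oidcRPMetaDataOptionsRule": "$groups =~ /\\bhr\\b/",
        },
        "wiki": {
            "oidcRPMetaDataOptionsClientID": "wiki-client",
            "oidcRPMetaDataOptionsRedirectUris": "https://wiki.example.com/cb",
            "oidcRPMetaDataOptionsRule": "$groups =~ /\\bstaff\\b/",
        },
        "intranet": {
            "oidcRPMetaDataOptionsClientID": "intra-client",
            "oidcRPMetaDataOptionsRedirectUris": "https://intra.example.com/cb",
            "oidcRPMetaDataOptionsRule": "$groups =~ /\\bstaff\\b/",
        },
    }
}

# Assumption: these rule values grant access to every authenticated user.
PERMISSIVE_RULES = {"", "accept", "1"}


def redirect_uris(opts):
    """Registered redirect URIs are stored as one whitespace-separated string."""
    return (opts.get("oidcRPMetaDataOptionsRedirectUris") or "").split()


def is_permissive(rule):
    return (rule or "").strip().lower() in PERMISSIVE_RULES


def audit(conf):
    """Return (rp, finding, detail) tuples; an empty list means nothing to fix."""
    rps = conf.get("oidcRPMetaDataOptions", {})
    findings = []
    owners = {}  # redirect URI -> RPs that registered it
    for name, opts in rps.items():
        uris = redirect_uris(opts)
        if not uris:
            findings.append((name, "no-redirect-uri-filtering",
                             "oidcRPMetaDataOptionsRedirectUris is empty"))
        for uri in uris:
            if urlsplit(uri).scheme != "https":
                findings.append((name, "non-https-redirect-uri", uri))
            owners.setdefault(uri, []).append(name)
    for uri, names in owners.items():
        if len(names) > 1:
            findings.append(("+".join(sorted(names)), "shared-redirect-uri", uri))
    strict = sorted(n for n, o in rps.items()
                    if not is_permissive(o.get("oidcRPMetaDataOptionsRule")))
    weak = sorted(n for n, o in rps.items()
                  if is_permissive(o.get("oidcRPMetaDataOptionsRule")))
    if strict and weak:
        findings.append(("+".join(weak), "rule-differential",
                         "permissive rule beside strict RPs: " + ", ".join(strict)))
    return findings


if __name__ == "__main__":
    for rp, finding, detail in audit(WEAK_CONF):
        print(f"{rp}\t{finding}\t{detail}")
    print("hardened config findings:", audit(HARDENED_CONF))
```

Run it against a copy of the live configuration (json.load of the current lmConf-N.json, or an export from the configuration backend) and treat every finding as a workaround not yet applied; the hardened sample produces none.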
🧯 If You Can't Patch
- Restrict which networks can reach the LemonLDAP::NG portal and its OIDC endpoints as far as the user population allows; an internet-facing portal gains little from this alone
- Deploy WAF rules in front of the portal that reject authorization requests whose redirect_uri does not match the URI registered for the supplied client_id, and alert on the other indicators listed below
🔍 How to Verify
Check if Vulnerable:
Check the LemonLDAP::NG version: every 2.0.x release before 2.0.6 is vulnerable. Then review the OIDC configuration: an instance is exposed when it serves several RPs whose access control rules differ and at least one RP lacks strict redirect-URI filtering.
Check Version:
Query the package manager (Debian/Ubuntu: dpkg -l lemonldap-ng-common or apt show lemonldap-ng; RHEL/CentOS: rpm -q lemonldap-ng-common or yum info lemonldap-ng) or ask the Perl module itself: perl -MLemonldap::NG::Common -e 'print "$Lemonldap::NG::Common::VERSION\n"'
Verify Fix Applied:
Confirm the version is 2.0.6 or later. Then exercise the OIDC authorization flow for each RP with an account that the RP's rule should reject, and confirm the issuer denies access no matter which RP's parameters the request is built from.
📡 Detection & Monitoring
Log Indicators:
- Authorization requests to the OIDC issuer whose parameters do not match the RP registered for the supplied client_id
- Access to an RP granted to accounts that the RP's access control rule should reject
- Authorization responses sent to redirect URIs that are not registered for any RP, or are registered for a different RP than the one requesting
Network Indicators:
- Repeated authorization requests from one client that vary client_id or redirect_uri between attempts
- Authorization requests that combine parameters belonging to two different RP configurations
SIEM Query:
index=web sourcetype=access_combined uri_path="/oauth2/authorize" | rex field=uri_query "client_id=(?<client_id>[^&]+)" | rex field=uri_query "redirect_uri=(?<redirect_uri>[^&]+)" | eval redirect_uri=urldecode(redirect_uri) | lookup oidc_rps client_id OUTPUT registered_uri | where isnull(registered_uri) OR redirect_uri!=registered_uri
(Splunk-style sketch over the portal's web server access logs; the index, sourcetype, the /oauth2/authorize path and the oidc_rps lookup mapping each client_id to its registered redirect URI are placeholders for your environment.)
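The indicators above boil down to one check that can run over the portal's web server access logs: does the redirect_uri of each authorization request belong to the RP identified by its client_id? The following Python detector is an added example, not code from the LemonLDAP::NG project or the advisories. The /oauth2/authorize path, the RP registry and the Apache combined-format log lines are all assumptions or constructed samples; real deployments should feed it the registered URIs from their own configuration.

```python
"""Flag OIDC authorization requests whose redirect_uri is not registered for the
client_id that sent them (the 'unexpected redirection URI' and 'mixed RP
configuration' indicators).  Added example; the endpoint path, the registry and
the log lines are assumptions / constructed data."""
import re
from urllib.parse import urlsplit, parse_qs

AUTHORIZE_PATH = "/oauth2/authorize"  # assumption: issuer's authorize endpoint

# Hypothetical RP registry: client_id -> exact redirect URIs registered for it.
REGISTERED = {
    "wiki-client": {"https://wiki.example.com/cb"},
    "hr-client": {"https://hr.example.com/cb"},
}

# Constructed sample access log lines (Apache combined layout), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Sep/2019:10:00:01 +0000] "GET /oauth2/authorize?response_type=code&client_id=wiki-client&redirect_uri=https%3A%2F%2Fwiki.example.com%2Fcb&scope=openid&state=a1 HTTP/1.1" 302 0
203.0.113.5 - - [10/Sep/2019:10:00:09 +0000] "GET /oauth2/authorize?response_type=code&client_id=wiki-client&redirect_uri=https%3A%2F%2Fhr.example.com%2Fcb&scope=openid&state=a2 HTTP/1.1" 302 0
198.51.100.7 - - [10/Sep/2019:10:01:00 +0000] "GET /oauth2/authorize?response_type=code&client_id=evil-client&redirect_uri=https%3A%2F%2Fhr.example.com%2Fcb&scope=openid HTTP/1.1" 400 0
198.51.100.7 - - [10/Sep/2019:10:01:05 +0000] "GET /oauth2/authorize?response_type=code&client_id=hr-client&redirect_uri=https%3A%2F%2Fhr.example.com%2Fcb%2F..%2Fadmin&scope=openid HTTP/1.1" 302 0
10.0.0.3 - - [10/Sep/2019:10:02:00 +0000] "POST /oauth2/authorize HTTP/1.1" 302 0
10.0.0.3 - - [10/Sep/2019:10:02:01 +0000] "POST /oauth2/token HTTP/1.1" 200 512
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def check_authorize_target(target):
    """Return None for a clean (or irrelevant) request, otherwise a reason string."""
    parts = urlsplit(target)
    if parts.path != AUTHORIZE_PATH:
        return None
    q = parse_qs(parts.query)
    client_id = q.get("client_id", [None])[0]
    redirect_uri = q.get("redirect_uri", [None])[0]
    if client_id is None or redirect_uri is None:
        return "missing-params"
    allowed = REGISTERED.get(client_id)
    if allowed is None:
        return "unknown-client"
    # Exact string comparison: no prefix, host-only or normalised matching,
    # so path tricks such as /cb/../admin are not accepted either.
    if redirect_uri not in allowed:
        return "redirect-uri-not-registered"
    return None


def scan(log_text):
    """Return one alert dict per suspicious GET authorization request."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] == "POST":
            # POST parameters live in the body and are not in the access log;
            # cover those with the WAF or portal-side logging instead.
            continue
        reason = check_authorize_target(m["target"])
        if reason is None:
            continue
        q = parse_qs(urlsplit(m["target"]).query)
        alerts.append({
            "ip": m["ip"], "ts": m["ts"], "status": m["status"],
            "client_id": q.get("client_id", ["-"])[0],
            "redirect_uri": q.get("redirect_uri", ["-"])[0],
            "reason": reason,
        })
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f'{a["ts"]} {a["ip"]} client_id={a["client_id"]} '
              f'redirect_uri={a["redirect_uri"]} -> {a["reason"]}')
```

On the sample the second line (wiki-client pointing at hr-app's callback), the unknown client and the path-traversal variant are flagged; the first request and the token-endpoint call are not. A 302 on a flagged request is the case worth escalating, since the issuer answered it instead of rejecting it.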
🔗 References
- https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1881
- https://projects.ow2.org/view/lemonldap-ng/lemonldap-ng-2-0-6-is-out/
- https://seclists.org/bugtraq/2019/Sep/46
- https://www.debian.org/security/2019/dsa-4533