CVE-2020-16093

7.5 HIGH

📋 TL;DR

LemonLDAP::NG versions through 2.0.8 do not validate X.509 certificates when connecting to LDAP backends by default, allowing man-in-the-middle attacks. This affects all deployments using LDAPS connections with default configuration. Attackers could intercept or manipulate authentication traffic.

💻 Affected Systems

Products:
  • LemonLDAP::NG (lemonldap-ng)
Versions: All versions through 2.0.8
Operating Systems: All platforms running Perl Net::LDAPS module
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects configurations using LDAPS (LDAP over SSL/TLS) connections to backends. Plain LDAP connections are not affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full credential interception leading to account compromise, privilege escalation, and unauthorized access to protected resources.

🟠 Likely Case: Authentication bypass or credential theft through LDAP interception, potentially granting unauthorized access to applications behind LemonLDAP::NG.

🟢 If Mitigated: Limited to denial of service if certificate validation fails, with proper network segmentation preventing interception.

🌐 Internet-Facing: HIGH - Internet-facing LemonLDAP::NG instances are vulnerable to MITM attacks from external attackers.
🏢 Internal Only: MEDIUM - Internal deployments still vulnerable to insider threats or compromised internal systems performing MITM attacks.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires network position to intercept LDAPS traffic. No authentication needed to perform MITM attack.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 2.0.8

Vendor Advisory: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2250

Restart Required: Yes

Instructions:

1. Upgrade to a LemonLDAP::NG version after 2.0.8.
2. Update the configuration to explicitly enable certificate validation.
3. Restart LemonLDAP::NG services.

🔧 Temporary Workarounds

Workaround 1: Enable certificate validation in configuration (applies to: all)

Modify the LemonLDAP::NG configuration to force certificate validation for LDAPS connections: edit lemonldap-ng.ini and set 'verify' => 'require' for LDAP backend connections.

Workaround 2: Use LDAP instead of LDAPS with internal encryption (applies to: all)

Switch to plain LDAP with transport encryption handled at the network layer (VPN, IPsec): change the backend configuration from ldaps:// to ldap:// and implement network-level encryption.
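As an added illustration of the setting Workaround 1 refers to (example code, not LemonLDAP::NG project code): a Perl Net::LDAP client that requires the LDAPS server certificate to chain to a trusted CA, next to the module default that accepts any certificate. The backend URI, CA bundle path and bind DN are assumptions.

```perl
#!/usr/bin/perl
# Added example, not LemonLDAP::NG project code. Net::LDAP's 'verify'
# option defaults to 'none', which is the behaviour behind CVE-2020-16093:
# any server certificate, including one presented by an on-path attacker,
# is accepted and the bind credentials are sent to it.
use strict;
use warnings;
use Net::LDAP;

my $uri    = 'ldaps://ldap.example.internal';    # assumed backend URI
my $cafile = '/etc/ssl/certs/internal-ca.pem';   # assumed CA bundle
my $binddn = 'cn=reader,dc=example,dc=internal'; # assumed service account

# Vulnerable pattern (equivalent to the module default), shown for
# comparison only and not executed here:
#   my $ldap = Net::LDAP->new($uri, verify => 'none');

# Hardened pattern: with verify => 'require' the TLS handshake fails
# unless the server certificate chains to a CA listed in $cafile, so no
# credentials are ever sent over an unverified connection.
sub connect_verified {
    my ($uri, $cafile) = @_;
    # Net::LDAP->new returns undef and sets $@ when the connection or
    # certificate verification fails.
    return Net::LDAP->new($uri, verify => 'require', cafile => $cafile);
}

my $ldap = connect_verified($uri, $cafile)
    or die "LDAPS certificate validation failed: $@\n";

# Only bind after the certificate check succeeded.
my $bind = $ldap->bind($binddn, password => $ENV{LDAP_BIND_PW});
die 'bind failed: ' . $bind->error . "\n" if $bind->code;
print "verified LDAPS connection and bind succeeded\n";
$ldap->unbind;
```

Pointing the script at a backend whose certificate is not signed by the CA in $cafile should make it die at the connect step, which is the behaviour the fixed configuration must show.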

🧯 If You Can't Patch

  • Implement network segmentation to isolate LDAPS traffic from potential attackers
  • Deploy certificate pinning or use internal CA with strict validation

🔍 How to Verify

Check if Vulnerable:

Check LemonLDAP::NG version and verify if LDAPS backend connections have certificate validation disabled in configuration

Check Version:

perl -MLemonldap::NG::Portal -e 'print $Lemonldap::NG::Portal::VERSION'

Verify Fix Applied:

Confirm version is >2.0.8 and check that LDAPS connections have 'verify' parameter set to 'require' or higher

📡 Detection & Monitoring

Log Indicators:

  • LDAPS connection failures without certificate validation errors
  • Unexpected authentication successes from unusual locations

Network Indicators:

  • Unencrypted LDAP traffic despite LDAPS configuration
  • MITM tools intercepting LDAPS ports

SIEM Query:

source="lemonldap-ng" AND (event="authentication" AND result="success") AND src_ip NOT IN trusted_networks
