CVE-2020-23148

7.5 HIGH

📋 TL;DR

This LDAP injection vulnerability in rConfig allows attackers to manipulate LDAP queries by sending crafted POST requests to the login endpoint. Attackers can potentially extract sensitive information from LDAP directories, including user credentials and organizational data. All organizations running vulnerable versions of rConfig with LDAP authentication enabled are affected.

💻 Affected Systems

Products:
  • rConfig
Versions: 3.9.5 and potentially earlier versions
Operating Systems: All platforms running rConfig
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations using LDAP authentication. Local authentication methods are not vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete LDAP directory compromise allowing extraction of all user credentials, sensitive organizational data, and potential lateral movement to other systems integrated with the same LDAP server.

🟠 Likely Case

Extraction of user credentials and sensitive directory information, leading to unauthorized access to rConfig and potentially other systems using the same LDAP authentication.

🟢 If Mitigated

Limited information disclosure if the LDAP server has proper access controls and query restrictions in place.

🌐 Internet-Facing: HIGH - The vulnerable endpoint is typically exposed for authentication purposes, making it directly accessible to attackers.
🏢 Internal Only: MEDIUM - Internal attackers could still exploit this to gain elevated privileges or access sensitive information.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending crafted POST requests to the vulnerable endpoint. No authentication is required as this is a login function.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.9.6 or later

Vendor Advisory: https://github.com/rconfig/rconfig/security/advisories

Restart Required: No

Instructions:

1. Update rConfig to version 3.9.6 or later.
2. Apply the patch that properly sanitizes the userLogin parameter in ldap/login.php.
3. Verify the fix by testing LDAP authentication functionality.

🔧 Temporary Workarounds

Disable LDAP Authentication (applies to: all)

Temporarily disable LDAP authentication and use local authentication only. To do so, modify the rConfig configuration to turn LDAP authentication off.

Web Application Firewall Rules (applies to: all)

Implement WAF rules that detect and block LDAP injection patterns in the userLogin parameter of POST requests to login.php.

🧯 If You Can't Patch

  • Implement network segmentation to restrict access to rConfig login endpoints
  • Enable detailed logging and monitoring for suspicious LDAP query patterns

🔍 How to Verify

Check if Vulnerable:

Check if running rConfig version 3.9.5 or earlier with LDAP authentication enabled. Review the ldap/login.php file for unsanitized userLogin parameter usage.

Check Version:

Check the rConfig version in the admin interface, or review the version files in the installation directory.

Verify Fix Applied:

Verify the ldap/login.php file properly sanitizes user input. Test LDAP authentication with various inputs to ensure injection attempts are blocked.

📡 Detection & Monitoring

Log Indicators:

  • Unusual LDAP query patterns in authentication logs
  • Failed login attempts with special characters in username field
  • Multiple authentication attempts with varying LDAP filter syntax

Network Indicators:

  • POST requests to /ldap/login.php containing LDAP filter syntax characters like (, ), *, &, |, =

SIEM Query:

source="web_logs" AND uri="/ldap/login.php" AND (request_body CONTAINS "*" OR request_body CONTAINS "(" OR request_body CONTAINS ")" OR request_body CONTAINS "&" OR request_body CONTAINS "|")
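The two defensive pieces this page calls for, sanitizing userLogin before it reaches the LDAP filter (Fix & Mitigation) and flagging login requests that carry filter metacharacters (this section), as an added Python example that is not rConfig's own code. The attribute name, filter layout, access-log layout and sample log lines are assumptions constructed for the example; the escaping follows RFC 4515.

```python
import re
from urllib.parse import parse_qs

# RFC 4515 section 3: characters that must be hex-escaped inside a filter value.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_ldap_value(value: str) -> str:
    """Return value safe to embed as an attribute value inside an LDAP filter."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)

def build_login_filter(user_login: str) -> str:
    """Hardened shape of the filter a login handler builds from userLogin.
    The attribute name and filter layout are assumptions, not rConfig's code."""
    return f"(&(objectClass=person)(uid={escape_ldap_value(user_login)}))"

# Assumed access-log layout: combined log format plus a body="..." field.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "POST (?P<uri>\S+) [^"]*" \d+ \d+ body="(?P<body>[^"]*)"$'
)
_META = set("()*&|=")  # the filter metacharacters listed under Network Indicators

def flag_log_line(line: str):
    """Return (client_ip, userLogin) when a POST to /ldap/login.php carries LDAP
    filter metacharacters in userLogin; otherwise None. Only the injectable field
    is inspected: a whole-body substring match would flag the '=' and '&' that
    every URL-encoded form body contains."""
    m = _LOG_RE.match(line)
    if not m or m.group("uri").split("?")[0] != "/ldap/login.php":
        return None
    user = parse_qs(m.group("body")).get("userLogin", [""])[0]
    return (m.group("ip"), user) if _META & set(user) else None

def scan(lines):
    """Apply flag_log_line to every line and keep the hits."""
    return [hit for hit in map(flag_log_line, lines) if hit]

# Constructed sample log lines (no real hosts, users or payloads).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "POST /ldap/login.php HTTP/1.1" 200 512 body="userLogin=alice&pass=x"',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "POST /ldap/login.php HTTP/1.1" 200 512 body="userLogin=admin%2A%29&pass=x"',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "POST /index.php HTTP/1.1" 200 512 body="userLogin=%2A&pass=x"',
]

if __name__ == "__main__":
    print(build_login_filter("admin*)"))  # metacharacters become \2a and \29
    for ip, user in scan(SAMPLE_LOG):
        print(f"suspicious login attempt from {ip}: userLogin={user!r}")
```

The escaped filter keeps the submitted string as a literal value, so a metacharacter in userLogin can no longer change the filter's structure; the scanner only reports the second constructed line, because the first has a clean username and the third does not hit the vulnerable endpoint.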
