CVE-2021-35473
📋 TL;DR
This vulnerability in LemonLDAP::NG allows an attacker who holds an expired OAuth2 access token to keep replaying it as a bearer credential and reach the resources LemonLDAP::NG protects with that token, because the token's expiration time was not enforced. It affects LemonLDAP::NG deployments that use the OAuth2/OIDC functionality, in versions 2.0.4 through 2.0.11. Any system relying on LemonLDAP::NG for authentication and authorization of those resources is exposed to unauthorized access.
💻 Affected Systems
- LemonLDAP::NG
⚠️ Manual Verification Required
This CVE does not have structured version ranges in our database, so automatic vulnerability detection cannot determine whether your system is affected. The vendor advisory does give the affected range (2.0.4 through 2.0.11, fixed in 2.0.12); use it together with the manual checks below.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete authentication bypass allowing unauthorized access to all protected resources and services behind LemonLDAP::NG, potentially leading to data theft, privilege escalation, and full system compromise.
Likely Case
Unauthorized access to protected applications and services using expired OAuth2 tokens, potentially exposing sensitive data and functionality to attackers.
If Mitigated
Limited impact with proper network segmentation, additional authentication layers, and monitoring for suspicious token usage patterns.
🎯 Exploit Status
Exploitation requires the attacker to hold an access token that was issued to a legitimate OIDC client and has since expired: for example one recovered from application or proxy logs, a leaked request capture, or a compromised client. No forgery is involved; the token is simply replayed in an Authorization: Bearer header after its expiration time has passed. Once such a token is obtained, exploitation is trivial, and because expiry is never enforced, every token the deployment has ever issued and not revoked stays usable.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.0.12
Vendor Advisory: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2549
Restart Required: Yes
Instructions:
1. Back up the current configuration and the session and persistent data stores.
2. Upgrade LemonLDAP::NG to version 2.0.12 or later.
3. Restart the services that host LemonLDAP::NG: the web server (Apache or Nginx) and, for FastCGI/uWSGI deployments, the LemonLDAP::NG FastCGI or uWSGI processes, so that both the Portal and the Handler load the new code.
4. Verify that OAuth2/OIDC functionality works correctly and that an expired access token is now rejected (see How to Verify).
🔧 Temporary Workarounds
Disable OAuth2/OIDC functionality
Temporarily disable OAuth2 and OIDC authentication methods if they are not essential.
Modify the LemonLDAP::NG configuration to remove the OAuth2/OIDC handlers from the virtual hosts they protect, and disable the OIDC provider if nothing else depends on it.
Implement token validation proxy
Add a reverse proxy in front of the protected resources that checks OAuth2 access token expiration before forwarding the request to the LemonLDAP::NG-protected backend. In the affected versions access tokens are opaque strings, so the proxy cannot read an expiry out of the token itself; it has to ask the portal through its token introspection endpoint (RFC 7662). Before relying on this, present a deliberately expired token to the introspection endpoint and confirm it is reported as inactive, otherwise the proxy inherits the same blind spot.
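The validating proxy described above, written out as an added example (this is not LemonLDAP::NG code or a supported feature). It is the decision function such a proxy, or an auth_request-style subrequest, would run before forwarding: the bearer token is sent to an RFC 7662 introspection endpoint, and the request is allowed only if the response says active and carries an exp still in the future. The introspection URL (assumed here to be /oauth2/introspect on the portal host), the client id and the secret are placeholders; the headers argument is a plain dict of request headers.

```python
"""Introspection-based token check for a validating reverse proxy.

Added example, not LemonLDAP::NG code. A proxy (or an auth_request-style
subrequest) calls check_request() before forwarding to the protected
resource; the request is refused unless the bearer token introspects as
active and its 'exp' lies in the future. Assumptions: the portal exposes
an RFC 7662 introspection endpoint (assumed here to be /oauth2/introspect
on the portal host) and the proxy has client credentials allowed to call it.
All URLs and credentials below are placeholders.
"""
import base64
import json
import time
import urllib.parse
import urllib.request

INTROSPECT_URL = "https://auth.example.com/oauth2/introspect"  # placeholder
CLIENT_ID = "token-check-proxy"                                 # placeholder
CLIENT_SECRET = "replace-me"                                    # placeholder


def introspect(token):
    """POST the token to the introspection endpoint (RFC 7662, HTTP Basic
    client auth) and return the parsed JSON. Any transport or parse error
    propagates so that the caller fails closed."""
    body = urllib.parse.urlencode({"token": token}).encode()
    creds = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    req = urllib.request.Request(
        INTROSPECT_URL,
        data=body,
        headers={
            "Authorization": "Basic " + creds,
            "Content-Type": "application/x-www-form-urlencoded",
        },
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)


def bearer_token(headers):
    """Extract the token from 'Authorization: Bearer <token>'; None if absent."""
    auth = headers.get("Authorization") or headers.get("authorization") or ""
    scheme, _, value = auth.strip().partition(" ")
    if scheme.lower() != "bearer" or not value.strip():
        return None
    return value.strip()


def token_is_current(meta, now):
    """True only if the introspection response says active and carries an
    'exp' still in the future. A missing or unparsable 'exp' counts as
    expired: this filter exists to enforce the expiry the vulnerable
    handler ignored, so nothing is taken on trust."""
    if not isinstance(meta, dict) or meta.get("active") is not True:
        return False
    try:
        exp = int(meta.get("exp"))
    except (TypeError, ValueError):
        return False
    return now < exp


def check_request(headers, now=None, introspect_fn=introspect):
    """Return (allowed, reason). Every error path denies."""
    now = time.time() if now is None else now
    token = bearer_token(headers)
    if token is None:
        return False, "no bearer token"
    try:
        meta = introspect_fn(token)
    except Exception as exc:  # network error, HTTP error, bad JSON
        return False, f"introspection failed: {exc}"
    if not token_is_current(meta, now):
        return False, "token inactive or expired"
    return True, "ok"


if __name__ == "__main__":
    # Offline demonstration with a stand-in for the introspection endpoint.
    def fake(tok):
        return {"active": True, "exp": 1_700_000_000} if tok == "good" else {"active": False}

    print(check_request({"Authorization": "Bearer good"}, now=1_699_999_000, introspect_fn=fake))
    print(check_request({"Authorization": "Bearer good"}, now=1_700_000_100, introspect_fn=fake))
    print(check_request({"Authorization": "Bearer gone"}, now=1_699_999_000, introspect_fn=fake))
```

Two points matter in deployment: do not cache a positive decision beyond the exp returned for that token, and keep the fail-closed behaviour even if the introspection endpoint becomes slow, since an "allow on error" fallback would reopen the exact hole being worked around.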
🧯 If You Can't Patch
- Implement network segmentation to isolate LemonLDAP::NG instances from critical resources
- Deploy additional authentication layers (MFA) for protected resources and monitor for unusual access patterns
🔍 How to Verify
Check if Vulnerable:
Check the LemonLDAP::NG version: if it is between 2.0.4 and 2.0.11 and OAuth2/OIDC functionality is enabled (the OIDC provider is active or any virtual host is protected by the OAuth2 handler), the system is vulnerable.
Check Version:
perl -MLemonldap::NG::Common -e 'print $Lemonldap::NG::Common::VERSION'
On Debian/Ubuntu packaged installs, dpkg -l 'lemonldap-ng*' reports the same version.
Verify Fix Applied:
Verify the version is 2.0.12 or later, then test expiration enforcement end to end: obtain an access token from the OIDC provider for a test client, let it expire (temporarily lowering the access token lifetime in the OIDC service settings, oidcServiceAccessTokenExpiration, shortens the wait), and present it in an Authorization: Bearer header to a URL protected by the OAuth2 handler. A fixed system rejects the request; a vulnerable one serves the resource.
📡 Detection & Monitoring
Log Indicators:
- Successful authentication with expired OAuth2 tokens
- Multiple access attempts with same token after expiration
- Unusual access patterns from OIDC clients
Network Indicators:
- Bearer tokens accepted by handler-protected hosts more than the configured access token lifetime after the token was issued
- The same bearer token arriving from a source IP or User-Agent different from the client it was issued to
SIEM Query:
source="lemonldap.log" AND ("expired token" OR "token validation failed")
Note that a vulnerable handler accepts an expired token without logging any error, so this query only produces hits once the fix is in place or from endpoints that did enforce expiry. To detect exploitation before patching, correlate each token's issuance time with its later use and alert on accesses past issuance plus the configured lifetime.
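The correlation just described, as an added example run over constructed log lines (not LemonLDAP::NG's own log format, and not LemonLDAP::NG code). Real logs should never carry raw access tokens; the token fields below stand for whatever token identifier (hash, prefix or session id) the logging pipeline records. The line format, the field names and the 3600-second lifetime are assumptions made for the example; the lifetime should be set to the deployment's oidcServiceAccessTokenExpiration value.

```python
"""Detect use of OAuth2 access tokens after their expiration.

Added example, not LemonLDAP::NG code. Real LemonLDAP::NG logs do not
use this line format and should not contain raw tokens; the lines below
are constructed, and the token fields stand for whatever token identifier
(hash, prefix, or session id) your logging pipeline records. What the
script shows is the correlation a SIEM rule needs: join each resource
access on its token to the token's issuance, add the configured lifetime,
and flag accesses that were still allowed after that moment.
"""
import re
from datetime import datetime, timedelta, timezone

# Assumed lifetime; match the deployment's oidcServiceAccessTokenExpiration.
ACCESS_TOKEN_TTL = timedelta(seconds=3600)

ISSUE_RE = re.compile(
    r"^(?P<ts>\S+) portal: access token issued client=(?P<client>\S+) token=(?P<token>\S+)$")
ACCESS_RE = re.compile(
    r"^(?P<ts>\S+) handler: allow token=(?P<token>\S+) uri=(?P<uri>\S+) ip=(?P<ip>\S+)$")

# Constructed sample: tok_a1 is issued at 10:00, so with a one-hour lifetime
# the 11:30 access from a new source address is a replay of an expired token.
SAMPLE_LOG = """\
2021-07-01T10:00:00Z portal: access token issued client=billing-api token=tok_a1
2021-07-01T10:05:00Z handler: allow token=tok_a1 uri=/api/invoices ip=10.1.1.5
2021-07-01T10:59:00Z handler: allow token=tok_a1 uri=/api/invoices ip=10.1.1.5
2021-07-01T11:30:00Z handler: allow token=tok_a1 uri=/api/invoices ip=203.0.113.9
2021-07-01T12:00:00Z portal: access token issued client=billing-api token=tok_b2
2021-07-01T12:10:00Z handler: allow token=tok_b2 uri=/api/invoices ip=10.1.1.5
2021-07-01T12:20:00Z handler: allow token=tok_zz uri=/api/admin ip=198.51.100.4
"""


def parse_ts(s):
    """Parse the ISO-8601 UTC timestamps used in the constructed format."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_expired_token_use(lines, ttl=ACCESS_TOKEN_TTL):
    """Return (expired_uses, unknown_uses).

    expired_uses: accesses allowed after issued_at + ttl, as dicts with the
    token, client, uri, ip and how many seconds past expiry the access was.
    unknown_uses: accesses whose token has no issuance record in the lines
    examined; these need a wider lookback before they can be judged.
    """
    issued = {}  # token -> (issued_at, client)
    expired, unknown = [], []
    for line in lines:
        line = line.rstrip("\n")
        m = ISSUE_RE.match(line)
        if m:
            issued[m["token"]] = (parse_ts(m["ts"]), m["client"])
            continue
        m = ACCESS_RE.match(line)
        if not m:
            continue  # unrelated log line
        token = m["token"]
        when = parse_ts(m["ts"])
        if token not in issued:
            unknown.append({"token": token, "uri": m["uri"], "ip": m["ip"], "at": m["ts"]})
            continue
        issued_at, client = issued[token]
        overrun = (when - (issued_at + ttl)).total_seconds()
        if overrun > 0:
            expired.append({"token": token, "client": client, "uri": m["uri"],
                            "ip": m["ip"], "at": m["ts"],
                            "seconds_past_expiry": int(overrun)})
    return expired, unknown


if __name__ == "__main__":
    hits, unseen = find_expired_token_use(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f"EXPIRED TOKEN ACCEPTED: {h}")
    for u in unseen:
        print(f"no issuance record in window: {u}")
```

In a SIEM the same logic is a join between the portal's issuance events and the handler's access events keyed on the token identifier, with the lookback window set to at least one token lifetime so that legitimate late-in-life uses are not reported as "unknown".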