CVE-2021-40874
📋 TL;DR
This vulnerability allows authentication bypass in LemonLDAP::NG when using the RESTServer plugin with Kerberos authentication combined with another method via the Combination plugin. Any password will be accepted as valid for existing users, enabling unauthorized access. Organizations using LemonLDAP::NG with these specific configurations are affected.
💻 Affected Systems
- LemonLDAP::NG (lemonldap-ng)
📦 What is this software?
LemonLDAP::NG, a web single sign-on (SSO) and access management system maintained by the LemonLDAP::NG project (hosted at OW2)
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain administrative access to all systems protected by the vulnerable LemonLDAP::NG instance, leading to complete compromise of authentication infrastructure and downstream systems.
Likely Case
Attackers bypass authentication to access protected applications and services, potentially stealing sensitive data or performing unauthorized actions.
If Mitigated
With proper network segmentation and monitoring, impact is limited to specific applications behind the vulnerable authentication service.
🎯 Exploit Status
Exploitation requires knowledge of valid usernames but any password works. No authentication needed to attempt exploitation against the vulnerable service.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.0.14
Vendor Advisory: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2612
Restart Required: Yes
Instructions:
1. Back up the current configuration.
2. Upgrade to LemonLDAP::NG 2.0.14 or later.
3. Restart the LemonLDAP::NG services.
4. Verify that authentication works correctly (in particular, that invalid passwords are rejected).
🔧 Temporary Workarounds
Disable vulnerable configuration
Stop using the RESTServer plugin with Kerberos+Combination authentication until patched:
# Edit the LemonLDAP::NG configuration to remove the RESTServer plugin or change the authentication methods
# Then restart the service (use the unit that serves the portal in your deployment), e.g.:
systemctl restart lemonldap-ng
🧯 If You Can't Patch
- Implement network segmentation to isolate the vulnerable LemonLDAP::NG instance
- Enable detailed authentication logging and monitor for failed/successful authentication anomalies
🔍 How to Verify
Check if Vulnerable:
Check whether you are running a version earlier than 2.0.14 (such as 2.0.13) with the RESTServer plugin configured and Kerberos combined with another method through the Combination plugin
Check Version:
llng-manager --version 2>/dev/null || dpkg -l | grep lemonldap-ng || rpm -qa | grep lemonldap-ng
Verify Fix Applied:
Verify version is 2.0.14 or later and test authentication with invalid passwords (should be rejected)
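The following is an added example, not from this page or from the LemonLDAP::NG project, covering the upgrade and verification steps in the fix instructions and the version checks above. It is a POSIX sh script that reads the installed package version from dpkg or rpm (the package name lemonldap-ng is assumed, matching the commands above), strips packaging suffixes, and compares the result against the fixed release 2.0.14. It reports version status only: an older version is exposed only when the RESTServer plugin is combined with Kerberos through the Combination plugin, so the configuration still has to be checked separately.

```sh
#!/bin/sh
# Added example (not LemonLDAP::NG project code): decide whether an installed
# LemonLDAP::NG version already carries the fix for CVE-2021-40874 (2.0.14+).
FIXED_VERSION="2.0.14"

# normalize_version: keep only the leading dotted-numeric part, so packaging
# suffixes such as "2.0.14+ds-1" (Debian) or "2.0.14-1.el8" (RPM) compare
# as "2.0.14". Prints nothing when no numeric version can be found.
normalize_version() {
  printf '%s\n' "$1" | sed -n 's/^\([0-9][0-9.]*\).*/\1/p'
}

# version_ge A B: exit 0 when dotted-numeric version A >= B, 1 when A < B,
# 2 when either argument is not a version. Missing components count as 0,
# so "2.0" < "2.0.14" and "2.1" > "2.0.14".
version_ge() {
  a=$(normalize_version "$1")
  b=$(normalize_version "$2")
  [ -n "$a" ] && [ -n "$b" ] || return 2
  while [ -n "$a" ] || [ -n "$b" ]; do
    ca=${a%%.*}                      # first component of each side
    cb=${b%%.*}
    case $a in *.*) a=${a#*.} ;; *) a="" ;; esac   # drop that component
    case $b in *.*) b=${b#*.} ;; *) b="" ;; esac
    ca=${ca:-0}
    cb=${cb:-0}
    [ "$ca" -gt "$cb" ] && return 0
    [ "$ca" -lt "$cb" ] && return 1
  done
  return 0                           # every component was equal
}

# installed_version: print the lemonldap-ng package version from dpkg or rpm,
# whichever package manager exists; print nothing if it cannot be determined.
# (Assumed package name: lemonldap-ng, as used by the distribution packages.)
installed_version() {
  if command -v dpkg-query >/dev/null 2>&1; then
    v=$(dpkg-query -W -f='${Version}\n' lemonldap-ng 2>/dev/null) \
      && { printf '%s\n' "$v"; return 0; }
  fi
  if command -v rpm >/dev/null 2>&1; then
    # rpm -q prints "package ... is not installed" on stdout, so only echo on success
    v=$(rpm -q --qf '%{VERSION}\n' lemonldap-ng 2>/dev/null) \
      && { printf '%s\n' "$v"; return 0; }
  fi
  return 1
}

# check_patched VERSION: print "patched" (exit 0), "vulnerable-version"
# (exit 1, version below the fix) or "unknown" (exit 2, unparseable input).
check_patched() {
  if [ -z "$(normalize_version "$1")" ]; then
    echo "unknown"
    return 2
  fi
  if version_ge "$1" "$FIXED_VERSION"; then
    echo "patched"
    return 0
  fi
  echo "vulnerable-version"
  return 1
}

# Usage: run with --local to report on the package installed on this host.
if [ "${1:-}" = "--local" ]; then
  check_patched "$(installed_version)"
fi
```

A "vulnerable-version" result means only that the installed release predates the fix; combine it with the configuration check in the "Check if Vulnerable" step before concluding the instance is exposed, and treat "unknown" (no package found) as a prompt to locate the installation by other means, such as the commands above.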
📡 Detection & Monitoring
Log Indicators:
- Multiple successful authentications with invalid passwords
- Authentication attempts bypassing Kerberos validation
Network Indicators:
- Unusual authentication patterns to REST password validation endpoints
- Authentication requests bypassing normal flow
SIEM Query:
source="lemonldap-ng" AND (event="authentication_success" AND password="invalid")