CVE-2023-28862
📋 TL;DR
LemonLDAP::NG before 2.16.1 lets an attacker who already holds a user's password bypass two-factor authentication (2FA). Two defects combine: weak session ID generation in the AuthBasic handler and incorrect failure handling during the password check, so an AuthBasic login yields a valid session even though no second factor was ever verified. Any deployment that uses LemonLDAP::NG with 2FA enabled and exposes at least one virtual host through the AuthBasic handler is affected; only sessions created through that handler are concerned, not those created by the normal portal login.
💻 Affected Systems
- LemonLDAP::NG before 2.16.1 (deployments with 2FA enabled that serve at least one virtual host through the AuthBasic handler)
📦 What is this software?
LemonLDAP::NG (lemonldap-ng) is an open-source Web SSO, access management and identity federation platform written in Perl, maintained by the LemonLDAP::NG project on OW2 GitLab.
⚠️ Risk & Real-World Impact
Worst Case
Attackers can completely bypass 2FA protection and gain unauthorized access to protected systems and data as authenticated users.
Likely Case
Attackers bypass 2FA requirements to access systems that should require multi-factor authentication, potentially leading to data breaches or privilege escalation.
If Mitigated
With network segmentation and an additional authentication layer in front of protected resources, impact is limited to what the affected LemonLDAP::NG instance alone protects, but the 2FA bypass itself remains possible until the upgrade.
🎯 Exploit Status
Exploitation requires the victim's valid first factor (username and password); the vulnerability then lets the attacker obtain a session through the AuthBasic handler without completing the second factor. The defect is in session creation for AuthBasic logins, so no memory corruption or complex technique is involved. Note also that in affected versions a plugin that tries to deny session creation does not deny AuthBasic sessions, so plugin-based enforcement does not close the gap.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.16.1
Vendor Advisory: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/releases/v2.16.1
Restart Required: Yes
Instructions:
1. Back up the current configuration.
2. Upgrade LemonLDAP::NG to version 2.16.1 or later.
3. Restart the LemonLDAP::NG service (portal, manager and handler processes).
4. Confirm the running version is 2.16.1 or later, then test an AuthBasic login for a 2FA-enrolled account and confirm it no longer yields a session without the second factor.
🔧 Temporary Workarounds
Disable AuthBasic Handler
Temporarily disable the AuthBasic handler where it is not required. Edit the LemonLDAP::NG configuration so that no virtual host uses the AuthBasic handler type (vhostType AuthBasic); protected applications then go through the standard portal login, where the second factor is enforced.
Implement Additional Session Validation
Add a session validation check outside LemonLDAP::NG (at the reverse proxy or in the protected application) to confirm that a second factor was completed before access is granted. Do not rely on a LemonLDAP::NG plugin for this: in affected versions a plugin that tries to deny session creation does not deny AuthBasic sessions.
🧯 If You Can't Patch
- Implement network-level controls to restrict access to LemonLDAP::NG instances
- Add additional authentication layers before protected resources
🔍 How to Verify
Check if Vulnerable:
Check the installed LemonLDAP::NG version. If it is earlier than 2.16.1, 2FA is enabled, and at least one virtual host is served by the AuthBasic handler (vhostType AuthBasic), the system is vulnerable. Distribution packages may carry a backported fix under an older version string; for Debian, check the LTS advisory in the references and the package changelog rather than the upstream number alone.
Check Version:
perl -MLemonldap::NG::Common -e 'print $Lemonldap::NG::Common::VERSION'
(On packaged installs the package manager, e.g. dpkg or rpm, reports the installed package version as well.)
Verify Fix Applied:
Confirm the running version is 2.16.1 or later (or a distribution build carrying the backported fix), then test an AuthBasic login for a 2FA-enrolled account and confirm it no longer yields a session without the second factor.
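The workaround (find and disable AuthBasic virtual hosts) and the verification step (is this version, with this configuration, exposed?) can be done against an export of the LemonLDAP::NG configuration. The script below is an added example, not LemonLDAP::NG project code: it reads an lmConf-style JSON document, lists the virtual hosts served by the AuthBasic handler, decides whether the installed version still needs the 2.16.1 fix, and produces the "disabled" form of the configuration. The key names vhostOptions/vhostType and the *2fActivation keys follow the LemonLDAP::NG configuration schema as assumed here, "Main" is assumed to be the standard handler type, and the sample configuration is constructed for this example.

```python
# Added example (not LemonLDAP::NG project code): audit an lmConf JSON export
# for AuthBasic virtual hosts, decide whether the installed version needs the
# 2.16.1 fix, and produce the workaround configuration with AuthBasic disabled.
# Key names are assumed from the LemonLDAP::NG configuration schema; the
# sample configuration below is constructed for this example.
import json
import re

FIXED_VERSION = (2, 16, 1)

# Assumption: 2FA is in play when any of these activation keys is truthy.
# Values may be 0/1 or a Perl rule string; any non-empty value other than "0"
# is treated as enabled.
TWO_FA_KEYS = ("totp2fActivation", "mail2fActivation", "ext2fActivation",
               "rest2fActivation", "yubikey2fActivation", "u2fActivation",
               "webauthn2fActivation", "sfRequired")

# Constructed sample configuration (cfgNum and host names are made up).
SAMPLE_CONF = json.loads("""
{
  "cfgNum": 42,
  "totp2fActivation": 1,
  "vhostOptions": {
    "app.example.com": {"vhostType": "Main"},
    "api.example.com": {"vhostType": "AuthBasic"},
    "legacy.example.com": {"vhostType": "AuthBasic", "vhostHttps": 1}
  }
}
""")


def parse_version(version: str) -> tuple:
    """'2.0.16', '2.16.1' or '2.16.1+ds-1' -> (major, minor, patch) as ints."""
    nums = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not nums:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(n) for n in nums.groups())


def authbasic_vhosts(conf: dict) -> list:
    """Virtual hosts whose handler type is AuthBasic."""
    opts = conf.get("vhostOptions", {})
    return sorted(v for v, o in opts.items() if o.get("vhostType") == "AuthBasic")


def two_fa_enabled(conf: dict) -> bool:
    """True when at least one second-factor module is activated."""
    return any(str(conf.get(k, "0")) not in ("", "0") for k in TWO_FA_KEYS)


def is_vulnerable(version: str, conf: dict) -> bool:
    """Pre-2.16.1 build, 2FA in use, and at least one AuthBasic vhost.
    Distribution builds with a backported fix report an older version string
    and must be judged by their package changelog instead."""
    return (parse_version(version) < FIXED_VERSION
            and two_fa_enabled(conf)
            and bool(authbasic_vhosts(conf)))


def disable_authbasic(conf: dict) -> dict:
    """Workaround form: switch every AuthBasic vhost to the standard handler
    (assumed to be type 'Main') so users go through the portal login and its
    second-factor step. Returns a copy; the input is left untouched."""
    fixed = json.loads(json.dumps(conf))
    for vhost in authbasic_vhosts(conf):
        fixed["vhostOptions"][vhost]["vhostType"] = "Main"
    return fixed


if __name__ == "__main__":
    print("AuthBasic vhosts:", authbasic_vhosts(SAMPLE_CONF))
    print("2.0.16 vulnerable:", is_vulnerable("2.0.16", SAMPLE_CONF))
    print("2.16.1 vulnerable:", is_vulnerable("2.16.1", SAMPLE_CONF))
    print(json.dumps(disable_authbasic(SAMPLE_CONF)["vhostOptions"], indent=2))
```

Feed it the JSON produced by your configuration backend (or the Manager export) together with the version string printed by the perl one-liner above; versions are compared as integer triples, so 2.0.16 and 2.16.0 both sort before 2.16.1.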
📡 Detection & Monitoring
Log Indicators:
- Access granted by an AuthBasic-typed virtual host to a user who is enrolled in 2FA, with no matching second-factor success in the portal log
- New sessions for 2FA-enrolled users whose portal log shows only the password step
Network Indicators:
- HTTP Basic credentials (Authorization: Basic) presented to AuthBasic-protected virtual hosts by unexpected clients, especially for accounts that normally authenticate through the portal
SIEM Query:
source="lemonldap-ng.log" AND ("AuthBasic" OR "session creation") AND NOT "2FA"
This query is a coarse starting point: log location and message format depend on the configured logger (syslog, Apache error log, etc.), so adjust the source and match on the handler and portal messages your deployment actually emits.
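A keyword query alone cannot tell a legitimate AuthBasic access from a bypass; the useful signal is an AuthBasic access for a 2FA-enrolled user that is not preceded by a second-factor success. The correlation below is an added example, not LemonLDAP::NG project code: the key=value line format, the event names (password_ok, 2fa_ok, allow) and the enrollment list are constructed for this example, and real LemonLDAP::NG handler and portal messages must be mapped onto these fields first.

```python
# Added example (not LemonLDAP::NG project code): correlate portal and handler
# events to flag AuthBasic accesses granted to 2FA-enrolled users without a
# recent second-factor success. Line format, event names and the enrollment
# list are constructed for this example, not real LemonLDAP::NG output.
from datetime import datetime, timedelta
import re

# Constructed sample log: a clean portal login (alice), an AuthBasic access by
# a 2FA-enrolled user with no second factor (bob), an AuthBasic access by a
# user without 2FA (carol), and two AuthBasic accesses by alice, one inside
# and one outside the correlation window.
SAMPLE_LOG = """\
2023-07-10T08:01:02Z portal user=alice event=password_ok
2023-07-10T08:01:05Z portal user=alice event=2fa_ok method=TOTP
2023-07-10T08:01:09Z handler vhost=app.example.com type=Main user=alice action=allow
2023-07-10T08:02:00Z handler vhost=api.example.com type=AuthBasic user=bob action=allow
2023-07-10T08:03:30Z handler vhost=api.example.com type=AuthBasic user=carol action=allow
2023-07-10T08:05:00Z handler vhost=api.example.com type=AuthBasic user=alice action=allow
2023-07-10T08:30:00Z handler vhost=api.example.com type=AuthBasic user=alice action=allow
"""

# Constructed: users known from the second-factor registration store to have
# a 2FA device enrolled.
ENROLLED_2FA = {"alice", "bob"}

LINE_RE = re.compile(r"^(\S+) (portal|handler) (.*)$")


def parse_line(line: str) -> dict:
    """Split '<timestamp> <source> k=v k=v ...' into a dict."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    ts, source, rest = m.groups()
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    fields["source"] = source
    return fields


def find_2fa_bypass(log_text: str, enrolled: set,
                    window: timedelta = timedelta(minutes=10)) -> list:
    """Return (timestamp, user, vhost) for every AuthBasic allow given to a
    2FA-enrolled user with no 2fa_ok event for that user within `window`."""
    events = [parse_line(ln) for ln in log_text.splitlines() if ln.strip()]
    last_2fa = {}   # user -> time of the most recent second-factor success
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["source"] == "portal" and ev.get("event") == "2fa_ok":
            last_2fa[ev["user"]] = ev["ts"]
        elif (ev["source"] == "handler" and ev.get("type") == "AuthBasic"
              and ev.get("action") == "allow" and ev["user"] in enrolled):
            recent = last_2fa.get(ev["user"])
            if recent is None or ev["ts"] - recent > window:
                alerts.append((ev["ts"].isoformat(), ev["user"], ev["vhost"]))
    return alerts


if __name__ == "__main__":
    for alert in find_2fa_bypass(SAMPLE_LOG, ENROLLED_2FA):
        print("possible 2FA bypass:", alert)
```

The window is a heuristic: users who legitimately use both the portal and an AuthBasic-protected API will trigger alerts once their last second-factor success is older than the window, so tune it to your session lifetime and restrict the enrolled set to accounts that must always complete 2FA.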
🔗 References
- https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2896
- https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/releases/v2.16.1
- https://lists.debian.org/debian-lts-announce/2023/07/msg00018.html