Headline
CVE-2021-40874: [Security: low, CVE-2021-40874] RESTServer pwdConfirm always returns true with Combination + Kerberos (#2612) · Issues · LemonLDAP NG / lemonldap-ng · GitLab
An issue was discovered in LemonLDAP::NG (aka lemonldap-ng) 2.0.13. When using the RESTServer plug-in to operate a REST password validation service (for another LemonLDAP::NG instance, for example) and using the Kerberos authentication method combined with another method with the Combination authentication plug-in, any password will be recognized as valid for an existing user.
Concerned version
Version: 2.0.13
Summary
- Enable restPasswordServer
- Configure Combination [Kerberos, Demo] or [Demo] (works with LDAP too)
- Use /proxy/pwdConfirm to validate dwho/wrongpassword => returns true
Logs
[debug] Entering REST pwdConfirm method
[debug] Processing getUser
[debug] Processing authenticate
[debug] -> authResult = 0
This happens because authenticate always returns OK in Auth::Kerberos.
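The failure mode modelled in Python, as an added illustration rather than LemonLDAP::NG's own Perl code: a combination whose first backend never checks the password lets any password through pwdConfirm, while a variant that only lets password-verifying backends vouch for a password does not. The class names, the VERIFIES_PASSWORD flag and the hardened function are assumptions for illustration, not the project's fix.

```python
"""Model of CVE-2021-40874: REST pwdConfirm with Combination + Kerberos.
Added illustration, not LemonLDAP::NG code; class names are hypothetical."""

PE_OK = 0              # LLNG convention: 0 means success ("authResult = 0")
PE_BADCREDENTIALS = 5  # any non-zero code is a failure

# Constructed demo user table (dwho is the LLNG demo account)
USERS = {"dwho": "dwho"}


class DemoAuth:
    """Password backend: actually compares the submitted password."""
    VERIFIES_PASSWORD = True

    def authenticate(self, user, password):
        return PE_OK if USERS.get(user) == password else PE_BADCREDENTIALS


class KerberosAuth:
    """Ticket backend: the password is never looked at. authenticate()
    always succeeds, mirroring the root cause described in the report."""
    VERIFIES_PASSWORD = False

    def authenticate(self, user, password):
        return PE_OK


class CombinationAuth:
    """Tries backends in order; the first success wins."""

    def __init__(self, backends):
        self.backends = backends

    def authenticate(self, user, password):
        result = PE_BADCREDENTIALS
        for backend in self.backends:
            result = backend.authenticate(user, password)
            if result == PE_OK:
                break
        return result


def pwd_confirm_vulnerable(combo, user, password):
    """pwdConfirm as in 2.0.13: trusts whatever the combination returns."""
    return user in USERS and combo.authenticate(user, password) == PE_OK


def pwd_confirm_hardened(combo, user, password):
    """Assumed mitigation: only password-verifying backends may say yes."""
    if user not in USERS:
        return False
    return any(b.authenticate(user, password) == PE_OK
               for b in combo.backends if b.VERIFIES_PASSWORD)
```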
See also #2611
Low severity because this feature is probably not used by anyone. To successfully exploit this, a user must have deployed another application that relies on pwdConfirm to validate passwords (such as another LLNG instance using Auth::REST)
Edited Sep 13, 2021 by